IBM Support

PI46156: ICH408I AS THE SERVANT USERID ATTEMPTS TO CREATE AND DELETE THE OAUTH20 DIRECTORY.

Fixes are available

8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After the introduction of oauth20 support into WebSphere 8.0
customer is receiving consistent RACF failures during servant
initialisation as the servant userid attempts to create and
delete the oauth20 directory:
ICH408I USER(KTSYSI3B) GROUP(@YSI3B0 ) NAME(WAS AS T1A02 I3B0)
/var/KTS/T1A02/AppServer/profiles/default/config/cells/zosCET1A0
2/oauth20.
CL(DIRACC  ) FID(C3C8C6F0F0F439530000000006891A85)
INSUFFICIENT AUTHORITY TO MKDIR
ACCESS INTENT(-W-)  ACCESS ALLOWED(GROUP ACL  R-X)
EFFECTIVE UID(0000004706)  EFFECTIVE GID(0000005206)
.
Customer does not allow the userid to write to the root of the
WebSphere cell directory, so need a mechanism to re-direct
the location of this directory.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All IBM WebSphere Application Server        *
*                  administrators                              *
****************************************************************
* PROBLEM DESCRIPTION: Error appears in log when OAuth TAI     *
*                      startup process attempts to create      *
*                      oauth20 directory                       *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
The OAuth Trust Association Interceptor (TAI) startup
processing requires write access to the
(user.install.root)/config/cells/(cellName) directory.  In
that directory, it creates a directory called oauth20.  Errors
will appear in the log if the startup process is unable to
access this directory.  If an application server is not
configured to use the OAuth TAI, this should not be an error.

    



Problem conclusion


    

  • The OAuth TAI startup process is run whether the OAuth TAI is
configured or not.  The OAuth TAI startup process does not
need to run if either the OAuth TAI is not configured or TAI
processing is not enabled.

The OAuth TAI is updated so that its startup process will only
run if TAI processing is enabled and the OAuth TAI is
configured.

APAR PI46156 is currently targeted for inclusion in WebSphere
Application Server Fix Packs 8.0.0.13, and 8.5.5.10.

In addition, sysroute APAR PI60762 will deliver the fix in
WebSphere Application Server V7.0 Fix Pack 7.0.0.43.

Please refer to the Recommended Updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

In addition, please refer to URL:
http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack PTF information.

Keywords: IBMWL3WSS, OAUTH

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI46156
    • 

  • Reported component name
    WEBSPHERE FOR Z
    • 

  • Reported component ID
    5655I3500
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-08-03
    • 

  • Closed date
    2016-04-13
    • 

  • Last modified date
    2016-04-13
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PI60762
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE FOR Z
    • 

  • Fixed component ID
    5655I3500
    • 



Applicable component levels


    

  • R800  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 April 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback