IBM Support

PI56919: ILLEGALARGUMENTEXCEPTION: COM.IBM.WS.SECURITY.SAF.SAFEXCEPTION: CWWKS2910E: SAF SERVICE IRRSIA00_CREATE DID NOT SUCCEED.

Fixes are available

16.0.0.2: WebSphere Application Server Liberty 16.0.0.2
16.0.0.3: WebSphere Application Server Liberty 16.0.0.3
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Authorization for web app fails due to
    java.lang.IllegalArgumentException:
    com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF
    service
    IRRSIA00_CREATE did not succeed.
    SAFAuthorizationService.isEveryoneGranted is unable to
    create a
    SAF credential (via initACEE) for the unauthenticated user
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty Profile for z/OS             *
    ****************************************************************
    * PROBLEM DESCRIPTION: IllegalArgumentException / SAFException *
    *                      CWWKS2910E IRRSIA00_CREATE error causes *
    *                      login failure                           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A user login attempt fails due to an IllegalArgumentException,
    caused by a SAFException.  The SAFException has a message
    similar to the following:
    
    CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed. SAF
    return code 0x00000008. RACF return code 0x00000008. RACF reason
    code 0x00000020. Internal error code 0x00000006.
    
    The SAFException is caused by a failure to build a SAF ACEE (via
    native service IRRSIA00 / initACEE) for the unauthenticated
    user.
    
    One scenario where this can happen is if:
    (a) the SAF APPL class is activated, and
    (b) the unauthenticated user is not permitted to authenticate to
    the APPL
    
    Regardless of the unauthenticated user's permissions, the
    failure to create an ACEE for the unauthenticated user should
    not cause the user login to fail.
    

Problem conclusion

  • The code was updated to catch and suppress the
    IllegalArgumentException / SAFException caused by the failure to
    create an ACEE for the unauthenticated user.  This allows the
    user login to proceed normally.  It is a valid Liberty
    configuration for the unauthenticated user to not be permitted
    to create an ACEE for itself.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 16.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • One scenario where this can happen is if:
    (a) the SAF APPL class is activated, and
    (b) the unauthenticated user is not permitted to authenticate to
    the APPL
    
    To workaround, you can either:
    (a) deactivate the SAF APPL class, or
    (b) grant the unauthenticated user permission to authenticate to
    the APPL
    
    In order to be authenticated to the APPL, the unauthenticated
    user must be granted READ permission to the "<profilePrefix>"
    profile in the APPL class.
    
    The <profilePrefix> is configured in Liberty via <safCredentials
    profilePrefix="xx" />.  The default is "BBGZDFLT".
    
    The unauthenticated user is configured via <safCredentials
    unauthenticatedUser="xx">.  The default is "WSGUEST".
    

Comments

APAR Information

  • APAR number

    PI56919

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-02-09

  • Closed date

    2016-02-25

  • Last modified date

    2016-06-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI56967

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 May 2022