Fixes are available
16.0.0.2: WebSphere Application Server Liberty 16.0.0.2
16.0.0.3: WebSphere Application Server Liberty 16.0.0.3
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4
APAR status
Closed as program error.
Error description
Authorization for web app fails due to java.lang.IllegalArgumentException: com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed. SAFAuthorizationService.isEveryoneGranted is unable to create a SAF credential (via initACEE) for the unauthenticated user
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server Liberty Profile for z/OS * **************************************************************** * PROBLEM DESCRIPTION: IllegalArgumentException / SAFException * * CWWKS2910E IRRSIA00_CREATE error causes * * login failure * **************************************************************** * RECOMMENDATION: * **************************************************************** A user login attempt fails due to an IllegalArgumentException, caused by a SAFException. The SAFException has a message similar to the following: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed. SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000020. Internal error code 0x00000006. The SAFException is caused by a failure to build a SAF ACEE (via native service IRRSIA00 / initACEE) for the unauthenticated user. One scenario where this can happen is if: (a) the SAF APPL class is activated, and (b) the unauthenticated user is not permitted to authenticate to the APPL Regardless of the unauthenticated user's permissions, the failure to create an ACEE for the unauthenticated user should not cause the user login to fail.
Problem conclusion
The code was updated to catch and suppress the IllegalArgumentException / SAFException caused by the failure to create an ACEE for the unauthenticated user. This allows the user login to proceed normally. It is a valid Liberty configuration for the unauthenticated user to not be permitted to create an ACEE for itself. The fix for this APAR is currently targeted for inclusion in fix pack 16.0.0.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
One scenario where this can happen is if: (a) the SAF APPL class is activated, and (b) the unauthenticated user is not permitted to authenticate to the APPL To workaround, you can either: (a) deactivate the SAF APPL class, or (b) grant the unauthenticated user permission to authenticate to the APPL In order to be authenticated to the APPL, the unauthenticated user must be granted READ permission to the "<profilePrefix>" profile in the APPL class. The <profilePrefix> is configured in Liberty via <safCredentials profilePrefix="xx" />. The default is "BBGZDFLT". The unauthenticated user is configured via <safCredentials unauthenticatedUser="xx">. The default is "WSGUEST".
Comments
APAR Information
APAR number
PI56919
Reported component name
LIBERTY PROF -
Reported component ID
5655W6514
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-02-09
Closed date
2016-02-25
Last modified date
2016-06-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROF -
Fixed component ID
5655W6514
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
03 May 2022