IBM Support

PI78326: WEBSPHERE SUB-DOMAIN SERVERS WITH SPNEGO WEB AUTHENTICATION GETTING ERROR SECJ6236E

Fixes are available

9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A server with SPNEGO TAI in domain XYZ is reconfigured to use
    SPNEGO Web Authentication and use a subdomain of ABC/XYZ.
    During server startup, several SECJ6236E messages appear in the
    servant region job log:
    SECJ6236E: Authorization failed; the exception is The SAF user
               SERVER1 does not have CONTROL access to the SAF
               profile CB.BIND.null,class CBIND..
    Also, the following message appear multiple times in the
    servant region SYSPRINT:
    Trace:2016/06/11 11:01:33.633 02 t=7B8E00 c=0.14 key=P8
            tag=(0401B03A)
      Description: ORB Trace Entry
      Method Name: ClassNameFromTypeId(char *)
      input type id: IDL:omg.org/CORBA/NO_PERMISSION:1.0
    Trace: 2016/06/11 11:01:33.633 02 t=7B8E00 c=0.14 key=P8
             tag=(0401B03F)
      Description: ORB Trace Exit
      Method Name: ClassNameFromTypeId(char *)
      output class name: CORBA::NO_PERMISSION
    Trace: 2016/06/11 11:01:33.633 02 t=7B8E00 c=0.14 key=P8
             tag=(0407900A)
      Description: demarshalJavaSystemException
      Method Name:
      ZIOPChannelBridge::demarshalJavaSystemException(EncapIIOP *)
      Repository Id: IDL:omg.org/CORBA/NO_PERMISSION:1.0
      Class Name: CORBA::NO_PERMISSION
      Minor Code: 4942430d
      Completion Status: 1
    It appears as though the servant never completely starts.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.0, V8.5, abd V9.0                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: Spnego authentication with SAF user     *
    *                      registry fails with the security        *
    *                      domain                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the application server is running under the security
    domain environment, Spnego authentication might fail due to a
    failure of invoking SAF user registry. The cause of the issue
    is that the security code does not set the server short name
    which is required for invoking SAF user registry.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI78326

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-16

  • Closed date

    2017-05-18

  • Last modified date

    2017-05-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022