Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
WebSphere Application Server, Deployment Manager control region sometimes takes the following security exception when the Node Agent which is shutting down sends a 'StatusCache:placeReport' mbean management call to the DMGR without security credentials. Exception in Deployment Manager control region.... Trace: 2007/03/05 16:06:41.653 01 t=9C1CF0 c=UNK key=S2 (13007002) ThreadId: 00000039 FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0305I: The role-based authorization check failed for admin-authz operation StatusCache:placeReport :com.ibm.ws.management.status. StatusReport. The user UNAUTHENTICATED unique ID: UNAUTHENTICATED) was not granted any of the following required roles: administrator, operator. This happens when the Node Agent is sending the mbean (statusCache) request to the DMGR, too late in the process of his shutdown. At the time when the Nodeagent sends this request, Security service of the Node Agent is already STOPPED and the Node agent process itself is in a 'STOPPED' state, which explains the empty credentials on the mbean request to the DMGR. You will see the following error in the Node agent for the failing mbean request. Trace: 2007/03/05 16:06:42.312 01 t=9C4828 c=UNK key=S2 (13007002) ThreadId: 00000028 FunctionName: handleAdminFault SourceId: com.ibm.ws.management.connector.soap.SOAPConnectorClient Category: FINER ExtendedMessage: Exit; javax.management.JMRuntimeException: ADMN0022E: Access is denied for the placeReport operation on StatusCache MBean because of insufficient or empty credentials. BBOO0220E: SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method placeReport:com.ibm.ws.management. status.StatusReport on resource StatusCache and module StatusCache. The stack trace is java.lang.Exception: Invocation and received credentials are both null at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(Ro com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceIm com.ibm.ws.management.AdminServiceImpl.access$400(AdminServiceI com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.j com.ibm.ws.security.util.AccessController.doPrivileged(AccessCo com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl. com.ibm.ws.management.connector.AdminServiceDelegator.invoke(Ad ve Method)sun.reflect.NativeMethodAccessorImpl.invoke(NativeMet lect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPC com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAP com.ibm.ws.management.connector.soap.SOAPConnection.handleReque com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnect This error is intermittent.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of Websphere Application Server * * V6.1.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: The WebSphere Application Server for * * z/OS Deployment Manager controller * * sometimes takes a BBOO0222I: SECJ0305I * * security exception when the Node Agent * * is shutting down while sending a * * 'StatusCache:placeReport' mbean * * management call to the Deployment * * Manager without security credentials. * * * **************************************************************** * RECOMMENDATION: * * * **************************************************************** The WebSphere Application Server for z/OS Deployment Manager controller sometimes takes the following security exception when the Node Agent sends a 'StatusCache:placeReport' mbean management call to the Deployment Manager without security credentials while shutting down. Exception seen in the Deployme nt Manager controller: Trace: 2007/03/05 16:06:41.653 01 t=9C1CF0 c=UNK key=S2 (13007002) ThreadId: 00000039 FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0305I: The role-based authorization check failed for admin-authz operation StatusCache:placeReport :com.ibm.ws.management.status. StatusReport. The user UNAUTHENTICATED unique ID: (UNAUTHENTICATED) was not granted any of the following required roles: administrator, operator. This happens because the Node Agent is sending the mbean (statusCache) request to the Deployment Manager too late in the process of it's shutdown. At the time when the Nodeagent sends this request, the Node Agent's Security Service is already STOPPED and the Node Agent process itself is in a 'STOPPED' state, which results in the empty credentials on the mbean request to the Deployment Manager. Trace: 2007/03/05 16:06:41.515 01 t=9C4828 c=UNK key=S2 (13007002) ThreadId: 00000028 FunctionName: com.ibm.ws.management.status.NodeAgentStatusCache SourceId: com.ibm.ws.management.status.NodeAgentStatusCache Category: FINEST ExtendedMessage: Invoking placeReport: WebSphere:name=StatusCache,process=dmgr,platform=common, node=d1dmn,version=6.1.0.5,type=StatusCache, mbeanIdentifier=StatusCache,cell=d1cell,spec=1.0 And you will see the following error in the Node Agent for the failing mbean request: Trace: 2007/03/05 16:06:42.312 01 t=9C4828 c=UNK key=S2 (13007002) ThreadId: 00000028 FunctionName: handleAdminFault SourceId: com.ibm.ws.management.connector.soap.SOAPConnectorClient Category: FINER ExtendedMessage: Exit; javax.management.JMRuntimeException: ADMN0022E: Access is denied for the placeReport operation on StatusCache MBean because of insufficient or empty credentials. BBOO0220E: SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method placeReport:com.ibm.ws.management. status.StatusReport on resource StatusCache and module StatusCache. The stack trace is java.lang.Exception: Invocation and received credentials are both null at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess... com.ibm.ws.management.AdminServiceImpl.preInvoke(...) com.ibm.ws.management.AdminServiceImpl.access$400(...) . . . This error is intermittent.
Problem conclusion
The code has been modified to properly handle the StatusCache:PlaceReport when the security service is shutting down. APAR PK43608 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.15 of WebSphere Application Server V6.1 for z/OS.
Temporary fix
Comments
APAR Information
APAR number
PK43608
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST
Submitted date
2007-04-18
Closed date
2007-12-18
Last modified date
2008-04-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R610 PSY UK33923
UP08/03/13 P F803
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
28 December 2021