Fixes are available
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
The customer sets com.ibm.security.SAF.Authz.Log.Option=DEFAULT. The customer attempts to access the adminconsole with a user id that does not have access to any of the adminconsole EJBROLE profiles. The infocenter indicates that when com.ibm.security.SAF. Authz.Log.Option=ASIS or is not set, there will be one ICH408I message for each EJBROLE the user has no permission to. The infocenter indicates that When com.ibm.security.SAF.Authz.Log.Option=DEFAULT, the user is supposed to receive one ICH408I error indicating that the user does not have access to any of the EJBROLEs in the set being checked. This is to reduce the number of ICH408I messages generated by these EJBROLE checks, but still provide an audit that an unauthorized user attempted to perform protected adminconsole operations. - Currently, if com.ibm.security.SAF.Authz.Log.Option=DEFAULT, then no ICH408I messages are issued when an unauthorized user id attempts protected adminconsole operations.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V6.1.0 for z/OS that use System * * Authorization Facility (SAF) with the * * DEFAULT audit record strategy. * **************************************************************** * PROBLEM DESCRIPTION: SAF error messages are not logged * * for an unauthorized administrative * * console user for the DEFAULT audit * * record strategy. * **************************************************************** * RECOMMENDATION: * **************************************************************** SAF error messages for role-check violations are intentionally suppressed for the administrative console to reduce the number of logged messages.
Problem conclusion
The code was corrected to log these messages when new security custom property com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin is explicitly set to false. The default value for this property is true. APAR PK72451 requires changes to documentation. NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library The following Change to the WebSphere Application Server Version 6.1.x Information Center will be made available in March, 2009. The description of the Suppress RACF EJBRole audit messages functionality that is contained in the topic "z/OS System Authorization Facility authorization" will be updated to read as follows: Suppress RACF EJBRole audit messages Specifies whether ICH408I messages are on or off. System Management Facility (SMF) records access violations no matter what value is specified for this new property. This property affects the generation of access violation messages for both application-defined roles and for application server run-time-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative and programmatic checks: Declarative checks are coded as security constraints in Web applications and deployment descriptors are coded as security constraints in Enterprise JavaBeans (EJB) files. This property is not used to control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation for that role. Program logic checks or access checks are performed using the programmatic isCallerinRole(x) method for enterprise beans or isUserInRole(x) method for Web applications. If the SMF audit record strategy property is set to ASIS, NOFAIL, or NONE, the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that are generated by this call. Message suppression is always enabled for administrative roles if the SMF audit record strategy property is set to Default. For more information on SAF authorization, see "Controlling access to console users when using a Local OS registry" in the information center. For more information on administrative roles, see "Administrative roles" in the information center. Avoid Trouble: 1. If you you are running on Version 6.1.0.22 or later, and do not want administrative role messages suppressed when the SMF audit record strategy is set to Default, set the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin property to false. The value specified for this property overrides any other setting that governs message suppression for administrative roles. 2. When a third-party authorization such as Tivoli Access Manager or SAF for z/OS is used, the information in the administrative console panel might not represent the data in the provider. Also, any changes to the panel might not be reflected in the provider automatically. Follow the provider's instructions to propagate any changes made to the provider. Default: Disabled, which does not suppress messages. APAR P72451 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.22 of WebSphere Application Server V6.1 for z/OS. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PK72451
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST
Submitted date
2008-09-18
Closed date
2008-12-09
Last modified date
2009-02-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK72465 UK42556
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R610 PSY UK42556
UP09/01/16 P F901
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
28 December 2021