PK72451: NO ICH408I MESSAGES ISSUED FOR EJBROLE CHECK FAILURES FOR ADMIN USERS WHEN COM.IBM.SECURITY.SAF.AUTHZ.LOG.OPTION=DEFAULT

Fixes are available

APAR status

Closed as program error.

Error description

The customer sets com.ibm.security.SAF.Authz.Log.Option=DEFAULT.
The customer attempts to access the adminconsole with a user id
that does not have access to any of the adminconsole EJBROLE
profiles. The infocenter indicates that when
com.ibm.security.SAF. Authz.Log.Option=ASIS or is not set, there
will be one ICH408I message for each EJBROLE the user has no
permission to.
The infocenter indicates that When
com.ibm.security.SAF.Authz.Log.Option=DEFAULT, the user is
supposed to receive one ICH408I error indicating that the user
does not have access to any of the EJBROLEs in the set being
checked. This is to reduce the number of ICH408I messages
generated by these EJBROLE checks, but still provide an audit
that an unauthorized user attempted to perform
protected adminconsole operations.
-
Currently, if com.ibm.security.SAF.Authz.Log.Option=DEFAULT,
then no ICH408I messages are issued when an unauthorized user id
attempts protected adminconsole operations.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of WebSphere Application Server   *
*                  V6.1.0 for z/OS that use System             *
*                  Authorization Facility (SAF) with the       *
*                  DEFAULT audit record strategy.              *
****************************************************************
* PROBLEM DESCRIPTION: SAF error messages are not logged       *
*                      for an unauthorized administrative      *
*                      console user for the DEFAULT audit      *
*                      record strategy.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
SAF error messages for role-check violations are intentionally
suppressed for the administrative console to reduce the number
of logged messages.

Problem conclusion

The code was corrected to log these messages when new security
custom property
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin is
explicitly set to false.  The default value for this property is
true.

APAR PK72451 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/library

The following Change to the WebSphere Application
Server Version 6.1.x Information Center will be made
available in March, 2009.

The description of the Suppress RACF EJBRole audit
messages functionality that is contained in the topic
"z/OS System Authorization Facility authorization"
will be updated to read as follows:

Suppress RACF EJBRole audit messages

Specifies whether ICH408I messages are on or off.

System Management Facility (SMF) records access violations
no matter what value is specified for this new property.
This property affects the generation of access violation
messages for both application-defined roles and for
application server run-time-defined roles for the naming
and administrative subsystems. EJBROLE profile checks are
done for both declarative and programmatic checks:

Declarative checks are coded as security constraints in
Web applications and deployment descriptors are coded as
security constraints in Enterprise JavaBeans (EJB) files.
This property is not used to control messages in this
case. Instead, a set of roles is permitted, and if an
access violation occurs, an ICH408I access violation
message indicates a failure for one of the roles. SMF
then logs a single access violation for that role.

Program logic checks or access checks are performed using
the programmatic isCallerinRole(x) method for enterprise
beans or isUserInRole(x) method for Web applications. If
the SMF audit record strategy property is set to ASIS,
NOFAIL, or NONE, the
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
property controls the messages that are generated by this
call. Message suppression is always enabled for
administrative roles if the SMF audit record strategy
property is set to Default.

For more information on SAF authorization, see "Controlling
access to console users when using a Local OS registry" in the
information center. For more information on administrative
roles, see "Administrative roles" in the information center.

Avoid Trouble:

1. If you you are running on Version 6.1.0.22 or later, and
do not want administrative role messages suppressed when
the SMF audit record strategy is set to Default, set the
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin
property to false. The value specified for this property
overrides any other setting that governs message suppression
for administrative roles.

2. When a third-party authorization such as Tivoli Access
Manager or SAF for z/OS is used, the information in the
administrative console panel might not represent the data in
the provider. Also, any changes to the panel might not be
reflected in the provider automatically. Follow the
provider's instructions to propagate any changes made to the
provider.

Default: Disabled, which does not suppress messages.

APAR P72451 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.22 of WebSphere Application Server V6.1
for z/OS.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PK72451
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST
Submitted date
2008-09-18
Closed date
2008-12-09
Last modified date
2009-02-09

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK72465 UK42556

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK42556
UP09/01/16 P F901

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 December 2021

Tips

PK72451: NO ICH408I MESSAGES ISSUED FOR EJBROLE CHECK FAILURES FOR ADMIN USERS WHEN COM.IBM.SECURITY.SAF.AUTHZ.LOG.OPTION=DEFAULT

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK42556

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?