PK76360: SERVER'S SECURITY SETTING 'CSIV2 INBOUND TRANSPORT' SET TO "SSL-REQUIRED" RESULTS IN CORBA::UNKNOWN EXCEPTION

Fixes are available

APAR status

Closed as program error.

Error description

During interoperability testing with enterprise bean lookup
from WebSphere Application Server v6.1 to WebSphere
Application Server v6.1, having 'CSIv2 inbound transport' set
to "SSL-required", the IIOP port is being set to 0 in the
calling server.

Joblog (JESYSMSG) shows SSL-required set:
BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 1.
BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 0.

The IIOP URL of
"corbaloc:iiop:1.2@<server_group.net>:0/NameServiceServerRoot",
with port=0.  The Naming code then attempts to resolve this URL
and fails because the port is 0.

This results in CORBA::UNKNOWN exception.

===== Sample test case analysis ======
In the Servant Region, the last printout by the application
shows:
WAS Initial Context created now looking up
cell/clusters/<cluster_name>/ejb/InteropEJBHome

Then the exception gets thrown in the Servant Region:
Trace: 2008/11/11 13:53:51.408 01 t=9B8870 c=UNK key=P8
(13007002)
ThreadId: 00000021
FunctionName: com.ibm.ws.naming.util.Helpers
SourceId: com.ibm.ws.naming.util.Helpers
Category: WARNING
ExtendedMessage: BBOO0221W: NMSV0610I: A NamingException is
being thrown from a javax.naming.Context implementation. Details
follow

Backtracking in the Control Region from 13:53:51.408, can see
the error is with the thread that processed the exception:
Trace: 2008/11/11 13:53:50.629 01 t=9B5AD0 c=UNK key=S2
(0404800A)
Description: ORBEJSBridge - sending back System Exception
Method Name: ORBEJSBridge::invoke(void *)
Rep Id: IDL:omg.org/CORBA/UNKNOWN:1.0
Class Name: CORBA::UNKNOWN
Minor Code: -910010465
Completion Status: 1

Local fix

The server side's security setting for CSIv2 inbound transport
should be set to SSL-supported instead of SSL-required:

From Admin Console, navigate to:
1. Click Security > Secure administration, applications, and
infrastructure.
2. Under Authentication, click RMI/IIOP security > CSIv2 inbound
transport
3. Set Transport to SSL-Supported

Please remember to Save / Synchronize and recycle the server.

-----------------------------------------------------------

Changing just this CSIv2 inbound transport may generate
a different error -  CORBA.NO_PERMISSION.
To fix this, change the RMI/IIOP outbound CSIv2 Outbound
Authentication settings (either at this cell level, or
over-ride for this server) to
Client certificate authentication set to Supported.
.
* If you are doing this at a cell level:
Admin Console > Security > Secure administration,
applications, and infrastructure > RMI/IIOP security > CSIv2
outbound authentication >
Client certificate authentication set to Supported.
.
Please remember to Save / Synchronize and recycle the server.
.
* If you are doing this at a server level:
Admin Console > Servers > Application servers > WFS001C > Server
security >
Enable: "RMI/IIOP security for this server overrides the cell
settings "
> CSIv2 outbound authentication > Client certificate
authentication set to Supported
.
Please remember to Save / Synchronize and recycle the server.

Problem summary

****************************************************************
* USERS AFFECTED:  All users of WebSphere Application Server   *
*                  V6.1.0 for z/OS                             *
****************************************************************
* PROBLEM DESCRIPTION: Federated bindings created by the       *
*                      name server to link to other servers    *
*                      cannot resolve when running with SSL.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The name server builds federated bindings in the name space
which resolve to other servers.  This allows lookups on
objects in servers other than the one which the JNDI client is
bootstrapped to.  These bindings are created with URLs
starting with corbaloc:dyn:.  Those URLs cannot be resolve
when the system is configured to use SSL.  To fix the problem,
we switched to corbaloc:iiop: URLs, same as those used on
distributed platforms.  With out the fix, names of the form
cell/nodes/<node name>/servers/<server name>/<rest of name> or
cell/clusters/<cluster name>/<rest of name> do not resolve
successfully.  DumpNameSpace output includes the federated
binding URLs.

Problem conclusion

The name server now uses corbaloc:iiop: URLs instead of
corbaloc:dyn: URLs.  URLs of this form work in all situations.

APAR PK76360 is currently targeted for inclusion in
Service Level (Fix Pack) 6.1.0.25 of WebSphere
Application Server V6.1 for z/OS.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PK76360
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-11-24
Closed date
2009-01-22
Last modified date
2009-07-01

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK82693

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK47214
UP09/06/22 P F906

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK76360: SERVER'S SECURITY SETTING 'CSIV2 INBOUND TRANSPORT' SET TO "SSL-REQUIRED" RESULTS IN CORBA::UNKNOWN EXCEPTION

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK47214

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?