PK84247: AUTHENTICATION OF USERID CONNECTED TO A LARGE GROUP MAY RECEIVE:SECJ0347E COULD NOT GET THE NAME OF THE GROUP WHOSE UNIQUEID IS

Fixes are available

APAR status

Closed as program error.

Error description

When a user is being authenticated by WebSphere for z/OS, if the
default group of the user is large (has many userids connected
to it), then the incoming request to may fail with the following
error:

Trace: 2009/01/22 21:28:33.724 01 t=8BB748 c=UNK key=S2
(13007002)
  ThreadId: 00000059
  FunctionName: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
  SourceId: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
  Category: SEVERE
  ExtendedMessage: BBOO0220E: SECJ0347E: Could not get the name
of the group whose uniqueId is <group_name>.

<group_name> is the default group that the userid being
authenticated is connected to.

If tracedetail=E is enabled, an earlier trace entry will show
that the group could not be validated:

Trace: 2009/01/24 20:55:33.825 01 t=8BBE88 c=UNK key=S2
(0E025012)
  Description: bbosssur isValidGroup return
  isValid: 0

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V6.0.1                               *
****************************************************************
* PROBLEM DESCRIPTION: When using SAF (System Authorization    *
*                      Facility) as the registry for           *
*                      WebSphere Application Server on z/OS,   *
*                      and groups sizes in the registry        *
*                      exceed approximately 675 members,       *
*                      users may see the  SECJ0347E message.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server was not using a large enough
buffer to store the SAF result when groups were large.

Problem conclusion

WebSphere Application Server has been modified to handle large
groups via an environment variable, allow_large_SAF_groups,
which can be set at the administration console by navigating
to Environment - WebSphere Environment Variables - new, and
setting one of the following values:

1, which is triple the default buffer size, to 24576 from 8192
any value up to the max value of 2147483647

APAR PK84247 requires changes to documentation

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/library

Changes to the WebSphere Application Server Version 6.0.2
Information Center will be made available in December, 2009.

The following description of the new application server
environment variable allow_large_SAF_groups
will be added to the topic "Application server custom
properties that are unique for the z/OS platform."

allow_large_SAF_groups

Specifies that you want to allow the application server to do
lookups on large SAF groups.

When this property is set to one, the size of the buffer that
is used to do lookups is tripled from 8192 bytes to 24576 bytes.
When this property is not set, the buffer size is 8192 bytes.
You can also set this property to a specific number of bytes
up to and including 2147483647. If you specify an integer other
than one as the value for this property, the buffer size
becomes
that number of bytes. For example, if you specify
allow_large_SAF_groups=21400000, the size of the buffer used to
do lookups on SAF groups is 21400000 bytes.

Data Type                                  Integer
Range                                      1 - 2147483647
Default                                    0

APAR PK84247 is currently targeted for inclusion in Service
Level (Fix Pack) 6.0.2.39 of WebSphere Application Server
V6.0.1.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PK84247
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
601
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-04-07
Closed date
2009-10-07
Last modified date
2010-01-05

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK96870 PK97690

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R601 PSY UK52448
UP09/12/12 P F912

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK84247: AUTHENTICATION OF USERID CONNECTED TO A LARGE GROUP MAY RECEIVE:SECJ0347E COULD NOT GET THE NAME OF THE GROUP WHOSE UNIQUEID IS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R601 PSY UK52448

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?