IBM Support

PM01212: ICH408I EDC5111I PERMISSION DENIED ERRNO2=0X5B400002 ON NODE.XML WHEN APPLICATION SYNC TO OS THREAD IS ENABLED

Fixes are available

7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.

APAR status

  • Closed as program error.

Error description

  • When Application Sync To OS Thread is enabled, WebSphere code
    in the PMI component may attempt to read certain configuration
    files (such as node.xml) using the userid authenticated by the
    application. This may result in permission errors, as shown below:
    
    ICH408I messages from RACF:
    
    Here is the security violation error (GOATU is the application
    userid):
    ------
    ICH408I USER(FUSED   ) GROUP(FUSE1G ) NAME(FUSE USER
    ) 759
       /WebSphere/wasv7/AppServer/profiles/def
       ault/config/cells/plex1/nodes/sy1/node.xml
       CL(DIRSRCH ) FID(01E2F1E2E8E2D30004050024B79F0000)
       INSUFFICIENT AUTHORITY TO LSTAT
       ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER      ---)
       EFFECTIVE UID(0000090012)  EFFECTIVE GID(0009999934)
     ICH408I USER(FUSED   ) GROUP(FUSE1G ) NAME(FUSE USER
    ) 760
       /WebSphere/wasv7/AppServer/profiles/def
       ault/config/cells/plex1/nodes/sy1/node.xml
       CL(DIRSRCH ) FID(01E2F1E2E8E2D30004050024B79F0000)
       INSUFFICIENT AUTHORITY TO OPEN
       ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER      ---)
       EFFECTIVE UID(0000090012)  EFFECTIVE GID(0009999934)
    ------
    
    Below is the stack trace. The call to read node.xml originates
    from:
    com.ibm.ws.performance.tuning.serverAlert.calc.config.RepositoryCache.returnCfgObject (RepositoryCache.java:1751)
    
    ------
    java.io.FileNotFoundException: /WebSphere/wasv7/AppServer/profiles/default/config/cells/plex1/nodes/sy1/node.xml (EDC5111I Permission denied. (errno2=0x5B400002))
          at java.io.FileInputStream.open(Native Method)
          at java.io.FileInputStream.<init>(FileInputStream.java:112)
          at java.io.FileInputStream.<init>(FileInputStream.java:72))
          at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:82)
          at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:173)
          at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
          at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
          at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
          at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
          at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
          at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source))
          at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
          at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
          at javax.xml.parsers.SAXParser.parse(Unknown Source)
          at com.ibm.ws.runtime.config.ConfigDocumentImpl.load(ConfigDocumentImpl.java:164)
          at com.ibm.ws.runtime.config.ConfigServiceImpl.getDocument(ConfigServiceImpl.java:182)
          at com.ibm.ws.runtime.config.ConfigServiceImpl.getDocumentObjects(ConfigServiceImpl.java:126)
          at com.ibm.ws.runtime.config.ConfigServiceImpl.getDocumentObjects(ConfigServiceImpl.java:120)
          at com.ibm.ws.performance.tuning.serverAlert.calc.config.RepositoryCache.returnCfgObject(RepositoryCache.java:1751)
          at com.ibm.ws.performance.tuning.serverAlert.calc.config.RepositoryCache.getRCSNodeResource(RepositoryCache.java:1166)
    <== I think this code needs to be updated to sync the server identity
          at com.ibm.ws.performance.tuning.serverAlert.calc.config.RepositoryCache.initRCSNames(RepositoryCache.java:211)
          at com.ibm.ws.performance.tuning.serverAlert.calc.config.RepositoryCache.initRCS(RepositoryCache.java:163):
          at com.ibm.ws.performance.tuning.serverAlert.ServerRuleDriver.privateCompleteInit(ServerRuleDriver.java:1210)
          at com.ibm.ws.performance.tuning.serverAlert.ServerRuleDriverMBean.privateCompleteInit(ServerRuleDriverMBean.java:191)
          at com.ibm.ws.performance.tuning.serverAlert.ServerRuleDriver$1$1.run(ServerRuleDriver.java:1148)
          at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:4478)
          at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:4566)
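
To find this symptom in console logs, the ICH408I records quoted above can be reassembled from their wrapped lines and filtered for denied accesses to WebSphere configuration files made under an identity other than the server's. This is an added example, not IBM code; the sample text is the message quoted in this APAR, and the server identity passed to the filter is site-specific and assumed to be known by the caller.

```python
import re
from itertools import dropwhile, takewhile

# Message text as quoted in this APAR (console line wrapping kept); only seq/op differ.
_TEMPLATE = """\
ICH408I USER(FUSED   ) GROUP(FUSE1G ) NAME(FUSE USER
) {seq}
   /WebSphere/wasv7/AppServer/profiles/def
   ault/config/cells/plex1/nodes/sy1/node.xml
   CL(DIRSRCH ) FID(01E2F1E2E8E2D30004050024B79F0000)
   INSUFFICIENT AUTHORITY TO {op}
   ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER      ---)
   EFFECTIVE UID(0000090012)  EFFECTIVE GID(0009999934)
"""
SAMPLE = _TEMPLATE.format(seq=759, op="LSTAT") + _TEMPLATE.format(seq=760, op="OPEN")

FIELDS = {
    "user": r"USER\((\S+)\s*\)",
    "group": r"GROUP\((\S+)\s*\)",
    "cls": r"CL\((\S+)\s*\)",
    "op": r"INSUFFICIENT AUTHORITY TO (\w+)",
    "intent": r"ACCESS INTENT\((.{3})\)",
    "allowed": r"ACCESS ALLOWED\((\w+)\s+(.{3})\)",
}

def parse_ich408i(text):
    """Split console text into ICH408I records and extract their key fields."""
    records = []
    for rec_m in re.finditer(r"ICH408I .*?(?=ICH408I |\Z)", text, re.S):
        chunk = rec_m.group(0)
        rec = {k: (" ".join(m.groups()) if (m := re.search(p, chunk)) else None)
               for k, p in FIELDS.items()}
        lines = [ln.strip() for ln in chunk.splitlines()]
        # The path wraps across lines: join from the first "/" line up to "CL(".
        body = dropwhile(lambda ln: not ln.startswith("/"), lines)
        rec["path"] = "".join(takewhile(lambda ln: not ln.startswith("CL("), body))
        records.append(rec)
    return records

def config_denials_off_server_id(records, server_id, marker="/config/"):
    """Map (user, path) -> denied operations on config files not made as server_id."""
    hits = {}
    for r in records:
        if marker in r["path"] and r["user"] != server_id:
            hits.setdefault((r["user"], r["path"]), []).append(r["op"])
    return hits
```

Any hit for a userid that is an application identity rather than the server's points to a config read running on a thread that was never synced back to the server identity.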
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V7.0 for z/OS who have application   *
    *                  sync to OS thread enabled.                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: Sync2thread can result in permission    *
    *                      errors.                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In WebSphere Application Server V7, when Sync2thread is
    enabled in the application, WebSphere accesses certain
    configuration files with the identity of the current runAs
    user. If that identity is not SERVER, the request will fail.
    

Problem conclusion

  • The sync of the OS ID to the thread is not getting called at
    all, which is why the file access still uses GOATU. It should
    instead be using the server identity. The WebSphere Application
    Server performance tuning code is changed to call the security
    code for syncing the correct ID.
    
    APAR PM01212 is currently targeted for inclusion in Service
    Level (Fix Pack) 7.0.0.11 of WebSphere Application Server V7.0
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM01212

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-11-13

  • Closed date

    2010-02-16

  • Last modified date

    2010-07-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R700 PSY UK57722

       UP10/06/17 P F006

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
24 October 2021