PM02361: SERVANT REGION DOES NOT USE DOMAIN-SPECIFIC SAF PROFILE PREFIX. THE DEFAULT VALUE FROM SECURITY.XML IS USED INSTEAD.

Fixes are available

APAR status

Closed as program error.

Error description

When running an Appserver with application security enabled,
custom LDAP registry and authorization provider "built-in",
WebSphere doesn't honor the SecurityDomain prefix when checking
APPL profile against RACF, instead it uses the plain CBS390
APPL profile.

The error occurs in the servant region.

The customer created a normal z/OS ND cell with two nodes and
the default setting for security, which means that global
security is set, SAF is used, but no TAI's or application
security and NO guest user connected to the plain CBS390-profile
in the APPL-class.

Instead the guest user and guest group is connected to the
SECURITYDOMAIN-profile in the APPL-class, where SECURITYDOMAIN
is the value set WCT as "SAF profile prefix". Appservers
created in  this ND-cell can without any problem lookup JNDI
stuff (e.g. JDBC Datasources).

If the customer then creates a new SecurityDomain in the admin
console and maps it to a servercluster, applications in that
server cluster cannot lookup datasources unless they add the
guest user/group to the CBS390-profile in the APPL-class, which
is a global profile for the entire sysplex.

It should either use the profile as above or there should be
some place in the security domain where you could point out a
new SAF profile prefix , that is specific for the new security
domain.

The application causing trouble is a unsecured application
which doesn't require any authentication, which should be
perfectly possible  to run in a environment where one has turned
on application security.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V7.0                                 *
****************************************************************
* PROBLEM DESCRIPTION: When running an Appserver with          *
*                      application security enabled,           *
*                      custom LDAP registry and                *
*                      authorization provider "built-in",      *
*                      WebSphere doesn't honor the             *
*                      SecurityDomain prefix when checking     *
*                      APPL profile against RACF, instead it   *
*                      uses the plain CBS390                   *
*                      APPL profile.                           *
*                                                              *
*                      The error occurs in the servant region. *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server was not checking the global
domain for the presence of the security domain prefix in the
servant region.

Problem conclusion

WebSphere Application Server has been modified to correctly
query the global domain for the presence of the domain prefix.

APAR PM02361 is currently targeted for inclusion in Service
Level (Fix Pack) 7.0.0.11 of WebSphere Application Server V7.0

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PM02361
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-11-30
Closed date
2010-02-15
Last modified date
2010-07-02

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R700 PSY UK57722
UP10/06/17 P F006

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021

Tips

PM02361: SERVANT REGION DOES NOT USE DOMAIN-SPECIFIC SAF PROFILE PREFIX. THE DEFAULT VALUE FROM SECURITY.XML IS USED INSTEAD.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY UK57722

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?