PM16362: ATTEMPT TO WRITE MORE DATA TO AN SMF RECORD THAN THE LIMIT OF 20480 BYTES RESULTING IN SECJ6022E ERROR

Fixes are available

APAR status

Closed as program error.

Error description

Deploymentmanager CR experiences SECJ6022E when they enabled
security SMF records

Trace: 2009/11/20 15:08:02.637 01 t=7A8CF0 c=UNK key=S2
(13007002)
  ThreadId: 0000001c
  FunctionName: com.ibm.ws.security.audit.AuditServiceImpl
  SourceId: com.ibm.ws.security.audit.AuditServiceImpl
  Category: SEVERE
  ExtendedMessage: BBOO0220E: SECJ6022E: AuditServiceProvider
malfunction when security auditing is required, Provider
Exception =
om.ibm.websphere.security.ProviderFailureException: SAF RC=8,
RACF
RC=12, RACF Reason=24
com.ibm.ws.security.audit.zOS.SMFEmitterImpl.sendEvent(SMFEmitte
com.ibm.ws.security.audit.AuditServiceImpl.sendEvent(AuditServic
com.ibm.ws.security.audit.AuditEventFactoryImpl.sendEvent(AuditE
com.ibm.ws.security.audit.AuditServiceImpl.sendEvent(AuditServic
com.ibm.websphere.management.authorizer.SecurityAuditingHelper.l
  curityAuditForMBean(SecurityAuditingHelper.java:292)
com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImp
com.ibm.ws.management.AdminServiceImpl.access$400(AdminServiceIm
com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.ja
com.ibm.ws.security.util.AccessController.doPrivileged(AccessCon
com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.j
com.ibm.ws.management.connector.AdminServiceDelegator.invoke(Adm
  rviceDelegator.java:181)
.at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
.at java.lang.reflect.Method.invoke(Method.java:600)
com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPCo
com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPC
com.ibm.ws.management.connector.soap.SOAPConnection.handleReques
com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnecti
.at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:522)
.at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  Users of IBM WebSphere Application Server   *
*                  V7.0 who are using SMF auditing.            *
****************************************************************
* PROBLEM DESCRIPTION: Audit record exceeds the SMF            *
*                      relocation threshhold size of 20480,    *
*                      causing the record not to be written.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
SMF has a threshhold size limit of 20480 for any relocates
added.  If an audit record exceeds that size, there will be a
failure to write the record to SMF and an exception will be
generated:
  ExtendedMessage: BBOO0220E: SECJ6022E: AuditServiceProvider
   malfunction when security auditing is required, Provider
Exception = c
   om.ibm.websphere.security.ProviderFailureException: SAF
RC=8, RACF
   RC=12, RACF Reason=24

Problem conclusion

A custom property is introduced,
com.ibm.audit.field.length.limit, which will allow users to
define their maximum size for any variable length audit field
in the audit record.  This will only apply if the SMF
threshhold limit of 20480 is exceeded.  By default, the
truncation will occur at 128 bytes for any variable-length
audit field, unless another value is specified via the custom
property.  The maximum length that can be specified via the
custom property is 512 bytes, to ensure that the the SMF audit
record will always be recorded.  Valid ranges for this custom
property range from 1 to 512.

APAR PM16362 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/library

The following Change to the WebSphere Application
Server Version 7.0 Information Center
will be made available in October 2010.

The topic Security custom properties will be updated to
include the following description of the new
com.ibm.audit.field.length.limit custom property:

com.ibm.audit.field.length.limit

This property only applies to the SMF Emitter
implementation that IBM provides for the Security Auditing
feature. You can use this property to specify, in bytes,
the length at which variable-length audit data is
truncated. By default, if this custom property is not
specified, and the threshold limit of 20480 is exceeded,
variable-length audit data fields are truncated to 128
bytes.

Avoid Trouble: You must use the modifyAuditEmitter command
for the AdminTask object to enable this custom problem. See
the topic AuditEmitterCommands for the AdminTask object for
a description of how to use this command.

The SMF relocation data has a threshold size limit of 20480
bytes. If the audit data exceeds this limit, the audit data
is truncated to prevent the loss of audit records.

Default  20480
Type          An integer between 1 and 512

APAR PM16362 is currently targeted for inclusion in Service
Level (Fix Pack) 7.0.0.13 of WebSphere Application Server V7.0.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PM16362
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-06-11
Closed date
2010-07-28
Last modified date
2010-11-03

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R700 PSY UK61114
UP10/10/21 P F010

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
25 October 2021

Tips

PM16362: ATTEMPT TO WRITE MORE DATA TO AN SMF RECORD THAN THE LIMIT OF 20480 BYTES RESULTING IN SECJ6022E ERROR

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY UK61114

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?