IBM Support

PM89476: RESTRICTING ROLES TO COS NAMING READ OPERATION WILL CAUSE THE OTIS SYSTEM APPLICATION TO GENERATE FFDC ENTRIES OR ERRORS


APAR status

  • Closed as program error.

Error description

  • Restricting roles for the COS (Common Object Service) Naming
    Read operation causes the OTiS system application to
    generate entries in the FFDC log files, as well as an
    org.omg.CORBA.NO_PERMISSION error in the WebSphere
    System Error log file.
    
    SystemOut.log file contents follow:
    
    
    [4/26/12 8:34:56:652 EDT] 0000002b RoleBasedAuth A   SECJ0305I:
    The role-based authorization check failed for naming-authz
    operation NameServer:resolve_complete_info
    The user UNAUTHENTICATED (unique ID: unauthenticated) was not
    granted any of the following required roles: CosNamingWrite,
    CosNamingRead, CosNamingDelete, CosNamingCreate.
    
    SystemErr.log file contents follow:
    
    [4/26/12 8:59:58:796 EDT] 0000002b SystemErr     R javax.naming.
    NoPermissionException: NO_PERMISSION exception caught: Not
    authorized to perform resolve_complete_inf
    o operation. [Root exception is org.omg.CORBA.NO_PERMISSION: Not
    authorized to perform resolve_complete_info operation.  vmcid:
    0x0 minor code: 0  completed: No]
            at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup
    (CNContextImpl.java:1844)
            at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup
    (CNContextImpl.java:1776)
            at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt
    (CNContextImpl.java:1433)
            at
    com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl
    java:615)
            at
    com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:165
            at
    com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:179
            at
    org.apache.aries.jndi.DelegateContext.lookup(DelegateContext
    java:161)
            at
    javax.naming.InitialContext.lookup(InitialContext.java:392)
            at com.ibm.otis.common.database.DataSourceConnection.
    initDataSource(DataSourceConnection.java:76)
            at
    com.ibm.otis.common.database.DataSourceConnection.<init>
    (DataSourceConnection.java:53)
            at
    com.ibm.otis.common.database.JDBCManager.initConnectionSourc
    (JDBCManager.java:123)
            at
    com.ibm.otis.common.database.JDBCManager.<init>(JDBCManager.
    java:107)
            at
    com.ibm.otis.common.database.JDBCManager.<init>(JDBCManager.
    java:95)
            at
    com.ibm.otis.common.database.DatabaseAccess.getJDBCManager
    (DatabaseAccess.java:974)
            at com.ibm.otis.common.database.DatabaseAccess.
    setTransactionIsolation(DatabaseAccess.java:167)
            at
    com.ibm.otis.events.EventManager$PollProcessing.process
    (EventManager.java:470)
            at com.ibm.otis.events.EventManager$PollProcessing.run
    (EventManager.java:169)
            at java.lang.Thread.run(Thread.java:662)
    Caused by: org.omg.CORBA.NO_PERMISSION: Not authorized to
    perform resolve_complete_info operation.  vmcid: 0x0  minor
    code: 0 completed: No
            at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.
    performAuthorizationCheck(WsnOptimizedNamingImplBase.java:4942)
            at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.
    resolve_complete_info(WsnOptimizedNamingImplBase.java:2289)
            at com.ibm.WsnOptimizedNaming._NamingContextStub.
    resolve_complete_info(_NamingContextStub.java:538)
            at
    com.ibm.ws.naming.jndicos.CNContextImpl$2.run(CNContextImpl.
    java:2957)
            at
    com.ibm.ws.naming.jndicos.CNContextImpl$2.run(CNContextImpl.
    java:2953)
            at
    com.ibm.ws.naming.util.CommonHelpers.retry(CommonHelpers.
    java:801)
            at com.ibm.ws.naming.jndicos.CNContextImpl.cosResolve
    (CNContextImpl.java:2951)
            at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup
    (CNContextImpl.java:1817)
            ... 17 more
    ___
    

Local fix

  • No work-around
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who restrict read access to the      *
    *                  CORBA CosNaming name service using role     *
    *                  based authorization.                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: The error org.omg.CORBA.NO_PERMISSION   *
    *                      occurs in deployment manager or         *
    *                      job manager logs on calls made by the   *
    *                      OTiS application.                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The OTiS application is a system application shipped on the
    deployment manager and job manager. OTiS accesses the name
    service on startup. If the user applies role restrictions on
    the CORBA CosNaming name service, OTiS may issue
    org.omg.CORBA.NO_PERMISSION messages as it fails to access the
    name service.
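
A triage sketch for the denials described above, added here as an example (it is not part of the APAR or IBM code). It parses SECJ0305I naming-authz entries from SystemOut.log text, whether wrapped as in the excerpt or on one line, and tags those whose thread ID also logged NO_PERMISSION together with com.ibm.otis frames in SystemErr.log. The function names, the second log entry and the thread-ID correlation are assumptions; the correlation is a heuristic.

```python
import re

# Constructed sample logs, modelled on the SystemOut.log / SystemErr.log excerpts above.
SYSTEM_OUT = """\
[4/26/12 8:34:56:652 EDT] 0000002b RoleBasedAuth A   SECJ0305I:
The role-based authorization check failed for naming-authz
operation NameServer:resolve_complete_info
The user UNAUTHENTICATED (unique ID: unauthenticated) was not
granted any of the following required roles: CosNamingWrite,
CosNamingRead, CosNamingDelete, CosNamingCreate.
[4/26/12 8:40:02:010 EDT] 00000044 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for naming-authz operation NameServer:resolve_complete_info The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: CosNamingRead.
"""
SYSTEM_ERR = """\
[4/26/12 8:59:58:796 EDT] 0000002b SystemErr     R javax.naming.NoPermissionException: NO_PERMISSION exception caught
        at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1844)
        at com.ibm.otis.common.database.DataSourceConnection.initDataSource(DataSourceConnection.java:76)
"""
HEADER = re.compile(r"^\[([^\]]+)\]\s+([0-9a-f]{8})\s+\S+\s+\S\s+(.*)$")
DENIAL = re.compile(r"SECJ0305I:.*?check failed for (\S+) operation (\S+) "
                    r"The user (.+?) \(unique ID: [^)]*\).*?required roles: ([^.]+)\.")

def entries(text):
    """Yield [timestamp, thread, message]; unprefixed lines continue the previous entry."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2), m.group(3).strip()]
        elif current and line.strip():
            current[2] += " " + line.strip()
    if current:
        yield current

def threads_with(text, needle):
    return {thread for _, thread, msg in entries(text) if needle in msg}

def naming_denials(system_out, system_err):
    """List SECJ0305I naming denials; 'otis' is a thread-ID heuristic, not proof of origin."""
    otis = threads_with(system_err, "NO_PERMISSION") & threads_with(system_err, "com.ibm.otis.")
    found = []
    for ts, thread, msg in entries(system_out):
        m = DENIAL.search(msg)
        if m and m.group(1) == "naming-authz":
            roles = [r.strip() for r in m.group(4).split(",")]
            found.append({"time": ts, "thread": thread, "operation": m.group(2),
                          "user": m.group(3), "roles": roles, "otis": thread in otis})
    return found
```

Denials that are not tagged as OTiS come from some other caller of the name service and are the ones to review against the role restriction.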
    

Problem conclusion

  • The OTiS system application was modified to allow it to access
    the name service.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.8 and 8.5.5.1.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM89476

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-05-21

  • Closed date

    2013-07-10

  • Last modified date

    2013-07-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
11 January 2022