IBM Support

PM98011: ORG.OMG.CORBA.NO_PERMISSION ERROR WHEN EJB CALLS ARE MADE FROM ONE SERVER TO ANOTHER IN THE SAME SECURITY DOMAIN

Fixes are available

8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21


 

APAR status

  • Closed as program error.

Error description

  • When server A makes an EJB call to server B, both of which are in
    the same cell and part of the same domain, the following exception
    is seen:
    
    org.omg.CORBA.NO_PERMISSION: Authentication failed. Could not
    validate Client Authentication Token and/or Client Certificates
    during Identity Assertion  vmcid: 0x49424000  minor code: 30D
    completed: No
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who use security domain              *
    *                  configuration                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: When CosNamingRead is allowed to        *
    *                      EVERYONE, WebSphere still performs      *
    *                      naming authority check authenticating   *
    *                      the user first.                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When CosNamingRead is allowed to EVERYONE, WebSphere
    Application Server still performs a Naming authority check by
    authenticating the user first.
    When both of the following conditions hold, authentication
    fails before the authorization check because the login is
    performed against global security:
    (1) The server that is receiving the request is
    configured with a security domain.
    (2) The user credential that came with the request belongs to
    the security domain only.
    Since CosNamingRead is allowed to EVERYONE, the
    application server should just skip the naming authority
    check.  The unnecessary authentication causes the request
    to fail.
    Please refer to the following document for the design of the
    Naming check being performed against global security in a
    security domain environment:
    http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Fcsec_sec_multiple_domains.html
    

Problem conclusion

  • The code has been updated to check the CosNamingRead
    configuration first, before proceeding with authentication
    using the global security realm.  If CosNamingRead is set to
    EVERYONE, the naming check will not be performed.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.9 and 8.5.5.2.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
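
The ordering change described above, shown as a simplified model added here for illustration. It is not IBM's code: the class, method, realm and user names are hypothetical, and the sample data is constructed.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the check ordering described in this APAR.
// Not WebSphere code: every name below is hypothetical.
public class NamingCheckOrder {
    static final String EVERYONE = "EVERYONE";

    // Constructed sample data: users known to each realm.
    static final Map<String, Set<String>> REALM_USERS = Map.of(
        "globalRealm", Set.of("wasadmin"),
        "domainRealm", Set.of("appuser"));

    // Subjects granted the CosNamingRead role.
    static final Set<String> COS_NAMING_READ = Set.of(EVERYONE);

    static boolean authenticate(String realm, String user) {
        return REALM_USERS.getOrDefault(realm, Set.of()).contains(user);
    }

    // Before the fix: log in against global security first, then
    // evaluate the role. A domain-only user never reaches the role check.
    static boolean namingCheckBefore(String user) {
        if (!authenticate("globalRealm", user)) {
            throw new SecurityException("NO_PERMISSION: authentication failed");
        }
        return COS_NAMING_READ.contains(EVERYONE) || COS_NAMING_READ.contains(user);
    }

    // After the fix: consult the role configuration first and skip the
    // naming check entirely when CosNamingRead is granted to EVERYONE.
    static boolean namingCheckAfter(String user) {
        if (COS_NAMING_READ.contains(EVERYONE)) {
            return true; // no login attempted
        }
        if (!authenticate("globalRealm", user)) {
            throw new SecurityException("NO_PERMISSION: authentication failed");
        }
        return COS_NAMING_READ.contains(user);
    }

    public static void main(String[] args) {
        String user = "appuser"; // exists only in the security domain realm
        try {
            namingCheckBefore(user);
        } catch (SecurityException e) {
            System.out.println("before fix: " + e.getMessage());
        }
        System.out.println("after fix: allowed=" + namingCheckAfter(user));
    }
}
```

If CosNamingRead is restricted to specific subjects rather than EVERYONE, the second path still authenticates against the global realm, which matches the design referenced in the problem summary.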
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM98011

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-27

  • Closed date

    2013-11-18

  • Last modified date

    2013-11-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
28 April 2022