JR54206: BACKGROUND THREADS IN INFORMATION SERVER INSTALLATIONS WITH WEBSPHERE CLUSTER USE THE WRONG SECURITY DOMAIN

APAR status

• Closed as program error.

Error description

• USERS AFFECTED:
  InfoSphere Information Server 11.3 and 11.5 installations in a
  WebSphere cluster configuration.
  
  
  PROBLEM DESCRIPTION:
  For InfoSphere Information Server 11.3 & 11.5, the installation
  configures a separate security domain for the InfoSphere
  Information Server applications.  However, the security domain
  during the applications initialization is set to the global
  security administrator domain.  The background scheduler
  threads are created during the initialization phase and they
  inherit the global security administrator domain and that
  setting does not get changed after initialization.  As a
  consequence, if a background task needs to validate that the
  user who submitted the task has the proper roles, that user is
  checked against the global registry and if it is not configured
  to be the same as the IBM_Information_Server_sd security
  domain, the user may not be found.  If this happens, you will
  see errors like this in the WebSphere application server
  profile's SystemOut.log like this:
  
  [5/6/15 12:24:00:330 EDT] 000000b4 ASBHelper     E   Failed to
  login to execute task for schedule
  [d70c6594.80cb2b5c.323kon42a.vf9sgpq.flj5a9.kkbagc5g9mrs52cv66nh
  k], execution ID is
  [mysystem1001Node01_dev/myprofile-d70c6594.80cb2b5c.323kon42a.vf
  9sgpq.flj5a9.kkbagc5g9mrs52cv66nhk-a59b8c6a-e83f-4e2f-a004-61b5f
  c0c6421], execution date is [05/06/15 12:24:00:2 PM], scheduled
  execution date is [05/06/15 12:24:00:0 PM], service name is
  [EventHandlerTaskExecutionService]: User [myuser] is not found
  in the repository
  
  
  Another symptom of this problem is when the background task
  fails and in the SystemOut.log file you find errors like this:
  
  [8/21/15 10:34:01:217 EDT] 000000bd WASJ2EEDirect W
  com.ibm.iis.isf.j2ee.impl.was.security.WASJ2EEDirectoryImpl
  getVmmUsers NOT RE-THROWN
  
  java.security.PrivilegedActionException:
  com.ibm.websphere.wim.exception.WIMException
  
  where you see in the stack trace:
  
  Caused by: java.lang.NullPointerException
      at
  org.eclipse.emf.ecore.impl.EClassImpl.getFeatureID(EClassImpl.ja
  va:894)
  

Local fix

• This problem can be fixed by going into the WebSphere
  administration console:
  Click Security > Global security > Custom Properties and add
  the com.ibm.websphere.security.useAppContextForServletInit
  custom property and set it to true.
  
  Restart the entire cluster including the deployment manager and
  node agents.
  
  Note that this is a cell wide setting.  The long term fix will
  be a code change that will limit the setting to InfoSphere.
  
  Problem conclusion:
  
  Set the setting
  com.ibm.websphere.security.useAppContextForServletInit in the
  global security configuration or apply the APAR fix when it is
  available.
  

Problem summary

• ****************************************************************
  USERS AFFECTED:
  11.3 & 11.5 installations in a WebSphere cluster configuration
  ****************************************************************
  PROBLEM DESCRIPTION:
  For InfoSphere Information Server 11.3 & 11.5, the installation
  configures a separate security domain for the InfoSphere
  Information Server applications.  However, the security domain
  during the applications initialization is set to the global
  security administrator domain.  The background scheduler threads
  are created during the initialization phase and they inherit the
  global security administrator domain and that setting does not
  get changed after initialization.  As a consequence, if a
  background task needs to validate that the user who submitted
  the task has the proper roles, that user is checked against the
  global registry and if it is not configured to be the same as
  the IBM_Information_Server_sd security domain, the user may not
  be found.  If this happens, you will see errors like this in the
  WebSphere application server profile's SystemOut.log like this:
  
  [5/6/15 12:24:00:330 EDT] 000000b4 ASBHelper     E   Failed to
  login to execute task for schedule
  [d70c6594.80cb2b5c.323kon42a.vf9sgpq.flj5a9.kkbagc5g9mrs52cv66nh
  k], execution ID is
  [mysystem1001Node01_dev/myprofile-d70c6594.80cb2b5c.323kon42a.vf
  9sgpq.flj5a9.kkbagc5g9mrs52cv66nhk-a59b8c6a-e83f-4e2f-a004-61b5f
  c0c6421],
  execution date is [05/06/15 12:24:00:2 PM],
  scheduled execution date is [05/06/15 12:24:00:0 PM],
  service name is [EventHandlerTaskExecutionService]:
  User [myuser] is not found  in the repository
  
  Another symptom of this problem is when the background task
  fails and in the SystemOut.log file you find errors like this:
  [8/21/15 10:34:01:217 EDT] 000000bd WASJ2EEDirect W
  com.ibm.iis.isf.j2ee.impl.was.security.WASJ2EEDirectoryImpl
  getVmmUsers NOT RE-THROWN
  
  java.security.PrivilegedActionException:
  com.ibm.websphere.wim.exception.WIMException
  
  where you see in the stack trace:
  Caused by: java.lang.NullPointerException
      at
  org.eclipse.emf.ecore.impl.EClassImpl.getFeatureID(EClassImpl.ja
  va:894)
  ****************************************************************
  RECOMMENDATION:
  Change the WAS setting described in Local Fix or apply the fix
  included in ISF 11.3 rollup patch 3, or ISF 11.5 rollup patch 8,
  or Information Server 11.5 Service Pack 2.
  ****************************************************************
  

Problem conclusion

• Change code to limit the setting of useAppContextForServletInit
  to InfoSphere
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WIS INFORM ANAL

• Fixed component ID

  5724Q36IA

Applicable component levels

• RB30 PSY

     UP

• RB31 PSY

     UP

• RB50 PSY

     UP