A fix is available
APAR status
Closed as program error.
Error description
The customer sets com.ibm.security.SAF.Authz.Log.Option=DEFAULT. The customer attempts to access the adminconsole with a user id that does not have access to any of the adminconsole EJBROLE profiles. The infocenter indicates that when com.ibm.security.SAF. Authz.Log.Option=ASIS or is not set, there will be one ICH408I message for each EJBROLE the user has no permission to. The infocenter indicates that When com.ibm.security.SAF.Authz.Log.Option=DEFAULT, the user is supposed to receive one ICH408I error indicating that the user does not have access to any of the EJBROLEs in the set being checked. This is to reduce the number of ICH408I messages generated by these EJBROLE checks, but still provide an audit that an unauthorized user attempted to perform protected adminconsole operations. - Currently, if com.ibm.security.SAF.Authz.Log.Option=DEFAULT, then no ICH408I messages are issued when an unauthorized user id attempts protected adminconsole operations.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V7.0 for z/OS that use System * * Authorization Facility (SAF) with the * * DEFAULT audit record strategy. * **************************************************************** * PROBLEM DESCRIPTION: SAF error messages are not logged * * for an unauthorized administrative * * console user for the DEFAULT audit * * record strategy. * **************************************************************** * RECOMMENDATION: * **************************************************************** SAF error messages for role-check violations are intentionally suppressed for the administrative console to reduce the number of logged messages.
Problem conclusion
The code was corrected to log these messages when new security custom property com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin is explicitly set to false. The default value for this property is true. APAR PK72465 requires changes to documentation. NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library The following Change to the WebSphere Application Server Version 7.0 Information Center will be made. The description of the Suppress RACF EJBRole audit messages functionality that is contained in the topic "z/OS System Authorization Facility authorization" will be updated to read as follows: Suppress RACF EJBRole audit messages Specifies whether ICH408I messages are on or off. System Management Facility (SMF) records access violations no matter what value is specified for this new property. This property affects the generation of access violation messages for both application-defined roles and for application server run-time-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative and programmatic checks: Declarative checks are coded as security constraints in Web applications and deployment descriptors are coded as security constraints in Enterprise JavaBeans (EJB) files. This property is not used to control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation for that role. Program logic checks or access checks are performed using the programmatic isCallerinRole(x) method for enterprise beans or isUserInRole(x) method for Web applications. If the SMF audit record strategy property is set to ASIS, NOFAIL, or NONE, the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that are generated by this call. Message suppression is always enabled for administrative roles if the SMF audit record strategy property is set to Default. For more information on SAF authorization, see "Controlling access to console users when using a Local OS registry" in the information center. For more information on administrative roles, see "Administrative roles" in the information center. Avoid Trouble: 1. If you you are running on Version 7.0.0.5, or later, and do not want administrative role messages suppressed when the SMF audit record strategy is set to Default, set the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin property to false. The value specified for this property overrides any other setting that governs message suppression for administrative roles. 2. When a third-party authorization such as Tivoli Access Manager or SAF for z/OS is used, the information in the administrative console panel might not represent the data in the provider. Also, any changes to the panel might not be reflected in the provider automatically. Follow the provider's instructions to propagate any changes made to the provider. Default: Disabled, which does not suppress messages. APAR P72465 is currently targeted for inclusion in Service Level (Fix Pack) 7.0.0.5 of WebSphere Application Server V7.0 for z/OS. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PK72465
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST
Submitted date
2008-09-19
Closed date
2009-01-13
Last modified date
2009-08-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R500 PSN
UP
R601 PSN
UP
R610 PSN
UP
R700 PSY UK48200
UP09/07/27 P F907
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
10 February 2022