IBM Support

PK72465: NO ICH408I MESSAGES ISSUED FOR EJBROLE CHECK FAILURES FOR ADMIN USERS WHEN COM.IBM.SECURITY.SAF.AUTHZ.LOG.OPTION=DEFAULT

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The customer sets com.ibm.security.SAF.Authz.Log.Option=DEFAULT.
    The customer attempts to access the adminconsole with a user id
    that does not have access to any of the adminconsole EJBROLE
    profiles. The infocenter indicates that when
    com.ibm.security.SAF. Authz.Log.Option=ASIS or is not set, there
    will be one ICH408I message for each EJBROLE the user has no
    permission to.
    The infocenter indicates that When
    com.ibm.security.SAF.Authz.Log.Option=DEFAULT, the user is
    supposed to receive one ICH408I error indicating that the user
    does not have access to any of the EJBROLEs in the set being
    checked. This is to reduce the number of ICH408I messages
    generated by these EJBROLE checks, but still provide an audit
    that an unauthorized user attempted to perform
    protected adminconsole operations.
    -
    Currently, if com.ibm.security.SAF.Authz.Log.Option=DEFAULT,
    then no ICH408I messages are issued when an unauthorized user id
    attempts protected adminconsole operations.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere Application Server    *
    *                 V7.0 for z/OS that use System                *
    *                 Authorization Facility (SAF) with the        *
    *                 DEFAULT audit record strategy.               *
    ****************************************************************
    * PROBLEM DESCRIPTION: SAF error messages are not logged       *
    *                      for an unauthorized administrative      *
    *                      console user for the DEFAULT audit      *
    *                      record strategy.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    SAF error messages for role-check violations are intentionally
    suppressed for the administrative console to reduce the number
    of logged messages.
    

Problem conclusion

  • The code was corrected to log these messages when new security
    custom property
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin is
    explicitly set to false.  The default value for this property
    is true.
    
    
    APAR PK72465 requires changes to documentation.
    
    NOTE: Periodically, we refresh the documentation on our
    Web site, so the changes might have been made before you
    read this text. To access the latest on-line
    documentation, go to the product library page at:
    
    http://www.ibm.com/software/webservers/appserv/library
    
    The following Change to the WebSphere Application
    Server Version 7.0 Information Center will be made.
    
    The description of the Suppress RACF EJBRole audit
    messages functionality that is contained in the topic
    "z/OS System Authorization Facility authorization"
    will be updated to read as follows:
    
    Suppress RACF EJBRole audit messages
    
    Specifies whether ICH408I messages are on or off.
    
    System Management Facility (SMF) records access violations
    no matter what value is specified for this new property.
    This property affects the generation of access violation
    messages for both application-defined roles and for
    application server run-time-defined roles for the naming
    and administrative subsystems. EJBROLE profile checks are
    done for both declarative and programmatic checks:
    
    Declarative checks are coded as security constraints in
    Web applications and deployment descriptors are coded as
    security constraints in Enterprise JavaBeans (EJB) files.
    This property is not used to control messages in this
    case. Instead, a set of roles is permitted, and if an
    access violation occurs, an ICH408I access violation
    message indicates a failure for one of the roles. SMF
    then logs a single access violation for that role.
    
    Program logic checks or access checks are performed using
    the programmatic isCallerinRole(x) method for enterprise
    beans or isUserInRole(x) method for Web applications. If
    the SMF audit record strategy property is set to ASIS,
    NOFAIL, or NONE, the
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
    property controls the messages that are generated by this
    call. Message suppression is always enabled for
    administrative roles if the SMF audit record strategy
    property is set to Default.
    
    For more information on SAF authorization, see "Controlling
    access to console users when using a Local OS registry" in the
    information center. For more information on administrative
    roles, see "Administrative roles" in the information center.
    
    Avoid Trouble:
    
    1. If you you are running on Version 7.0.0.5, or later, and
    do not want administrative role messages suppressed when
    the SMF audit record strategy is set to Default, set the
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin
    property to false. The value specified for this property
    overrides any other setting that governs message suppression
    for administrative roles.
    
    2. When a third-party authorization such as Tivoli Access
    Manager or SAF for z/OS is used, the information in the
    administrative console panel might not represent the data in
    the provider. Also, any changes to the panel might not be
    reflected in the provider automatically. Follow the
    provider's instructions to propagate any changes made to the
    provider.
    
    Default: Disabled, which does not suppress messages.
    
    APAR P72465 is currently targeted for inclusion in Service
    Level (Fix Pack) 7.0.0.5 of WebSphere Application Server V7.0
    for z/OS.
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK72465

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / CST

  • Submitted date

    2008-09-19

  • Closed date

    2009-01-13

  • Last modified date

    2009-08-10

  • APAR is sysrouted FROM one or more of the following:

    PK72451

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R500 PSN

       UP

  • R601 PSN

       UP

  • R610 PSN

       UP

  • R700 PSY UK48200

       UP09/07/27 P F907

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
10 February 2022