PK79602: APPLICATION CODE RUNNING IN A SERVANT REGION CANNOT ACCESS AN APPLICATION CUSTOM MBEAN WITH SECURITY ENABLED

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Application code running in a servant region cannot access an
  application custom MBean in that same server when security is
  enabled unless the application is running under an identity
  with Monitor access.
  .
  This works for WebSphere Application Server on Distributed
  6.0.2 platforms because the application server is all in one
  process.  On WebSphere Application Server for z/OS with the
  Controller Region (CR) / Servant Region (SR) split, there
  are security checks when calling from the CR where there is
  a dynamic proxy of the custom mbean to the SR where the actual
  mbean resides.
  .
  The failure seen may be similar to:
  .
  Trace: 2008/06/27 12:25:36.755 01 t=8CF4F8 c=12.2 key=P8
     Description: Log Boss/390 Error
     from filename: ./bborjtr.cpp
     at line: 932
     error message: BBOO0220E: SRVE0026E: Servlet Error
                                                 - HelloServlet:
  java.lang.reflect.UndeclaredThrowableException: ADMN0022E:
   Access is denied for the getVersionsForAllProducts operation
   on Server MBean because of insufficient or empty credentials.
  at com.ibm.ws.management.AdminServiceImpl$1.run
                                    (AdminServiceImpl.java:1087)
  at com.ibm.ws.security.util.AccessController.doPrivileged
                          (AccessController.java(Compiled Code))
  at com.ibm.ws.management.AdminServiceImpl.invoke
                                     (AdminServiceImpl.java:932)
  ...
   Caused by: javax.management.JMRuntimeException: ADMN0022E:
   Access is denied for the getVersionsForAllProducts operation
   on Server MBean because of insufficient or empty credentials.
  at com.ibm.ws.management.AdminServiceImpl.preInvoke
                          (AdminServiceImpl.java(Compiled Code))
  ...
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of WebSphere Application Server    *
  *                 V7.0 for z/OS with application custom MBean. *
  ****************************************************************
  * PROBLEM DESCRIPTION: User with valid role sometime is        *
  *                      unable to access application created    *
  *                      custom MBean.                           *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  java.lang.reflect.UndeclaredThrowableException: ADMN0022E:
  Access is denied for the <operation name> operation on <mbean
  name> MBean because of insufficient or empty credentials.
  at com.ibm.ws.management.AdminServiceImpl$1.run
  (AdminServiceImpl.java:1087)
  at com.ibm.ws.security.util.AccessController.doPrivileged
  (AccessController.java(Compiled Code))
  at com.ibm.ws.management.AdminServiceImpl.invoke
  (AdminServiceImpl.java:932)
  

Problem conclusion

• Changed admin authorization code to allow valid user to access
  application custom MBean.
  
  APAR PK79602 is currently targeted for inclusion in Service
  Level (Fix Pack) 7.0.0.5 of WebSphere Application Server V7.0
  for z/OS.
  
  Please refer to URL:
  //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
  for Fix Pack availability.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PK78683

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBSPHERE FOR Z

• Fixed component ID

  5655I3500

Applicable component levels

• R700 PSY UK48200

     UP09/07/27 P F907

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.