IBM Support

PI45005: USE OF SAFRUNAS %%CLIENT%% CAN RESULT IN ICH408I MESSAGES TO BE ISSUED AGAINST THE HTTP SERVER USERID


APAR status

  • Closed as program error.

Error description

  • Customer is attempting to use SAFRunAs %%CLIENT%% to force
    requests to be issued under the userid used to log into the
    server.  In certain configurations, such as when the Alias is
    used, the attempt will result in ICH408I errors issued against
    the HTTP Server UserId rather than the userid used to log into
    the server.
    
    The error log will show:
    (111)EDC5111I Permission denied. (errno2=0xEF076015)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Customers using IBM HTTP Server's           *
    *                  SAFRunAs directive with the %%CLIENT%%      *
    *                  argument.                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: A 403 is displayed when requesting a    *
    *                      resource inaccessible to the            *
    *                      webserver user, but accessible to the   *
    *                      saf user.                               *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if receiving ICH408I errors  *
    *                  for requests with SAFRunAs                  *
    ****************************************************************
    IHS performs some early directory access checking before the
    SAF user switch. That means if a directory is inaccessible to
    the user the webserver runs as, access will be denied before
    mod_authnz_saf ever gets a chance to switch to a user who might
    be able to access it. This can emit various errors in the
    access log, generally on the theme that access to a directory
    was denied.
    

Problem conclusion

  • This fix adds a directive, SAFRunAsEarly, which makes
    authnz_saf authenticate and switch users very early during
    request processing. Note that SAFRunAsEarly must be placed in
    a <location> block, and has no effect in <directory> blocks.
    
    This applies only to SAFRunAs %%CLIENT%%. Other methods are
    unchanged.
    
    This fix is targeted for IBM HTTP Server fix packs:
    - 7.0.0.41
    - 8.0.0.12
    - 8.5.5.8
    - 9.0.0.0-PI49954
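
A configuration check based on the placement rule above, as an added example (not IBM's code): it flags SAFRunAsEarly outside a <Location> block, and <Location> blocks that use SAFRunAs %%CLIENT%% without it. The sample configuration is constructed, and the `On` argument to SAFRunAsEarly is an assumption, since the APAR does not show the directive's syntax.

```python
import re
# Constructed sample config, not from the APAR. The "On" argument is an
# assumption: the APAR names SAFRunAsEarly but does not show its syntax.
SAMPLE_CONF = """\
<Directory /u/webdata/private>
    SAFRunAs %%CLIENT%%
    SAFRunAsEarly On
</Directory>
<Location /private>
    SAFRunAs %%CLIENT%%
</Location>
<Location /reports>
    SAFRunAs %%CLIENT%%
    SAFRunAsEarly On
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\b([^>]*)>$")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>$")

def _check(kind, arg, seen):
    """Findings for one closed container, given the directives seen in it."""
    out = []
    early, runas = seen.get("safrunasearly"), seen.get("safrunas")
    if early and kind != "location":
        out.append((early[0], f"SAFRunAsEarly in <{kind} {arg}>: "
                              "only takes effect in a <Location> block"))
    early_on = bool(early) and early[1].lower() != "off"  # assumed On/Off form
    if kind == "location" and runas and runas[1].upper() == "%%CLIENT%%" and not early_on:
        out.append((runas[0], f"<location {arg}>: SAFRunAs %%CLIENT%% without "
                              "SAFRunAsEarly, user switch follows early directory checks"))
    return out

def lint_saf_runas(conf_text):
    """Return sorted (line_no, message) findings for SAFRunAs placement."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                findings += _check(*stack.pop())
        elif (opened := OPEN.match(line)):
            stack.append((opened.group(1).lower(), opened.group(2).strip(), {}))
        elif stack:
            name, _, args = line.partition(" ")
            stack[-1][2][name.lower()] = (no, args.strip())
    return sorted(findings)
```

The second finding is advisory: it matters only where the target directory is inaccessible to the userid the web server runs as.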
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI45005

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    85P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-07-15

  • Closed date

    2015-08-28

  • Last modified date

    2015-10-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
28 April 2022