PI45005: USE OF SAFRUNAS %%CLIENT%% CAN RESULT IN ICH408I MESSAGES TO BE ISSUED AGAINST THE HTTP SERVER USERID

Fixes are available

APAR status

Closed as program error.

Error description

Customer is attempting to use SAFRunAs %%CLIENT%% to force
requests to be issued under the userid used to log into the
server.  In certain configurations, like if the Alias is used,
the attempt will resulted in ICH408I errors issued against the
HTTP Server UserId rather than the userid used to log into the
server.

Errorlog will show
(111)EDC5111I Permission denied. (errno2=0xEF076015)

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  Customers using IBM HTTP Server's           *
*                  SAFRunAs directive with the %%CLIENT%%      *
*                  argument.                                   *
****************************************************************
* PROBLEM DESCRIPTION: A 403 is displayed when requesting a    *
*                      resource inaccessible to the            *
*                      webserver user, but accessible to the   *
*                      saf user.                               *
****************************************************************
* RECOMMENDATION:  Apply this fix if receving ICH408I errors   *
*                  for                                         *
*                  requests with SAFRunAs                      *
****************************************************************
Some early directory access checking is done by IHS before the
SAF user switch. That means if a directory is
inaccessible by the user the webserver runs as, access will be
denied before mod_authnz_saf ever gets a chance to switch to
a user who might be able to access it. This can emit various
errors in the access log - generally in the theme that access
to a directory was denied.

Problem conclusion

This fix adds a directive, SAFRunAsEarly, which makes
authnz_saf authenticate and switch users very early during
request processing. Note that SAFRunAsEarly must be placed in
a <location> block, and has no effect in <directory> blocks.

This applies only to SAFRunAs %%CLIENT%%. Other methods are
unchanged.

This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.41
- 8.0.0.12
- 8.5.5.8
- 9.0.0.0-PI49954

Temporary fix

Comments

APAR Information

APAR number
PI45005
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
85P
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-07-15
Closed date
2015-08-28
Last modified date
2015-10-22

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"85P","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022

Tips

PI45005: USE OF SAFRUNAS %%CLIENT%% CAN RESULT IN ICH408I MESSAGES TO BE ISSUED AGAINST THE HTTP SERVER USERID

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?