IBM Support

PI66183: When MFA is configured, SAFRunAs fails with a permission error

Fixes are available

9.0.0.1: WebSphere Application Server traditional V9.0 Fix Pack 1
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • MFA issues
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server with Multi Factor  *
    *                  Authentication (MFA) for z/OS.              *
    ****************************************************************
    * PROBLEM DESCRIPTION: When MFA is configured, SAFRunAs fails  *
    *                      with a permission error.                *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if using MFA + IHS           *
    *                  directive                                   *
    *                  "SAFRunAs"                                  *
    ****************************************************************
    When using SAFRunAs under MFA, mod_authnz_saf cannot switch
    userid for users logged in using MFA.
    

Problem conclusion

  • IHS was updated to pass a NULL password to
    pthread_security_np() AND to use _DAEMON_SECURITY_ENV
    when MFA has authenticated the user.
    
    IHS must have UPDATE access to BPX.DAEMON resource class to
    allow SAFRunAs to succeed.
    
    
    The fix for this issue is planned for IHS fixpacks:
     - 9.0.0.1
     - 8.5.5.11
    
    (MFA does not support older IHS releases)
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI66183

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-20

  • Closed date

    2016-08-24

  • Last modified date

    2020-05-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022