
Pinned topic SECJ6237E in deployment manager.

‏2011-04-26T14:13:36Z |
Hello!
I have reconfigured our Test cell with the beta drop 3 code on z/OS.
When the Deployment Manager starts for the first time I see
this message in the sysout:
BBOO0220E: SECJ6237E: Authorization failed. The SAF user WIKBGST does not have READ access to any of the following SAF profiles in the EJBROLE class: ÝWASIKBC.administrator, WASIKBC.adminsecuritymanager, WASIKBC.auditor, WASIKBC.configurator, WASIKBC.deployer, WASIKBC.monitor, WASIKBC.operator.

My question is, the user account WIKBGST has never before needed access to those roles, and I wonder if it is correct that it needs them now?

I also see this message when I start the Node Agent for the first time.
BBOO0220E: SECJ6237E: Authorization failed. The SAF user WIKBCTL does not have READ access to any of the following SAF profiles in the EJBROLE class: ÝWASIKBC.adminsecuritymanager

The same applies to this as above, WIKBCTL has never before needed access to the role WASIKBC.adminsecuritymanager and I wonder if it is correct that it needs it now?

Kind regards
Katarina
Updated on 2011-04-29T04:23:35Z at 2011-04-29T04:23:35Z by SystemAdmin
  • kark

    Re: SECJ6237E in deployment manager.

    ‏2011-04-26T23:34:36Z  in response to SystemAdmin
    Hi,

    Do you see the first message when you start the deployment manager or when you log in to the admin console? Is WIKBGST the WSGUEST id? If so, it should not be typically given any access to the admin roles. We will look into this more (could not reproduce this in our initial attempts) and provide updates. As far as you can tell, do you see anything failing because of this error message?

    How are you starting the node agent? Using the adminConsole? Unless you are doing any actions related to fine grain administration (starting the node agent isn't one) you need not give access to the adminsecuritymanager role. We think this message is a side-effect of one of the changes that went in, and once we confirm that, we will fix the code not to issue the message. Please confirm if you are seeing any issues because of this message.

    Can you provide the security trace (com.ibm.ws.security.*=all:com.ibm.ws.security.policy.*=off) when you see these messages?

    --Ajay
    • SystemAdmin

      Re: SECJ6237E in deployment manager.

      ‏2011-04-27T07:52:54Z  in response to kark
      Hi!

      The first message occurs when I start the deployment manager. WIKBGST is indeed the WSGUEST user id and as you state should not be given any access to the admin roles.
      I see this message when this happens: "java.lang.Exception: <WAS_INSTALL_ROOT>/features directory does not exist or is". I think it is correlated to the security message but am not sure.
      The node agent is started via system automation and we do nothing special at startup. I don't see any issues regarding the security message in the node agent.

      I will restart both the deployment manager and the node agent with the trace options you provided on. Do you want me to attach the files in this forum?
      • SystemAdmin

        Re: SECJ6237E in deployment manager.

        ‏2011-04-27T14:20:28Z  in response to SystemAdmin
        Hi, Katarina,
        I work with Ajay on the Security development team. In addition to the trace Ajay mentioned, please also gather native security trace. To enable this trace from startup, you can create the following WAS environment variable for your deployment manager:
        ras_trace_detail=e

        Please attach the traces to the forum.

        Thanks,
        Elisa
    • SystemAdmin

      Re: SECJ6237E in deployment manager.

      ‏2011-04-28T07:05:23Z  in response to kark
      Hi!

      Here is the trace from the Deployment Manager. Since the sysout was quite big I've cut it a bit, hope it's enough. Hope you will be able to read it.

      Kind regards
      Katarina
      • SystemAdmin

        Re: SECJ6237E in deployment manager.

        ‏2011-04-28T15:56:52Z  in response to SystemAdmin
        Thanks, this is very useful. The java.lang.Exception error you pointed out about the <WAS_INSTALL_ROOT>/features is definitely related to the SECJ6237E error message for your guest id. I am investigating more why this is occurring, as I'm not able to recreate on my system.

        Elisa
      • SystemAdmin

        Re: SECJ6237E in deployment manager.

        ‏2011-04-28T19:50:41Z  in response to SystemAdmin
        Katarina,
        This is a known defect, and we are working on a fix. The SECJ6237E followed by the java.lang.Exception for the <WAS_INSTALL_ROOT>/feature should only affect being able to access the help panels in the administrative console. You should not see any functional issues, other than not being able to access the help panels. As a workaround, you can bypass the administrative console help, and directly reference the v8 Beta Information Center here:

        http://publib.boulder.ibm.com/infocenter/wasinfo/beta/index.jsp

        Thanks,
        Elisa
        • SystemAdmin

          Re: SECJ6237E in deployment manager.

          ‏2011-04-29T04:23:35Z  in response to SystemAdmin
          Hi!

          Great, good to know it's a known issue and does not really affect anything really important. Thank you for your help and quick response.

          Kind regards
          Katarina
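
Added example, not part of any post in this thread and not IBM code: a Python sketch that parses SECJ6237E messages of the form quoted in the first post and separates denials of the guest ID against administrative roles (which the replies say should stay denied) from denials that need a closer look. The function names and the operator-supplied `guest_ids` set are assumptions.

```python
import re
from collections import defaultdict

# The two messages quoted in the thread, plus one constructed unrelated line.
SAMPLE_SYSOUT = """\
BBOO0220E: SECJ6237E: Authorization failed. The SAF user WIKBGST does not have READ access to any of the following SAF profiles in the EJBROLE class: ÝWASIKBC.administrator, WASIKBC.adminsecuritymanager, WASIKBC.auditor, WASIKBC.configurator, WASIKBC.deployer, WASIKBC.monitor, WASIKBC.operator.
BBOO0220E: SECJ6237E: Authorization failed. The SAF user WIKBCTL does not have READ access to any of the following SAF profiles in the EJBROLE class: ÝWASIKBC.adminsecuritymanager
constructed line: unrelated server output
"""

# Administrative role names as they appear in the first message.
ADMIN_ROLES = {"administrator", "adminsecuritymanager", "auditor",
               "configurator", "deployer", "monitor", "operator"}

SECJ6237E = re.compile(
    r"SECJ6237E: Authorization failed\. The SAF user (?P<user>\S+) does not "
    r"have (?P<access>\w+) access to any of the following SAF profiles in "
    r"the (?P<cls>\w+) class: (?P<profiles>.+)$")

def parse_denials(sysout):
    """Return {saf_user: set of denied profile names} from SECJ6237E lines."""
    denied = defaultdict(set)
    for line in sysout.splitlines():
        m = SECJ6237E.search(line)
        if m is None:
            continue
        for item in m.group("profiles").split(","):
            # Assumption: the leading 'Ý' is a garbled '[' around the list.
            profile = item.strip().strip("[]Ý.")
            if profile:
                denied[m.group("user")].add(profile)
    return dict(denied)

def triage(denied, guest_ids):
    """Guest ID denied only admin roles is expected; everything else is reviewed."""
    expected, review = {}, {}
    for user, profiles in denied.items():
        only_admin = all(p.rsplit(".", 1)[-1] in ADMIN_ROLES for p in profiles)
        bucket = expected if user in guest_ids and only_admin else review
        bucket[user] = sorted(profiles)
    return expected, review

if __name__ == "__main__":
    expected, review = triage(parse_denials(SAMPLE_SYSOUT), guest_ids={"WIKBGST"})
    print("expected denials (leave as is):", expected)
    print("review before changing any SAF permission:", review)
```
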