IBM Support

PH03768: ENTRYNOTFOUNDEXCEPTION SAFGRP IS NOT A VALID GROUP


APAR status

  • Closed as program error.

Error description

  • USERID login in Liberty for z/OS running with a SAF user
    registry experiences an FFDC entry with:
    
    FFDC1015I: An FFDC Incident has been created:
    "com.ibm.ws.security.registry.EntryNotFoundException: SAFGRP is not a valid group
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgeEntity:
    
    Where SAFGRP is a valid SAF group with an OMVS segment with
    unique GID, and USERID is a valid user in SAF with an OMVS
    segment with unique UID.
    
    Stack Dump =
    com.ibm.wsspi.security.wim.exception.WIMApplicationException:
    CWIML4505E: The user registry was unable to get the entity USERID due to an underlying error :
    com.ibm.wsspi.security.wim.exception.WIMApplicationException:
    com.ibm.ws.security.registry.EntryNotFoundException: SAFGRP is not a valid group
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgePerson.getGroupsForUser
    com.ibm.ws.security.wim.adapter.urbridge.URBridge.get
    com.ibm.ws.security.wim.ProfileManager.getImpl
    com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod
    com.ibm.ws.security.wim.ProfileManager.get
    com.ibm.ws.security.wim.VMMService.get
    com.ibm.ws.security.wim.registry.util.MembershipBridge.getUniqueGroupIds
    com.ibm.ws.security.wim.registry.WIMUserRegistry.getUniqueGroupIdsForUser
    com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider.getUniqueGroupAccessIds
    com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider.createUserWSCredential
    com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider.setCredential
    com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider.setCredential
    com.ibm.ws.security.credentials.internal.CredentialsServiceImpl.setCredentials
    com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.setCredentials
    com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.setUpTemporarySubject
    com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login
    com.ibm.ws.kernel.boot.security.LoginModuleProxy.login
    sun.reflect.NativeMethodAccessorImpl.invoke0
    sun.reflect.NativeMethodAccessorImpl.invoke
    sun.reflect.DelegatingMethodAccessorImpl.invoke
    java.lang.reflect.Method.invoke
    javax.security.auth.login.LoginContext.invoke
    javax.security.auth.login.LoginContext.access$000
    javax.security.auth.login.LoginContext$4.run
    javax.security.auth.login.LoginContext$4.run
    java.security.AccessController.doPrivileged
    javax.security.auth.login.LoginContext.invokePriv
    javax.security.auth.login.LoginContext.login
    ....
    
    Enabling the trace:
    *=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:zos.native.03=all
    
    shows:
    Trace:  t=ac2140 key=P8 (3002001)
    Description: isValidGroup return
    Function: ntv_isValidGroup
    egroup: SAFGRP
    isValid: 0
    rc: 2
    errno: 2
    errno2: c936006a
    
    with stacktrace:
    com.ibm.ws.security.registry.EntryNotFoundException < <init> Exit
    com.ibm.ws.security.registry.EntryNotFoundException: SAFGRP is not a valid group
    com.ibm.ws.security.registry.saf.internal.SAFRegistry.getUniqueGroupId
    com.ibm.ws.security.registry.saf.internal.SAFDelegatingUserRegistry.getUniqueGroupId
    com.ibm.ws.security.wim.adapter.urbridge.URBridge.getUniqueGroupId
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgeGroup.getUniqueIdForEntity
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgeEntity.getUniqueId
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgeEntity.setIdentifierProperties
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgeEntity.populateEntity
    com.ibm.ws.security.wim.adapter.urbridge.utils.URBridgePerson.getGroupsForUser
    ....
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty for z/OS and WebSphere       *
    *                  Optimized Local Adapters                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: SAF group validation fails even though  *
    *                      all indications are that the group      *
    *                      should be considered valid              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The group validation is done with the getgrnam_r function. This
    function is passed a buffer in which the group contents are
    stored. If this buffer is not large enough the getgrnam_r
    function fails which in turn causes the group validation to
    fail.
    

Problem conclusion

  • Function was added to retry the getgrnam_r function with the
    buffer size doubled 3 times before failing. Tracing was added to
    indicate the buffer size used on the last execution of the
    getgrnam_r function.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.4.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
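
    The retry behaviour described above, sketched against the POSIX
    getgrnam_r contract as an added example; it is not IBM's code. The
    names is_valid_group, grnam_fn and big_group_lookup, the 3000-byte
    entry and the caller-chosen initial buffer size are assumptions.

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Same signature as POSIX getgrnam_r, so production code passes
 * getgrnam_r itself and a test passes a stand-in (hypothetical type). */
typedef int (*grnam_fn)(const char *, struct group *, char *, size_t,
                        struct group **);

/* Returns 1 if the group exists, 0 if the registry says it does not,
 * and -1 on a lookup error, including a buffer that is still too small
 * after max_doublings retries. Keeping -1 apart from 0 stops a sizing
 * failure from being reported as "not a valid group".
 * *last_len receives the buffer size used on the final call. */
int is_valid_group(grnam_fn lookup, const char *name, size_t buflen,
                   int max_doublings, size_t *last_len)
{
    for (int attempt = 0; ; attempt++) {
        struct group grp, *result = NULL;
        char *buf = malloc(buflen);
        if (buf == NULL)
            return -1;
        int rc = lookup(name, &grp, buf, buflen, &result);
        free(buf);
        *last_len = buflen;
        if (rc == 0)
            return result != NULL;   /* NULL result: no such group */
        if (rc != ERANGE || attempt == max_doublings)
            return -1;               /* real error or retries exhausted */
        if (buflen > (size_t)-1 / 2)
            return -1;               /* doubling would overflow size_t */
        buflen *= 2;
    }
}

/* Constructed stand-in: a group whose entry needs 3000 bytes. */
int big_group_lookup(const char *name, struct group *grp, char *buf,
                     size_t buflen, struct group **result)
{
    (void)name; (void)buf;
    *result = NULL;
    if (buflen < 3000)
        return ERANGE;               /* buffer too small for the entry */
    memset(grp, 0, sizeof *grp);
    *result = grp;
    return 0;
}
```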
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH03768

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-08

  • Closed date

    2018-11-06

  • Last modified date

    2018-11-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • RCD0 PSY

       UP

Document Information

Modified date:
09 September 2021