IBM Support

PI40885: The "SAFRunAs" directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • SAFRunAs can fail under some RACF configurations with the
    following message:
    
    (163)EDC5163I SAF/RACF extract error. (errno2=0x0BE80820): ... S
    authentication failure for "/URL": SAFRunAs failure on switching
    SAF UID from Authorization header using ...
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server (powered           *
    *                  by Apache) on z/OS                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: In some SAF configurations, the         *
    *                      SAFRunAs directive implicitly requires  *
    *                      access to the OMVSAPPL resource class.  *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if you want to use SAFRunAs  *
    *                  with users who do not have access to        *
    *                  the OMVSAPPL resource class.                *
    ****************************************************************
    IBM HTTP Server uses pthread_security_np() to change the
    effective userid on the request processing thread for a
    request configured with SAFRunAs. pthread_security_np() in
    some SAf configurations checks the OMVSAPPL class.
    

Problem conclusion

  • A new directive, SAFAPPLID, was added to override the default
    "OMVSAPPL" application ID (APPLID). For more information on SAF
    application IDs, consult the z/OS manual for
    pthread_security_applid_np().
    
    This fix will be included in IBM HTTP Server fixpacks:
     - 8.5.5.9
     - 8.0.0.12
    
    (This APAR was initially delivered in earlier fixpacks, but due
    a programming error the opt-in directive was not accepted)
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI40885

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-12

  • Closed date

    2015-05-26

  • Last modified date

    2016-09-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022