Fixes are available
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
Customer is attempting to use SAFRunAs %%CLIENT%% to force requests to be issued under the userid used to log into the server. In certain configurations, like if the Alias is used, the attempt will resulted in ICH408I errors issued against the HTTP Server UserId rather than the userid used to log into the server. Errorlog will show (111)EDC5111I Permission denied. (errno2=0xEF076015)
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: Customers using IBM HTTP Server's * * SAFRunAs directive with the %%CLIENT%% * * argument. * **************************************************************** * PROBLEM DESCRIPTION: A 403 is displayed when requesting a * * resource inaccessible to the * * webserver user, but accessible to the * * saf user. * **************************************************************** * RECOMMENDATION: Apply this fix if receving ICH408I errors * * for * * requests with SAFRunAs * **************************************************************** Some early directory access checking is done by IHS before the SAF user switch. That means if a directory is inaccessible by the user the webserver runs as, access will be denied before mod_authnz_saf ever gets a chance to switch to a user who might be able to access it. This can emit various errors in the access log - generally in the theme that access to a directory was denied.
Problem conclusion
This fix adds a directive, SAFRunAsEarly, which makes authnz_saf authenticate and switch users very early during request processing. Note that SAFRunAsEarly must be placed in a <location> block, and has no effect in <directory> blocks. This applies only to SAFRunAs %%CLIENT%%. Other methods are unchanged. This fix is targeted for IBM HTTP Server fix packs: - 7.0.0.41 - 8.0.0.12 - 8.5.5.8 - 9.0.0.0-PI49954
Temporary fix
Comments
APAR Information
APAR number
PI45005
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
85P
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-07-15
Closed date
2015-08-28
Last modified date
2015-10-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
28 April 2022