IBM Support

PI46937: Security identity not propagated from batchManagerZos to batch exectuor in multi-server environment causes JobSecurityException

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The security identity of the user who invokes
    batchManagerZos is supposed to be used as the RunAs identity
    for he batch job running in the Liberty server.  In a
    multi-server batch environment, the batchManagerZos identity
    fails to get propagated over JMS from the batch dispatcher
    to the batch exectuor, where the job ultimately runs.
    Instead, the unauthenticated user is propagated, and the
    batch job runs under the unauthenticated user.  This may
    result in a JobSecurityException.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty Profile for z/OS             *
    ****************************************************************
    * PROBLEM DESCRIPTION: Security identity not propagated from   *
    *                      batchManagerZos to batch exectuor in    *
    *                      multi-server environment causes         *
    *                      JobSecurityException                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The security identity of the user who invokes batchManagerZos is
    supposed to be used as the RunAs identity for the batch job
    running in the Liberty server.  In a multi-server batch
    environment, the batchManagerZos identity fails to be propagated
    over JMS from the batch dispatcher to the batch exectuor where
    the job ultimately runs.  Instead, the unauthenticated user is
    propagated, and the batch job runs under the unauthenticated
    user.  This may result in a JobSecurityException.
    

Problem conclusion

  • The RunAs Subject for the batchManagerZos client identity was
    updated to contain the appropriate credentials so that the
    identity can be propagated over JMS.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.8.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI46937

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-08-14

  • Closed date

    2015-08-25

  • Last modified date

    2015-08-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
25 August 2015