PI73345: DISTRIBUTED IDENTITY MAPPING NOT WORKING IN LIBERTY Z/OS

17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4

APAR status

• Closed as program error.

Error description

• RACMAP facility used to map distributed to SAF userid,
  
  WebSphere does not correctly  use the distributed do SAF
  mapping and throws exception
  "com.ibm.ws.security.saf.SAFException: CWWKS2907E:
  SAF Service IRRSIA00_CREATE does not succeed because user
  null
  has insufficient authority to access  application.    SAF
  return code 0x00000008. RACF return code 0x00000008. RACF
  reason code 0x00000020 .
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:  All users of IBM WebSphere Application      *
  *                  Server Liberty for z/OS - Security          *
  ****************************************************************
  * PROBLEM DESCRIPTION: When configuring the safRegistry        *
  *                      element in the server.xml file the      *
  *                      realm attribute may be ignored.         *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  When utilizing the safRegistry element in the server.xml file to
  configure SAF authentication or authorization a realm name is
  required. If the realm element is not present, defaults in SAF
  will be utilized. Here is an example of the safRegistry
  element:
  <safRegistry id="saf" realm="myrealm" />
  
  Here is the description of the realm attribute on the
  safRegistry element as found in our Knowledge Center:
  The realm associated with the SAF registry. If you do not
  specify a realm, the default is the plex name (ECVTSPLX). If the
  server is authorized to use the SAFCRED resources, then the
  default realm is read from the SAF product by extracting the
  APPLDATA field in the SAFDFLT profile under the REALM class. If
  that field is empty, then the default realm is used.
  
  If the realm attribute is specified, it should take precedence
  and we should not default to either the plex name or the
  APPLDATA. The problem is that if you actually specify the plex
  name on the realm attribute, we may incorrectly set/default the
  realm to the value found in the APPLDATA, instead of the value
  provided on the realm attribute.  Any value set in the realm
  attribute should always override any default value found in
  SAF.
  

Problem conclusion

• Code has been changed to ensure the safRegisty realm attribute
  always takes precedence over default values found in SAF.
  
  The fix for this APAR is currently targeted for inclusion in fix
  pack 17.0.0.3.  Please refer to the Recommended Updates page for
  delivery information:
  http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  LIBERTY PROF -

• Fixed component ID

  5655W6514

Applicable component levels

• RCD0 PSY

     UP