IBM Support

PI88583: IN WEBSPHERE LIBERTY 17.0.0.X ,JAVA BATCH EXECUTOR FAILS WITH CWWKS0800E ERROR

Fixes are available

17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In WebSphere Application erver Liberty Core 17.0.0.2,java
    batch
    multi JVM setup,initiating a batch job via the batch
    dispatcher
    is successful.The dispatcher puts the request on the JMS
    queue
    for an executor but when the executor reads the message it
    is
    failing with the following exception:
    
    CWWKS0800E: An authentication error occurred while
    recreating
    the  subjects of the deserialized security context. The
    exception is: unable to find LoginModule class:
    com.ibm.ws.kernel.boot.security.LoginModuleProxy cannot be
    found by com.ibm.ws.jbatch.jms_1.0.17.
    cl170220170523-1818. As a result, the unauthenticated
    subject
    will be used for this security context.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty- Batch                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Failure (CWWKS0800E) to build a valid   *
    *                      security Subject in a batch executor    *
    *                      server upon consuming a batch job (or   *
    *                      partition) dispatch JMS message         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Some background:  when the batchManagement feature is used in a
    multiple server topology, jobs (or partitions) may be dispatched
    to a JMS queue by a server which (in this context) we call a
    "dispatcher" server, where the messages will be consumed other
    servers in the domain which (in this context), we call the
    "executor" server(s).    The dispatcher performs a batch-
    specific authorization check against the "submitter" of the job,
    and then serializes the credentials into the JMS message that it
    puts on the dispatcher queue.
    
    In certain cases, the "executor" server consuming the message is
    unable to deserialize the security context from the JMS dispatch
    message and thus unable to build a valid Subject within the
    executor server.
    
    An initial CWWKS0800E error message is seen looking like:
    
         CWWKS0800E: An authentication error occurred while
    recreating the subjects of the deserialized security context.
    The exception is: unable to find LoginModule class:
    com.ibm.ws.kernel.boot.security.LoginModuleProxy cannot be found
    by com.ibm.ws.jbatch.jms_1.0.17...........  As a result, the
    unauthenticated subject will be used for this security context.
    This deserialization error would typically be followed by a
    batch authorization error, since now there are no credentials in
    the executor server.
    
       javax.batch.operations.JobSecurityException: CWWKY0303W: User
    null is not authorized to perform any batch operations.
    	at
    com.ibm.ws.jbatch.security.impl.WSBatchAuthServiceImpl.authorize
    dInstanceRead(WSBatchAuthServiceImpl.java:165)
    	at
    com.ibm.jbatch.container.ws.impl.WSJobRepositoryImpl.authorizedI
    nstanceRead(WSJobRepositoryImpl.java:203)
    	at
    com.ibm.jbatch.container.ws.impl.WSJobRepositoryImpl.getJobInsta
    nce(WSJobRepositoryImpl.java:166)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:62)
    	at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at
    com.ibm.ws.context.service.serializable.ContextualInvocationHand
    ler.invoke(ContextualInvocationHandler.java:77)
    	at
    com.ibm.ws.context.service.serializable.ContextualInvocationHand
    ler.invoke(ContextualInvocationHandler.java:98)
    	at com.sun.proxy.$Proxy77.getJobInstance(Unknown Source)
    	at
    com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener
    .handleStartRequest(BatchJmsEndpointListener.java:524)
    	at
    com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener
    .processMessage(BatchJmsEndpointListener.java:279)
    	at
    com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener
    .onMessage(BatchJmsEndpointListener.java:234)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:62)
    	at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at
    com.ibm.ws.jbatch.jms.internal.listener.impl.MessageEndpointHand
    ler.invokeJMSMethod(MessageEndpointHandler.java:354)
    	at
    com.ibm.ws.jbatch.jms.internal.listener.impl.MessageEndpointHand
    ler.invoke(MessageEndpointHandler.java:338)
    	at com.sun.proxy.$Proxy41.onMessage(Unknown Source)
    
    This seems more likely to occur in cases where the executor is
    consuming a message that originated (was "dispatched") from
    another server or from an earlier instance (prior to recycle) of
    itself, (in other words from another JVM instance).
    
    It also has been observed in particular when using Apache
    ActiveMQ as the JMS provider.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI88583

  • Reported component name

    WAS LIBERTY COR

  • Reported component ID

    5725L2900

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-10-09

  • Closed date

    2017-10-16

  • Last modified date

    2017-10-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS LIBERTY COR

  • Fixed component ID

    5725L2900

Applicable component levels

  • R855 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
19 October 2021