Fixes are available
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4
APAR status
Closed as program error.
Error description
In WebSphere Application erver Liberty Core 17.0.0.2,java batch multi JVM setup,initiating a batch job via the batch dispatcher is successful.The dispatcher puts the request on the JMS queue for an executor but when the executor reads the message it is failing with the following exception: CWWKS0800E: An authentication error occurred while recreating the subjects of the deserialized security context. The exception is: unable to find LoginModule class: com.ibm.ws.kernel.boot.security.LoginModuleProxy cannot be found by com.ibm.ws.jbatch.jms_1.0.17. cl170220170523-1818. As a result, the unauthenticated subject will be used for this security context.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server Liberty- Batch * **************************************************************** * PROBLEM DESCRIPTION: Failure (CWWKS0800E) to build a valid * * security Subject in a batch executor * * server upon consuming a batch job (or * * partition) dispatch JMS message * **************************************************************** * RECOMMENDATION: * **************************************************************** Some background: when the batchManagement feature is used in a multiple server topology, jobs (or partitions) may be dispatched to a JMS queue by a server which (in this context) we call a "dispatcher" server, where the messages will be consumed other servers in the domain which (in this context), we call the "executor" server(s). The dispatcher performs a batch- specific authorization check against the "submitter" of the job, and then serializes the credentials into the JMS message that it puts on the dispatcher queue. In certain cases, the "executor" server consuming the message is unable to deserialize the security context from the JMS dispatch message and thus unable to build a valid Subject within the executor server. An initial CWWKS0800E error message is seen looking like: CWWKS0800E: An authentication error occurred while recreating the subjects of the deserialized security context. The exception is: unable to find LoginModule class: com.ibm.ws.kernel.boot.security.LoginModuleProxy cannot be found by com.ibm.ws.jbatch.jms_1.0.17........... As a result, the unauthenticated subject will be used for this security context. This deserialization error would typically be followed by a batch authorization error, since now there are no credentials in the executor server. javax.batch.operations.JobSecurityException: CWWKY0303W: User null is not authorized to perform any batch operations. at com.ibm.ws.jbatch.security.impl.WSBatchAuthServiceImpl.authorize dInstanceRead(WSBatchAuthServiceImpl.java:165) at com.ibm.jbatch.container.ws.impl.WSJobRepositoryImpl.authorizedI nstanceRead(WSJobRepositoryImpl.java:203) at com.ibm.jbatch.container.ws.impl.WSJobRepositoryImpl.getJobInsta nce(WSJobRepositoryImpl.java:166) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor Impl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod AccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.ibm.ws.context.service.serializable.ContextualInvocationHand ler.invoke(ContextualInvocationHandler.java:77) at com.ibm.ws.context.service.serializable.ContextualInvocationHand ler.invoke(ContextualInvocationHandler.java:98) at com.sun.proxy.$Proxy77.getJobInstance(Unknown Source) at com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener .handleStartRequest(BatchJmsEndpointListener.java:524) at com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener .processMessage(BatchJmsEndpointListener.java:279) at com.ibm.ws.jbatch.jms.internal.listener.BatchJmsEndpointListener .onMessage(BatchJmsEndpointListener.java:234) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor Impl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod AccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.ibm.ws.jbatch.jms.internal.listener.impl.MessageEndpointHand ler.invokeJMSMethod(MessageEndpointHandler.java:354) at com.ibm.ws.jbatch.jms.internal.listener.impl.MessageEndpointHand ler.invoke(MessageEndpointHandler.java:338) at com.sun.proxy.$Proxy41.onMessage(Unknown Source) This seems more likely to occur in cases where the executor is consuming a message that originated (was "dispatched") from another server or from an earlier instance (prior to recycle) of itself, (in other words from another JVM instance). It also has been observed in particular when using Apache ActiveMQ as the JMS provider.
Problem conclusion
The problem was resolved by adding package visibility to bundle manifests. The fix for this APAR is currently targeted for inclusion in fix pack 17.0.0.4. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI88583
Reported component name
WAS LIBERTY COR
Reported component ID
5725L2900
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-09
Closed date
2017-10-16
Last modified date
2017-10-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS LIBERTY COR
Fixed component ID
5725L2900
Applicable component levels
R855 PSY
UP
Document Information
Modified date:
04 May 2022