IBM Support

PI92330: CWWKS2910E ERROR WHEN USING DYNAMIC ROUTING IN LIBERTY PROFILE ON Z/OS WITH SAF SECURITY

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When using dynamic routing with SAF security requests may
    fail
    with the following error:
    
    com.ibm.ws.security.saf.SAFException:
    CWWKS2910E: SAF service WAS_INTERNAL did not succeed. SAF
    return code 0xffffffff. RACF return code 0xffffffff. RACF
    reason code 0xffffffff. Internal error code 0x00000001.
    
    This happens because the certificate mapping is incorrect
    and
    instead of mapping a cert to an ID, the DN is passed to the
    security code for authentication.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty for z/OS - Virtual           *
    *                  Enterprise / IM Component                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: CWWKS2910E error when using             *
    *                      dynamicRouting-1.0 feature with a SAF   *
    *                      user registry on WebSphere Liberty for  *
    *                      z/OS                                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When WebSphere Liberty for z/OS is configured to use both the
    dynamicRouting-1.0 feature and a SAF user registry, the dynamic
    routing functions will not work and the following FFDC will be
    produced:
    
    CWWKS2910E: SAF service WAS_INTERNAL did not succeed. SAF return
    code 0xffffffff. RACF return code 0xffffffff. RACF reason code
    0xffffffff. Internal error code 0x00000001.
    	at
    com.ibm.ws.security.saf.SAFServiceResult.getSAFException(SAFServ
    iceResult.java:277)
    	at
    com.ibm.ws.security.saf.SAFServiceResult.throwSAFException(SAFSe
    rviceResult.java:269)
    	at
    com.ibm.ws.security.credentials.saf.internal.SAFCredentialsServi
    ceImpl.createAssertedCredentialToken(SAFCredentialsServiceImpl.j
    ava:543)
    	at
    com.ibm.ws.security.credentials.saf.internal.SAFCredentialsServi
    ceImpl.createAssertedCredential(SAFCredentialsServiceImpl.java:4
    91)
    	at
    com.ibm.ws.security.credentials.saf.internal.SAFCredentialsServi
    ceImpl.setCredential(SAFCredentialsServiceImpl.java:929)
    	at
    com.ibm.ws.security.credentials.internal.CredentialsServiceImpl.
    setCredentials(CredentialsServiceImpl.java:77)
    	at
    com.ibm.ws.security.authentication.internal.jaas.modules.ServerC
    ommonLoginModule.setPrincipalAndCredentials(ServerCommonLoginMod
    ule.java:154)
    	at
    com.ibm.ws.security.authentication.jaas.modules.CertificateLogin
    Module.addCredentials(CertificateLoginModule.java:253)
    	at
    com.ibm.ws.security.authentication.jaas.modules.CertificateLogin
    Module.handleCertificateAuthenticator(CertificateLoginModule.jav
    a:187)
    	at
    com.ibm.ws.security.authentication.jaas.modules.CertificateLogin
    Module.login(CertificateLoginModule.java:109)
    

Problem conclusion

  • Code was incorrectly attempting to map the certificate to a z/OS
    User. The code has been corrected.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI92330

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-11

  • Closed date

    2018-03-27

  • Last modified date

    2018-03-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"850","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
17 June 2020