IBM Support

PI96910: ICH ERROR MESSAGES ARE NOT ISSUED DURING LIBERTY STARTUP WHEN CHECKING FOR ACCESS TO BBG.SECPFX.* AND APPL PROFILES

APAR status

  • Closed as program error.

Error description

  • When Liberty is started and checks for access to the
    BBG.SECPFX.* and APPL profiles, failures are recorded in the
    Liberty log with messages like CWWKS2907E, but there are no
    related ICH messages.  Some users felt the lack of ICH messages
    made it harder to identify and diagnose these security
    configuration issues.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty for z/OS                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: ICH408I messages are not produced for   *
    *                      some Liberty authorization failures     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When Liberty is configured to use a SAF user registry, certain
    authorization failures will not cause an ICH408I message to be
    printed to the z/OS console and/or joblog.  This can make it
    harder for a SAF administrator to know which users require
    permission to which profiles in order to use Liberty.  The
    Liberty administrator must look at the Liberty logs for the
    messages produced by Liberty, and then interpret those for the
    SAF administrator.
    
    Conversely, there are certain optional features used by Liberty
    which generate authorization failures during the discovery
    process.  Printing ICH408I messages for these failures may lead
    a security administrator to think that certain privileges are
    required, when in fact they are not.
    
    The decision whether or not to print the ICH408I messages should
    be made by the Liberty administrator and the SAF administrator
    together.  Liberty provides no configuration to control whether
    these messages are printed.
    

Problem conclusion

  • Code was added to allow ICH408I messages to be printed in the
    following circumstances:
    1) Liberty server authorization failures while connecting to the
    angel process
    2) Liberty server authorization failures in the SERVER class,
    BBG.SECPFX.* profiles
    3) Liberty server authorization failures in the APPL class while
    validating the profile prefix
    
    A new JCL parameter, SAFLOG, can be set on the ANGEL proc, and
    controls whether authorization failure messages while connecting
    to the angel process are suppressed.  Setting SAFLOG=Y will
    allow ICH408I messages to be printed.
    
    A new attribute is added to the <safCredentials/> configuration
    in server.xml, named "suppressAuthFailureMessages".  The default
    value is "true" which suppresses ICH408I messages for
    authorization failures in the SERVER and APPL profiles mentioned
    in the problem summary.  When this value is changed to false,
    Liberty will not suppress the ICH408I messages that are
    generated when an authorization failure occurs.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.3.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
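
An added example, not IBM's code: a small audit that reads server.xml text and reports whether the suppressAuthFailureMessages attribute described above leaves ICH408I messages suppressed (the default) or printed. The sample configurations and the ${saf.suppress} variable name are constructed; the script does not follow include files or resolve variables, and it assumes the last explicit value wins when the element repeats.

```python
import xml.etree.ElementTree as ET

ATTR = "suppressAuthFailureMessages"

# Constructed server.xml samples for illustration (not taken from the APAR).
SAMPLES = {
    "default.xml": '<server><safRegistry id="saf"/>'
                   '<safCredentials profilePrefix="BBGZDFLT"/></server>',
    "audit.xml": '<server><safCredentials profilePrefix="BBGZDFLT" '
                 'suppressAuthFailureMessages="false"/></server>',
    # ${saf.suppress} is a hypothetical variable name.
    "variable.xml": '<server><safCredentials '
                    'suppressAuthFailureMessages="${saf.suppress}"/></server>',
}


def ich408i_state(server_xml):
    """Classify one server.xml: 'printed', 'suppressed' or 'unresolved'."""
    root = ET.fromstring(server_xml)
    value = "true"  # default stated in the APAR: ICH408I suppressed
    for elem in root.iter("safCredentials"):
        # Assumption: when the element repeats, the last explicit value wins.
        if ATTR in elem.attrib:
            value = elem.attrib[ATTR].strip()
    if value.lower() == "false":
        return "printed"
    if value.lower() == "true":
        return "suppressed"
    # ${variable} references or unexpected text cannot be decided offline.
    return "unresolved"


def audit(configs):
    """Map each config name to its ICH408I state."""
    return {name: ich408i_state(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLES).items()):
        print(f"{name}: ICH408I {state}")
```

A result of "unresolved" means the effective value has to be confirmed on the running server.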
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96910

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-18

  • Closed date

    2018-06-20

  • Last modified date

    2018-06-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • RCD0 PSY

       UP

Document Information

Modified date:
17 June 2020