Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
When running an OTS transaction from a WebSphere application server to CICS with security enabled, the transaction will fail in the application server control region with the following error: BBOO0011W The function ZIOPChannelBridge::pending_inbound_response(ORB_Request *)+1086 received CORBA system exception CORBA::COMM_FAILURE. Error code is C9C26A37.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: Users of WebSphere Application Server V6.1 * * for z/OS who are using SAF authorization * * and using CSIv2 to communicate with CICS * * 3.2. or later. * **************************************************************** * PROBLEM DESCRIPTION: For CSIv2 communication between * * WebSphere Application Server and CICS * * 3.2 or later, the CICS server is * * expecting a SAF identity to be sent * * by the WAS server. However, even * * though the WAS server is configured * * to use local OS with SAF authorization, * * the default configuration uses an * * internally generated identity as the * * server identity. Therefore, it was this * * identity that was being sent to CICS, * * and resulting in a COMM_FAILURE error * * as it was not being recognized as a * * valid user. * **************************************************************** * RECOMMENDATION: * **************************************************************** The default security configuration for WebSphere is to use an automatically generated server identity, and not the started task identity that is defined in the SAF product. As a result, when trying to communicate over CSIv2 to CICS, the communication fails because the server identity is not a valid one.
Problem conclusion
A new security custom property has been defined, where the name is "com.ibm.ws.security.zOS.useSAFidForTransaction" and the value should be set to "true" in order to use a SAF identity for transactional security even though the security configuration is set to use the automatically generated server identity. APAR PK61863 requires changes to documentation. . NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library A change to the z/OS version of the WebSphere Application Server Version 6.1 Information Center will be made available. The topic "Security custom properties" will be updated to include the following description of the new com.ibm.ws.security.zOS.useSAFidForTransaction security custom property: com.ibm.ws.security.zOS.useSAFidForTransaction This property is used to enable a server to use the user identity for the z/OS started task as the server identity when calling transactional methods, such as commit(), and prepare(), that require the server identity. This behavior occurs regardless of the server identity setting for that server. For example, you might have a server that is configured to use the automatically generated server identity, which is not an actual identity stored in a user repository. However, this server needs to communicate with CICS 3.2, and CICS 3.2 requires SAF identities. If this property is set to true, the server uses a SAF identity to communicate with CICS instead of the automatically generated identity. Default false APAR PK61863 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.17 of WebSphere Application Server V6.1 for z/OS. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PK61863
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-02-28
Closed date
2008-04-30
Last modified date
2008-07-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R500 PSN
UP
R601 PSN
UP
R610 PSY UK36750
UP08/06/10 P F806
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
28 December 2021