IBM Support

PK68681: FIX CREDENTIALS REQUIRED FOR THE THREAD DURING TRANSACTION RECOVERY


APAR status

  • Closed as program error.

Error description

  • Fix credentials required for the thread during transaction
    recovery (for V6.0.2)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  Java DataBase Connectivity (JDBC) and J2EE  *
    *                  Connector Architecture (JCA)                *
    *                                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A RoleBasedAppException occurs during   *
    *                      transaction recovery indicating the     *
    *                      thread lacks the required accessId of   *
    *                      the caller.                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A RoleBasedAppException occurs during transaction recovery,
    indicating that the thread lacks the required accessId of the
    caller.  The exception prevents the transaction from recovering.
    The RoleBasedAppException occurs because the thread performing
    transaction recovery lacks the accessId, which the user
    presumably mapped to an Administrative security role, needed to
    read (monitor) the server configuration.  The exception occurs
    while the connection manager determines whether a resource
    provider is installed on the server.  Here is an example of a
    RoleBasedAppException that may occur:
    
    [8/16/07 10:26:18:413 EEST] 00000086 RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method queryConfigObjects:com.ibm.websphere.management.Session:javax.management.ObjectName:javax.management.ObjectName:javax.management.QueryExp on resource ConfigService and module ConfigService. The stack trace is
    java.lang.Exception: Invocation and received credentials are both null
     at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAuthorizerImpl.java:251)
     at com.ibm.ws.management.configservice.ConfigServiceServerProxy.securityCheck(ConfigServiceServerProxy.java:1022)
     at com.ibm.ws.management.configservice.ConfigServiceServerProxy$10.run(ConfigServiceServerProxy.java:406)
     at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java(Compiled Code))
     at com.ibm.ws.management.configservice.ConfigServiceServerProxy.queryConfigObjects(ConfigServiceServerProxy.java:401)
     at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(RALifeCycleManagerImpl.java:2688)
     at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAResource(ASXAResourceFactoryImpl.java:85)
     at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTAXAResourceImpl.java:604)
     at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXAResourceImpl.java:300)
     at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcome(RegisteredResources.java:1961)
     at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOutcome(RegisteredResources.java:2464)
     at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm(TransactionImpl.java:5146)
     at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code))
     at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471).
    [8/16/07 10:26:18:414 EEST] 00000086 RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation ConfigService:queryConfigObjects:com.ibm.websphere.management.Session:javax.management.ObjectName:javax.management.ObjectName:javax.management.QueryExp. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: administrator, operator, monitor, configurator.
    [8/16/07 10:26:18:415 EEST] 00000086 RALifeCycleMa E J2CA0154E: The method queryConfigObjects on class ConfigService returned the following exception:
    com.ibm.websphere.management.exception.ConfigServiceException: com.ibm.ws.security.role.RoleBasedAppException: ADMN0022E: Access is denied for the queryConfigObjects operation on ConfigService MBean because of insufficient or empty credentials.
     at com.ibm.ws.management.configservice.ConfigServiceServerProxy$10.run(ConfigServiceServerProxy.java:408)
     at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java(Compiled Code))
     at com.ibm.ws.management.configservice.ConfigServiceServerProxy.queryConfigObjects(ConfigServiceServerProxy.java:401)
     at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(RALifeCycleManagerImpl.java:2688)
     at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAResource(ASXAResourceFactoryImpl.java:85)
     at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTAXAResourceImpl.java:604)
     at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXAResourceImpl.java:300)
     at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcome(RegisteredResources.java:1961)
     at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOutcome(RegisteredResources.java:2464)
     at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm(TransactionImpl.java:5146)
     at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code))
     at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
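
A triage check for the log signature above, as an added example that is not IBM's code: it groups WebSphere log entries by thread ID and separates SECJ0305I denials for UNAUTHENTICATED that carry this APAR's transaction-recovery frames from denials that do not, which deserve a closer look. The sample log is constructed (thread 00000086 is shortened from the trace above, thread 00000041 is invented), and the function names and verdict strings are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: thread 00000086 is the page's trace with wrapped lines rejoined and
# messages/stacks shortened; thread 00000041 is invented to show a non-recovery denial.
SAMPLE_LOG = """\
[8/16/07 10:26:18:413 EEST] 00000086 RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread.
 at com.ibm.ws.management.configservice.ConfigServiceServerProxy.queryConfigObjects(ConfigServiceServerProxy.java:401)
 at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(RALifeCycleManagerImpl.java:2688)
 at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTAXAResourceImpl.java:604)
[8/16/07 10:26:18:414 EEST] 00000086 RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation ConfigService:queryConfigObjects. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: administrator, operator, monitor, configurator.
[8/16/07 10:26:18:415 EEST] 00000086 RALifeCycleMa E J2CA0154E: The method queryConfigObjects on class ConfigService returned the following exception:
[8/16/07 10:31:02:101 EEST] 00000041 RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation ConfigService:queryConfigObjects. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: administrator, operator, monitor, configurator.
"""

# "[timestamp] threadId component level MSGID:" as seen in the trace on this page.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<comp>\S+)"
                    r"\s+(?P<lvl>[A-Z])\s+(?P<code>[A-Z0-9]{4}\d{4}[A-Z]):")
# Frames that tie the config read to the connection manager acting for transaction recovery.
RECOVERY_FRAMES = ("com.ibm.ws.Transaction.JTA.", "RALifeCycleManagerImpl.isProviderInstalled")

def parse_entries(text):
    """Attach continuation and stack lines to the header line that precedes them."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": [line]})
        elif entries:
            entries[-1]["body"].append(line.strip())
    return entries

def classify_threads(text):
    """Return {thread_id: verdict} for threads that logged an UNAUTHENTICATED admin denial."""
    threads = defaultdict(lambda: {"codes": set(), "denied": False, "recovery": False})
    for e in parse_entries(text):
        t, body = threads[e["thread"]], "\n".join(e["body"])
        t["codes"].add(e["code"])
        if e["code"] == "SECJ0305I" and "UNAUTHENTICATED" in body and "queryConfigObjects" in body:
            t["denied"] = True
        if all(frame in body for frame in RECOVERY_FRAMES):
            t["recovery"] = True
    verdicts = {}
    for tid, t in threads.items():
        if t["denied"]:
            hit = t["recovery"] and {"SECJ0306E", "J2CA0154E"} <= t["codes"]
            verdicts[tid] = "PK68681 recovery signature" if hit else "review: unauthenticated admin call"
    return verdicts
```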
    

Problem conclusion

  • This is a backport of APAR PK52057. PK52057 makes the
    following change: modify the connection manager to associate
    the required accessId with the thread when reading the server
    configuration during transaction recovery.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 6.0.2.33.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK68681

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    60I

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-07-08

  • Closed date

    2008-09-29

  • Last modified date

    2008-09-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP

Document Information

Modified date:
29 September 2008