PK97690: AUTHENTICATION OF USERID CONNECTED TO A LARGE GROUP MAY RECEIVE:SECJ0347E COULD NOT GET THE NAME OF THE GROUP WHOSE UNIQUEID IS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When a user is being authenticated by WebSphere for z/OS, if the
  default group of the user is large (has many userids connected
  to it), then the incoming request to may fail with the following
  error:
  
  Trace: 2009/01/22 21:28:33.724 01 t=8BB748 c=UNK key=S2
  (13007002)
    ThreadId: 00000059
    FunctionName: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
    SourceId: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
    Category: SEVERE
    ExtendedMessage: BBOO0220E: SECJ0347E: Could not get the name
  of the group whose uniqueId is <group_name>.
  
  <group_name> is the default group that the userid being
  authenticated is connected to.
  
  If tracedetail=E is enabled, an earlier trace entry will show
  that the group could not be validated:
  
  Trace: 2009/01/24 20:55:33.825 01 t=8BBE88 c=UNK key=S2
  (0E025012)
    Description: bbosssur isValidGroup return
    isValid: 0
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of IBM WebSphere Application       *
  *                 Server V7.0                                  *
  ****************************************************************
  * PROBLEM DESCRIPTION: When using SAF (System Authorization    *
  *                      Facility) as the registry for           *
  *                      WebSphere Application Server on z/OS,   *
  *                      and groups sizes in the registry        *
  *                      exceed approximately 675 members,       *
  *                      users may see the  SECJ0347E message.   *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  WebSphere Application Server was not using a large enough
  buffer to store the SAF result when groups were large.
  

Problem conclusion

• WebSphere Application Server has been modified to handle large
  groups via an environment variable, allow_large_SAF_groups,
  which can be set at the administration console by navigating
  to Environment - WebSphere Environment Variables - new, and
  setting one of the following values:
  
  1, which is triple the default buffer size, to 24576 from 8192
  any value up to the max value of 2147483647
  
  APAR PK97690 requires changes to documentation
  
  NOTE: Periodically, we refresh the documentation on our
  Web site, so the changes might have been made before you
  read this text To access the latest on-line
  documentation, go to the product library page at:
  
  http://www.ibm.com/software/webservers/appserv/library
  
  Changes to the WebSphere Application Server Version 7.0
  Information Center will be made available.
  
  The following description of the new application server
  environment variable allow_large_SAF_groups
  will be added to the topic "Application server custom
  properties that are unique for the z/OS platform."
  
  allow_large_SAF_groups
  
  Specifies that you want to allow the application server to do
  lookups on large SAF groups.
  
  When this property is set to one, the size of the buffer that
  is used to do lookups is tripled from 8192 bytes to 24576 bytes.
  
  
  
  When this property is not set, the buffer size is 8192 bytes.
  You can also set this property to a specific number of bytes
  up to and including 2147483647. If you specify an integer other
  than one as the value for this property, the buffer size
  becomes
  that number of bytes. For example, if you specify
  allow_large_SAF_groups=21400000, the size of the buffer used to
  do lookups on SAF groups is 21400000 bytes.
  
  Data Type                                  Integer
  Range                                      1 - 2147483647
  Default                                    0
  
  APAR PK97690 is currently targeted for inclusion in Service
  Level (Fix Pack) 7.0.0.9 of WebSphere Application Server
  V7.0
  
  Please refer to URL:
  //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
  for Fix Pack availability.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PK84247

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBSPHERE FOR Z

• Fixed component ID

  5655I3500

Applicable component levels

• R500 PSN

     UP

• R601 PSN

     UP

• R610 PSN

     UP

• R700 PSY UK55133

     UP10/03/26 P F003

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.