APAR status
Closed as documentation error.
Error description
1) Description: MDM does not honor permissions on groups whose name contains a slash, for example "access/wagroup", where the environment is configured to authenticate via OpenID.
2) L3 Analysis Update:
Public Credential: com.ibm.ws.security.credentials.wscred.WSCredentialImpl@3e58b447,realmName=xxxx,securityName=xxxxxxxx.xxxxxx@xxx.com,realmSecurityName=xxxx/xxxxxxxxx.xxxxx@xxx.com,uniqueSecurityName=xxxxxxxxx.xxxxx@xxx.com,primaryGroupId=null,accessId=user:xxxxx/xxxxxxxx.xxxxx@xxx.com,groupIds=[group:xxxx/xxx/ E group:wagroup/Access / TEST XXXXXXXX XXXXXX, group:wagroup/test-all-parties, group:wagroup/access/testing, group:wagroup/Access / TestNet Operations Test Extension, group:wagroup/Access / TestNet Operations Testing Test, group:TestNet/TestNet Users, group:TestNet/Access / TestNet Operations End User Portal]
From this credential it is possible to notice that Liberty internally manages groups using the following format: group:<realm_name>/<group_name>
When retrieving credentials from Liberty, the WA product parses the returned list of groups while assuming that they are in that format. This means that each group entry is parsed and split on the ":" and "/" characters.
Therefore, if the group name (or the realm name, or both) also contains a "/" character, the parsing fails.
Local fix
1) Insert additional documentation details in the following Workload Scheduler 10.2.X documentation links:
- HWA 10.2.0 link - https://help.hcl-software.com/workloadautomation/v102/distr/src_pi/awspicreatewauser.html
- HWA 10.2.0 link - https://help.hcl-software.com/workloadautomation/v102/distr/src_pi/awspicreatewauser_DDM.html?hl=create%2C
- IWA 10.2.0 link - https://www.ibm.com/docs/en/workload-automation/10.2.0?topic=1020x-creating-workload-scheduler-administrative-user wauser
- HWA 10.2.1 link - https://help.hcl-software.com/workloadautomation/v1021/distr/src_pi/awspicreatewauser.html
- HWA 10.2.1 link - https://help.hcl-software.com/workloadautomation/v1021/distr/src_pi/awspicreatewauser_DDM.html
- IWA 10.2.1 link - https://www.ibm.com/docs/en/workload-automation/10.2.1?topic=102x-creating-workload-scheduler-administrative-user
- HWA 10.2.2 link - https://help.hcl-software.com/workloadautomation/v1022/distr/src_pi/awspicreatewauser.html
- HWA 10.2.2 link - https://help.hcl-software.com/workloadautomation/v1022/distr/src_pi/awspicrtwauserupgrDDM.html
- IWA 10.2.2 link - https://www.ibm.com/docs/en/workload-automation/10.2.1?topic=102x-creating-workload-scheduler-administrative-user
2) Insert additional details under the current section in each link:
On UNIX and Linux operating systems: This user account must be created manually before running the installation and must be enabled to log in to the machine where the master domain manager is going to be installed. Create a user with a home directory and group. Use the appropriate UNIX and Linux operating system commands to create the user.
3) The documentation update should include:
Known limitation: group names that contain a slash (/) can cause permissions to not be set properly.
- Liberty internally manages groups using the following format: group:<realm_name>/<group_name>
- When the HWA product retrieves the credentials from Liberty, it parses the returned list of group names assuming that they are in that format, meaning that each group entry is split on the ":" and "/" characters. Therefore, if the group name (or the realm name, or both) also contains a "/" character, the parsing fails.
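The following is an added example, not code from the APAR or from the Workload Automation or Liberty products; it reproduces the parsing defect described in the error description and in the documentation note above on constructed group identifiers shaped like the masked ones in the credential dump. A parser that splits on every ":" and "/" rejects "group:wagroup/access/testing", so a permission assigned to that group is never matched, while a parser that treats only the first "/" after the realm as the separator recovers the group name (assuming realm names contain no "/").

```python
# Added example (not IBM/HCL product code). Constructed group identifiers in the
# format the APAR describes for Liberty credentials: group:<realm_name>/<group_name>
from typing import Callable, List, Optional, Tuple

ParsedGroup = Optional[Tuple[str, str]]

def parse_group_naive(entry: str) -> ParsedGroup:
    """Split on ':' and '/' as the APAR says the WA product does.
    Works only when the entry contains exactly one '/'. A group name such as
    'access/testing' yields three pieces, so the entry is rejected (None) and
    any permission assigned to that group is silently not honored."""
    kind, _, rest = entry.partition(":")
    if kind != "group":
        return None
    parts = rest.split("/")
    if len(parts) != 2:
        return None
    return parts[0], parts[1]

def parse_group_first_slash(entry: str) -> ParsedGroup:
    """Treat only the first '/' after 'group:' as the realm/group separator.
    Assumption: realm names contain no '/'. The APAR notes the realm itself may
    contain one; that case stays ambiguous under any split-based parse."""
    if not entry.startswith("group:"):
        return None
    realm, sep, group = entry[len("group:"):].partition("/")
    if not sep or not realm or not group:
        return None
    return realm, group

def is_member(group_ids: List[str], realm: str, group: str,
              parser: Callable[[str], ParsedGroup]) -> bool:
    """True if any credential group entry resolves to (realm, group)."""
    return any(parser(e) == (realm, group) for e in group_ids)

# Constructed sample groupIds, shaped like the masked list in the APAR credential.
SAMPLE_GROUP_IDS = [
    "group:wagroup/test-all-parties",
    "group:wagroup/access/testing",
    "group:wagroup/Access / TestNet Operations Test Extension",
    "group:TestNet/TestNet Users",
]

if __name__ == "__main__":
    for p in (parse_group_naive, parse_group_first_slash):
        print(p.__name__, is_member(SAMPLE_GROUP_IDS, "wagroup", "access/testing", p))
```

Note that the space-padded "Access / TestNet ..." entries in the credential dump break the naive split in the same way, since the extra "/" is what matters, not its position in the name.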
Problem summary
The documentation will be modified to fix the problem
Problem conclusion
The fix for the APAR will be delivered in 10.2.3 documentation
Temporary fix
Comments
APAR Information
APAR number
IJ51949
Reported component name
WORKLOAD AUTOMA
Reported component ID
5725G8000
Reported release
A20
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-07-31
Closed date
2024-11-18
Last modified date
2024-11-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Business Unit: IBM Software (BU048); Product: IBM Workload Automation (SS8GJD); Platform: Platform Independent (PF025); Version: A20; Line of Business: IT Automation & App Modernization (LOB67)
Document Information
Modified date:
18 November 2024