IBM Support

PI46156: ICH408I AS THE SERVANT USERID ATTEMPTS TO CREATE AND DELETE THE OAUTH20 DIRECTORY.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • After the introduction of oauth20 support into WebSphere 8.0
    customer is receiving consistent RACF failures during servant
    initialisation as the servant userid attempts to create and
    delete the oauth20 directory:
    ICH408I USER(KTSYSI3B) GROUP(@YSI3B0 ) NAME(WAS AS T1A02 I3B0)
    /var/KTS/T1A02/AppServer/profiles/default/config/cells/zosCET1A0
    2/oauth20.
    CL(DIRACC  ) FID(C3C8C6F0F0F439530000000006891A85)
    INSUFFICIENT AUTHORITY TO MKDIR
    ACCESS INTENT(-W-)  ACCESS ALLOWED(GROUP ACL  R-X)
    EFFECTIVE UID(0000004706)  EFFECTIVE GID(0000005206)
    .
    Customer does not allow the userid to write to the root of the
    WebSphere cell directory, so need a mechanism to re-direct
    the location of this directory.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All IBM WebSphere Application Server        *
    *                  administrators                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Error appears in log when OAuth TAI     *
    *                      startup process attempts to create      *
    *                      oauth20 directory                       *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The OAuth Trust Association Interceptor (TAI) startup
    processing requires write access to the
    (user.install.root)/config/cells/(cellName) directory.  In
    that directory, it creates a directory called oauth20.  Errors
    will appear in the log if the startup process is unable to
    access this directory.  If an application server is not
    configured to use the OAuth TAI, this should not be an error.
    

Problem conclusion

  • The OAuth TAI startup process is run whether the OAuth TAI is
    configured or not.  The OAuth TAI startup process does not
    need to run if either the OAuth TAI is not configured or TAI
    processing is not enabled.
    
    The OAuth TAI is updated so that its startup process will only
    run if TAI processing is enabled and the OAuth TAI is
    configured.
    
    APAR PI46156 is currently targeted for inclusion in WebSphere
    Application Server Fix Packs 8.0.0.13, and 8.5.5.10.
    
    In addition, sysroute APAR PI60762 will deliver the fix in
    WebSphere Application Server V7.0 Fix Pack 7.0.0.43.
    
    Please refer to the Recommended Updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    In addition, please refer to URL:
    http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack PTF information.
    
    Keywords: IBMWL3WSS, OAUTH
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI46156

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-08-03

  • Closed date

    2016-04-13

  • Last modified date

    2016-04-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI60762

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 800

Reference #: PI46156

Modified date: 13 April 2016