IBM Support

PM32461: DSRA7028E: YOU CANNOT USE THE TRUSTEDCONNECTIONMAPPING LOGIN CONFIGURATION WHEN THE THREADIDENTITY PROPERTY IS ENABLED.

Fixes are available

7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
8.0.0.1: WebSphere Application Server V8.0 Fix Pack 1
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
8.0.0.2: WebSphere Application Server V8.0 Fix Pack 2
8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.


APAR status

  • Closed as program error.

Error description

  • 1) The DSRA7028E message occurs under this type of setup:
    
    Two applications are configured to use the same DB2 type 2
    datasource in WebSphere.
    
    The DB2 type 2 datasource is configured to use DB2 Trusted
    Context, and both applications' resource references are
    configured to use DB2 Trusted Context.
    
    For example:
    ---------------------------------------------------
    Data sources > DB2 Universal JDBC Driver DataSource
    Mapping-configuration alias = TrustedConnectionMapping
    alias USER1/USER1
    
    Enterprise Applications > AppName > Resource references
    Authentication method:
    TrustedConnectionMapping
    Authentication data entry:
    SY1/USER1
    
    and
    
    Enterprise Applications > AppName > Resource references
    Authentication method:
    TrustedConnectionMapping
    Authentication data entry:
    SY1/USER1
    ----------------------------------------------------------
    
    The first application works correctly in that a DB2 Trusted
    connection is made under identity USER1, and the Java identity
    (i.e. USER2) on the Java thread is used to access tables in DB2.
    
    An example DB2 display thread shows:
    ------------------------
    NAME     ST A   REQ ID           AUTHID   PLAN     ASID TOKEN
    DB2CALL  N        1              IBMUSER           0030     0
    RRSAF    TD      13 BBOS001S     USER2    ?RRSAF   004B    48
    V485-TRUSTED CONTEXT=CTX1,
    SYSTEM AUTHID=USER1,
    ROLE=*
    DISPLAY ACTIVE REPORT COMPLETE
    ------------------------
    
    Invoking the second application that shares the datasource
    results in the following message.
    
    DSRA7028E: You cannot use the TrustedConnectionMapping login
    configuration when the ThreadIdentity property is enabled.
    
    2) The following symptoms can be noticed in the trace when
    the datasource is configured with a container-managed alias,
    but still thread identity gets picked up, which can lead to
    SQLCODE = -551, SQLSTATE = 42501 when DB2 is used as the
    database server.
    
      FunctionName: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper
      SourceId: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper
      Category: FINEST
      ExtendedMessage: finalizeSubject(): No user identity was
    specifed. User identity has been defaulted to current thread
    identity
    ...
    ...
    [jcc][50053][12311][4.8.108] T2zOS exception:
    [jcc][T2zos]T2zosPreparedStatement.readPrepareDescribeOutput_:na
    tivePrepareInto:1563: DB2 engine SQL error, SQLCODE = -551,
    SQLSTATE = 42501,
    
    Another symptom of this problem (in a setup without DB2
    trusted context) is that when two applications use the same
    datasource, the container-managed authentication alias does not
    get picked up, and the thread identity is used instead.
    

Local fix

  • Do not share the datasource between both applications.
    
    Create two datasources in WebSphere, and configure each
    application to use its own unique datasource.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V7.0                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: Thread identity gets picked up          *
    *                      incorrectly though a container          *
    *                      authentication alias is set             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When two applications share the same datasource, the WebSphere
    J2C code might skip certain initialization during the lookup of
    the datasource by the second application. As a result, the
    container alias that was defined might not get initialized, so
    the ThreadIdentitySecurityHelper code could not find the
    container authentication alias and the thread identity was
    picked up incorrectly.
    
    1) The following error message can be noticed when Trusted
    Connection Mapping was configured and thread identity gets
    picked up even when a container-managed alias is defined on the
    datasource.
    
    DSRA7028E: You cannot use the TrustedConnectionMapping login
    configuration when the ThreadIdentity property is enabled.
    
    2) The following messages can be noticed in the trace when
    the datasource is configured with a container-managed alias,
    but still thread identity gets picked up incorrectly which can
    lead to SQLCODE = -551, SQLSTATE = 42501 when DB2 is used as
    the database server.
    
    ExtendedMessage: finalizeSubject(): No user identity was
    specifed. User identity has been defaulted to current thread
    identity
    ...
    [jcc][50053][12311][4.8.108] T2zOS exception:
    [jcc][T2zos]T2zosPreparedStatement.readPrepareDescribeOutput_:na
    tivePrepareInto:1563: DB2 engine SQL error, SQLCODE = -551,
    SQLSTATE = 42501...
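
A log check for the two symptoms described above, as an added example that is not IBM code. It assumes a basic-format log whose records begin with `[timestamp] threadid`; the function names, the sample records and the correlation by thread id are assumptions made for illustration.

```python
import re

# Assumed record header: "[timestamp] 8-hex-thread-id ..."
HEADER = re.compile(r"^\[(?P<ts>\d+/\d+/\d+ [^\]]+)\]\s+(?P<tid>[0-9a-fA-F]{8})\s")
# Messages quoted in this APAR; \s* tolerates hard line wraps and
# "specif\w*" matches the spelling that appears in the trace ("specifed").
FALLBACK = re.compile(r"finalizeSubject\(\):\s*No user identity was\s+specif\w*")
DENIED = re.compile(r"SQLCODE\s*=\s*-551,\s*SQLSTATE\s*=\s*42501")
DSRA7028E = re.compile(r"\bDSRA7028E\b")

def records(text):
    """Yield (timestamp, thread_id, body), joining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m["ts"], m["tid"], [line[m.end():].strip()])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def scan(text):
    """Flag DSRA7028E, and -551 errors that follow a fallback on the same thread."""
    findings, fell_back = [], {}
    for ts, tid, body in records(text):
        if DSRA7028E.search(body):
            findings.append((ts, tid, "DSRA7028E"))
        if FALLBACK.search(body):
            fell_back[tid] = ts
        if DENIED.search(body) and tid in fell_back:
            findings.append((ts, tid, "thread-identity fallback then SQLCODE -551"))
            del fell_back[tid]
    return findings

# Constructed sample records (not taken from a real server log).
SAMPLE = """\
[2/11/11 10:15:02:101 EST] 0000002b ThreadIdentit 3   finalizeSubject(): No user identity was
specifed. User identity has been defaulted to current thread
identity
[2/11/11 10:15:02:140 EST] 0000003c SystemOut     O   DB2 engine SQL error, SQLCODE = -551, SQLSTATE = 42501
[2/11/11 10:15:02:187 EST] 0000002b SystemOut     O   [jcc][T2zos] DB2 engine SQL error, SQLCODE = -551,
SQLSTATE = 42501
[2/11/11 10:15:09:004 EST] 0000004d DSConfigHelpe E   DSRA7028E: You cannot use the TrustedConnectionMapping login
configuration when the ThreadIdentity property is enabled.
"""
```

A -551 with no preceding fallback on the same thread (thread 0000003c in the sample) is left unflagged, since it is more likely an ordinary missing privilege than this defect.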
    

Problem conclusion

  • WebSphere J2C code has been fixed so that the initialization
    happens properly and thread identity is not used when a
    container authentication alias is set.
    
    APAR PM32461 is currently targeted for inclusion in Service
    Level (Fix Pack) 7.0.0.19 of WebSphere Application Server V7.0.
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM32461

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-02-11

  • Closed date

    2011-03-23

  • Last modified date

    2011-10-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R700 PSY UK71280

       UP11/09/10 P F109

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 7.0

Reference #: PM32461

Modified date: 04 October 2011