New JSSE support may require permission for new RACF profiles

 Flash (Alert)
 
Abstract
This issue affects servers configured to use Hardware Cryptography IBMJCECCA. After upgrade to WebSphere Application Server on z/OS V6.1 service level 6.1.0.23 and above (where Java™ 5 SR9 is shipped) or after migration to WebSphere Application Server on z/OS V7 service level 7.0.0.1 and above (where Java 6 SR3 is shipped), the server may fail to start.
 
Content
The following errors might be present in applyPTF.out or server output:


java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.ibm.ws.bootstrap.WSLauncher.main(WSLauncher.java:263)
Caused by: java.lang.RuntimeException: Hardware error from call CSNBRNG returnCode 8reasonCode 16000
at com.ibm.crypto.hdwrCCA.provider.SecureRandom.engineNextBytes(SecureRandom.java:97)
at java.security.SecureRandom.nextBytes(SecureRandom.java:433)
at java.security.SecureRandom.next(SecureRandom.java:455)
at java.util.Random.nextLong(Random.java:293)
at java.io.File.generateFile(File.java:1357)
at java.io.File.createTempFile(File.java:1466)
at java.io.File.createTempFile(File.java:1503)
at com.ibm.ws.console.plugin.core.HelpExtensionProcessor.generatePluginFromFragment(HelpExtensionProcessor.java:164)
...done running iscdeploy -restore


In the above message, the reason code 16000 means:
RACF failed your request to use this service.
User action: Contact your ICSF or RACF administrator if you need this service.

There is also this RACF error present:

ICH408I USER(DMGR ) GROUP(xxxxx ) NAME(WAS DMGR CR )
CSFRNGL CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
FROM * (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )


Java 5 SR9 and Java 6 SR3 shipped a new feature in the IBMJCECCA provider: if the CSNBRNGL service is available from ICSF, the provider calls the RNGL service. This was done to improve performance, since the RNGL service can generate more random bytes in a single call than the older CSNBRNG service.

As a result, permission may need to be added to new RACF profiles for the IBMJCECCA provider to work. You can add a generic profile using the following RACF commands:

SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSF* UACC(NONE)
PERMIT CSF* CLASS(CSFSERV) ID(xyz PUBLIC) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH

If you do not want to use wildcards and would rather give permission to individual profiles only, review this list of RACF profiles provided in the table under the following link:

http://www.ibm.com/servers/eserver/zseries/software/java/products/j6jcecca.html
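
For the per-profile route, the following Python script is an added example (not IBM's code) that reads ICH408I messages from saved server or syslog output and builds discrete CSFSERV commands for review instead of the CSF* generic grant. The sample log is constructed from the message shown above; the user WSSRV, the FACILITY denial and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the ICH408I text from this page, a repeat, and a made-up non-ICSF denial.
SAMPLE_LOG = """\
ICH408I USER(DMGR    ) GROUP(xxxxx   ) NAME(WAS DMGR CR         )
  CSFRNGL CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  FROM * (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
unrelated server output line
ICH408I USER(DMGR    ) GROUP(xxxxx   ) NAME(WAS DMGR CR         )
  CSFRNGL CL(CSFSERV )
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WSSRV   ) GROUP(xxxxx   ) NAME(CONSTRUCTED USER    )
  BPX.SERVER CL(FACILITY)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""
USER_RE = re.compile(r"ICH408I\s+USER\(\s*([^\s)]+)")
RES_RE = re.compile(r"^\s*(\S+)\s+CL\(\s*([^\s)]+)")
INTENT_RE = re.compile(r"ACCESS INTENT\(\s*([^\s)]+)")

def parse_denials(log_text):
    """Return unique (user, class, resource, intent) tuples from ICH408I messages."""
    denials, cur = [], None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            cur = {"user": m.group(1)}          # a new message starts here
        elif cur is None:
            continue                            # not inside an ICH408I message
        elif (m := RES_RE.match(line)) and "res" not in cur:
            cur["res"], cur["cls"] = m.group(1), m.group(2)
        elif (m := INTENT_RE.search(line)) and "res" in cur:
            rec = (cur["user"], cur["cls"], cur["res"], m.group(1))
            if rec not in denials:
                denials.append(rec)
            cur = None                          # message complete
    return denials

def permit_commands(denials, racf_class="CSFSERV"):
    """Per-profile RACF commands for review, as an alternative to a CSF* generic grant."""
    hits = [d for d in denials if d[1] == racf_class]
    # RDEFINE is only needed where the discrete profile does not exist yet.
    cmds = [f"RDEFINE {racf_class} {res} UACC(NONE)" for res in sorted({d[2] for d in hits})]
    cmds += [f"PERMIT {res} CLASS({racf_class}) ID({user}) ACCESS({intent})"
             for user, _, res, intent in hits]
    return cmds + [f"SETROPTS RACLIST({racf_class}) REFRESH"] if cmds else []

if __name__ == "__main__":
    print("\n".join(permit_commands(parse_denials(SAMPLE_LOG))))
```

The output only covers services that have already been denied and logged, so compare it with the profile table at the link above before issuing the commands.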

 
 
 

Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere Application Server for z/OS
 Java Security (JSSE/JCE)
 Operating system(s):
  z/OS
 Software version:
  6.1, 7.0
 Reference #:
  1399251
 IBM Group:
 Software Group
 Modified date:
 2009-10-14
