PK52057: FIX CREDENTIALS REQUIRED FOR THE THREAD DURING TRANSACTION RECOVERY

Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

APAR status

• Closed as program error.

Error description

• Fix credentials required for the thread during TX recovery
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: IBM WebSphere Application Server users of    *
  *                 JDBC and JCA.                                *
  ****************************************************************
  * PROBLEM DESCRIPTION: A RoleBasedAppException occurs during   *
  *                      transaction recovery indicating the     *
  *                      thread lacks the required accessId of   *
  *                      the caller.  The exception causes the   *
  *                      transaction to not recover.             *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The RoleBasedAppException occurs because the thread performing
  tranaction recovery lacks the accessId, which the user
  presumably mapped to an Administrative security role, to read
  (monitor) the server configuration.  The exception occurs
  while the connection manager determines whether a resource
  provider is installed on the server.  Here is an example of a
  RoleBasedAppException that may occur:
  
  [8/16/07 10:26:18:413 EEST] 00000086 RoleBasedAuth E   SECJ0306E
  : No received or invocation credential exist on the thread. The
  Role based authorization check will not have an accessId of the
  caller to check. The parameters are: access check method
  queryConfigObjects:com.ibm.websphere.management.Session:
  javax.management.ObjectName:javax.management.ObjectName:
  javax.management.QueryExp on resource ConfigService and module
  ConfigService.
  The stack trace is
  java.lang.Exception: Invocation and received credentials are
  both null
   at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess
  (RoleBasedAuthorizerImpl.java:251)
   at com.ibm.ws.management.configservice.ConfigServiceServerProxy
  .securityCheck(ConfigServiceServerProxy.java:1022)
   at com.ibm.ws.management.configservice.ConfigServiceServerProxy
  $10.run(ConfigServiceServerProxy.java:406)
   at com.ibm.ws.security.util.AccessController.doPrivileged(Acces
  sController.java(Compiled Code))
   at com.ibm.ws.management.configservice.ConfigServiceServerProxy
  .queryConfigObjects(ConfigServiceServerProxy.java:401)
   at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(R
  ALifeCycleManagerImpl.java:2688)
   at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAReso
  urce(ASXAResourceFactoryImpl.java:85)
   at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTA
  XAResourceImpl.java:604)
   at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXARes
  ourceImpl.java:300)
   at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcom
  e(RegisteredResources.java:1961)
   at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOut
  come(RegisteredResources.java:2464)
   at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm(
  TransactionImpl.java:5146)
   at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code))
   at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471).
  [8/16/07 10:26:18:414 EEST] 00000086 RoleBasedAuth A   SECJ0305I
  : The role-based authorization check failed for admin-authz
  operation ConfigService:queryConfigObjects:com.ibm.websphere
  .management.Session:
  javax.management.ObjectName:javax.management.ObjectName:
  javax.management.QueryExp.
  The user UNAUTHENTICATED (unique ID: unauthenticated) was not
  granted any of the following required roles: administrator,
  operator, monitor, configurator.
  [8/16/07 10:26:18:415 EEST] 00000086 RALifeCycleMa E
  J2CA0154E: The method queryConfigObjects on class
  ConfigService returned the following exception:
  com.ibm.websphere.management.exception.ConfigServiceException:
  com.ibm.ws.security.role.RoleBasedAppException: ADMN0022E:
  Access is denied for the queryConfigObjects operation on
  ConfigService MBean because of insufficient or empty
  credentials.
   at com.ibm.ws.management.configservice.ConfigServiceServerProxy
  $10.run(ConfigServiceServerProxy.java:408)
   at com.ibm.ws.security.util.AccessController.doPrivileged(Acces
  sController.java(Compiled Code))
   at com.ibm.ws.management.configservice.ConfigServiceServerProxy
  .queryConfigObjects(ConfigServiceServerProxy.java:401)
   at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(R
  ALifeCycleManagerImpl.java:2688)
   at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAReso
  urce(ASXAResourceFactoryImpl.java:85)
   at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTA
  XAResourceImpl.java:604)
   at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXARes
  ourceImpl.java:300)
   at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcom
  e(RegisteredResources.java:1961)
   at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOut
  come(RegisteredResources.java:2464)
   at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm(
  TransactionImpl.java:5146)
   at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code))
   at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
  

Problem conclusion

• Apply APAR PK52057 to modify the connection manager to
  associate the required accessId to the thread when reading
  the server configuration during transaction recovery.
  
  The fix for this APAR is currently targeted for inclusion
  in fix pack 6.1.0.15.
  Please refer to the recommended updates page for delivery
  information:
  http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBS APP SERV N

• Fixed component ID

  5724H8800

Applicable component levels

• R61A PSY

     UP

• R61H PSY

     UP

• R61I PSY

     UP

• R61P PSY

     UP

• R61S PSY

     UP

• R61W PSY

     UP

• R61Z PSY

     UP