APAR status
Closed as program error.
Error description
Fix credentials required for the thread during transaction recovery (for V6.0.2)
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server users of * * Java DataBase Connectivity (JDBC) and J2EE * * Connector Architecture (JCA) * * * **************************************************************** * PROBLEM DESCRIPTION: A RoleBasedAppException occurs during * * transaction recovery indicating the * * thread lacks the required accessId of * * the caller. * **************************************************************** * RECOMMENDATION: * **************************************************************** A RoleBasedAppException occurs during transaction recovery indicating the thread lacks the required accessId of the caller. The exception causes the transaction to not recover. The RoleBasedAppException occurs because the thread performing tranaction recovery lacks the accessId, which the user presumably mapped to an Administrative security role, to read (monitor) the server configuration. The exception occurs while the connection manager determines whether a resource provider is installed on the server. Here is an example of a RoleBasedAppException that may occur: [8/16/07 10:26:18:413 EEST] 00000086 RoleBasedAuth E SECJ0306E : No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method queryConfigObjects:com.ibm.websphere.management.Session: javax.management.ObjectName:javax.management.ObjectName: javax.management.QueryExp on resource ConfigService and module ConfigService. The stack trace is java.lang.Exception: Invocation and received credentials are both null at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess (RoleBasedAuthorizerImpl.java:251) at com.ibm.ws.management.configservice.ConfigServiceServerProxy .securityCheck(ConfigServiceServerProxy.java:1022) at com.ibm.ws.management.configservice.ConfigServiceServerProxy $10.run(ConfigServiceServerProxy.java:406) at com.ibm.ws.security.util.AccessController.doPrivileged(Acces sController.java(Compiled Code)) at com.ibm.ws.management.configservice.ConfigServiceServerProxy .queryConfigObjects(ConfigServiceServerProxy.java:401) at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(R ALifeCycleManagerImpl.java:2688) at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAReso urce(ASXAResourceFactoryImpl.java:85) at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTA XAResourceImpl.java:604) at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXARes ourceImpl.java:300) at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcom e(RegisteredResources.java:1961) at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOut come(RegisteredResources.java:2464) at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm( TransactionImpl.java:5146) at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code)) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471). [8/16/07 10:26:18:414 EEST] 00000086 RoleBasedAuth A SECJ0305I : The role-based authorization check failed for admin-authz operation ConfigService:queryConfigObjects:com.ibm.websphere .management.Session: javax.management.ObjectName:javax.management.ObjectName: javax.management.QueryExp. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: administrator, operator, monitor, configurator. [8/16/07 10:26:18:415 EEST] 00000086 RALifeCycleMa E J2CA0154E: The method queryConfigObjects on class ConfigService returned the following exception: com.ibm.websphere.management.exception.ConfigServiceException: com.ibm.ws.security.role.RoleBasedAppException: ADMN0022E: Access is denied for the queryConfigObjects operation on ConfigService MBean because of insufficient or empty credentials. at com.ibm.ws.management.configservice.ConfigServiceServerProxy $10.run(ConfigServiceServerProxy.java:408) at com.ibm.ws.security.util.AccessController.doPrivileged(Acces sController.java(Compiled Code)) at com.ibm.ws.management.configservice.ConfigServiceServerProxy .queryConfigObjects(ConfigServiceServerProxy.java:401) at com.ibm.ejs.j2c.RALifeCycleManagerImpl.isProviderInstalled(R ALifeCycleManagerImpl.java:2688) at com.ibm.ws.Transaction.JTA.ASXAResourceFactoryImpl.getXAReso urce(ASXAResourceFactoryImpl.java:85) at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.reconnectRM(JTA XAResourceImpl.java:604) at com.ibm.ws.Transaction.JTA.JTAXAResourceImpl.commit(JTAXARes ourceImpl.java:300) at com.ibm.ws.Transaction.JTA.RegisteredResources.deliverOutcom e(RegisteredResources.java:1961) at com.ibm.ws.Transaction.JTA.RegisteredResources.distributeOut come(RegisteredResources.java:2464) at com.ibm.ws.Transaction.JTA.TransactionImpl$RetryAlarm.alarm( TransactionImpl.java:5146) at com.ibm.ejs.util.am._Alarm.run(_Alarm.java(Compiled Code)) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
Problem conclusion
This is a backport of apar PK52057. PK52057 makes the following change: modify the connection manager to associate the required accessId to the thread when reading the server configuration during transaction recovery. The fix for this APAR is currently targeted for inclusion in fix pack 6.0.2.33. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK68681
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
60I
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-07-08
Closed date
2008-09-29
Last modified date
2008-09-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
10 February 2022