A fix is available
APAR status
Closed as program error.
Error description
During interoperability testing with enterprise bean lookup from WebSphere Application Server v6.1 to WebSphere Application Server v6.1, having 'CSIv2 inbound transport' set to "SSL-required", the IIOP port is being set to 0 in the calling server. Joblog (JESYSMSG) shows SSL-required set: BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 1. BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 0. The IIOP URL of "corbaloc:iiop:1.2@<server_group.net>:0/NameServiceServerRoot", with port=0. The Naming code then attempts to resolve this URL and fails because the port is 0. This results in CORBA::UNKNOWN exception. ===== Sample test case analysis ====== In the Servant Region, the last printout by the application shows: WAS Initial Context created now looking up cell/clusters/<cluster_name>/ejb/InteropEJBHome Then the exception gets thrown in the Servant Region: Trace: 2008/11/11 13:53:51.408 01 t=9B8870 c=UNK key=P8 (13007002) ThreadId: 00000021 FunctionName: com.ibm.ws.naming.util.Helpers SourceId: com.ibm.ws.naming.util.Helpers Category: WARNING ExtendedMessage: BBOO0221W: NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation. Details follow Backtracking in the Control Region from 13:53:51.408, can see the error is with the thread that processed the exception: Trace: 2008/11/11 13:53:50.629 01 t=9B5AD0 c=UNK key=S2 (0404800A) Description: ORBEJSBridge - sending back System Exception Method Name: ORBEJSBridge::invoke(void *) Rep Id: IDL:omg.org/CORBA/UNKNOWN:1.0 Class Name: CORBA::UNKNOWN Minor Code: -910010465 Completion Status: 1
Local fix
The server side's security setting for CSIv2 inbound transport should be set to SSL-supported instead of SSL-required: From Admin Console, navigate to: 1. Click Security > Secure administration, applications, and infrastructure. 2. Under Authentication, click RMI/IIOP security > CSIv2 inbound transport 3. Set Transport to SSL-Supported Please remember to Save / Synchronize and recycle the server. ----------------------------------------------------------- Changing just this CSIv2 inbound transport may generate a different error - CORBA.NO_PERMISSION. To fix this, change the RMI/IIOP outbound CSIv2 Outbound Authentication settings (either at this cell level, or over-ride for this server) to Client certificate authentication set to Supported. . * If you are doing this at a cell level: Admin Console > Security > Secure administration, applications, and infrastructure > RMI/IIOP security > CSIv2 outbound authentication > Client certificate authentication set to Supported. . Please remember to Save / Synchronize and recycle the server. . * If you are doing this at a server level: Admin Console > Servers > Application servers > WFS001C > Server security > Enable: "RMI/IIOP security for this server overrides the cell settings " > CSIv2 outbound authentication > Client certificate authentication set to Supported . Please remember to Save / Synchronize and recycle the server.
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V7.0 * **************************************************************** * PROBLEM DESCRIPTION: Federated bindings created by the * * name server to link to other servers * * cannot resolve when running with SSL. * **************************************************************** * RECOMMENDATION: * **************************************************************** The name server builds federated bindings in the name space which resolve to other servers. This allows lookups on objects in servers other than the one which the JNDI client is bootstrapped to. These bindings are created with URLs starting with corbaloc:dyn:. Those URLs cannot be resolve when the system is configured to use SSL. To fix the problem, we switched to corbaloc:iiop: URLs, same as those used on distributed platforms. With out the fix, names of the form cell/nodes/<node name>/servers/<server name>/<rest of name> or cell/clusters/<cluster name>/<rest of name> do not resolve successfully. DumpNameSpace output includes the federated binding URLs.
Problem conclusion
The name server now uses corbaloc:iiop: URLs instead of corbaloc:dyn: URLs. URLs of this form work in all situations. APAR PK82693 is currently targeted for inclusion in Service Level (Fix Pack) 7.0.0.3 of WebSphere Application Server V7.0. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PK82693
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-03-16
Closed date
2009-03-20
Last modified date
2009-05-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
BBGUBINF BBOUBINF
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R700 PSY UK45160
UP09/04/06 P F904
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
10 February 2022