APAR status
Closed as program error.
Error description
The security context on an eXtreme Scale agent thread running in a WebSphere Application Server environment is always the security context of the server, instead of the context of the caller that made the agent invocation.
Local fix
Problem summary
USERS AFFECTED: Users of WebSphere eXtreme Scale who use the AgentManager function.
PROBLEM DESCRIPTION: When using an agent, the security context is not the caller context like it is with other ObjectMap operations.
RECOMMENDATION:

When running in a WebSphere Application Server environment, threads must have a security context when security is enabled. The WebSphere eXtreme Scale runtime environment must specify a context when it runs a thread, to avoid security errors. Agents are one example of where the eXtreme Scale runtime uses a thread to do work. To give that thread a security context, the runtime used the system security context. As a result, work that is initiated by a user invocation still runs on the thread with the system security context instead of the user security context.
Problem conclusion
The code was changed to provide a way to configure the security context that is used on the client and the server for commands such as those used by AgentManager. The default behavior is still to use the system identity, but you can specify that the caller context be used instead.

To use the caller security context, you must create a custom property at the cell, node, or server level in WebSphere Application Server. Usually you would create it at the cell level when running in a network deployment topology, and at the server level when running in a single server topology. If you create the property at more than one level, the precedence is server, node, cell. For example, the value of the property on the server overrides the value specified at the cell level.

The property name is com.ibm.websphere.xs.security.command.runAsType. To run with the caller security context, specify a value of CALLER. To run with the system security context, specify a value of SYSTEM.

When you start your application server, you now see a message with a prefix of CWOBJ0072I that specifies which run-as type is being used.
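The precedence rule above can be checked across a whole cell before relying on caller identity in agent code. The following is an added example, not IBM code: it resolves the effective value of com.ibm.websphere.xs.security.command.runAsType for each server and flags servers whose agents would still run under the server identity. The topology dictionary, its node and server names, and the status labels are constructed for illustration.

```python
# Added example, not IBM code. The topology below is constructed sample data.
PROP = "com.ibm.websphere.xs.security.command.runAsType"
DEFAULT = "SYSTEM"              # the APAR states SYSTEM is still the default
DOCUMENTED = {"CALLER", "SYSTEM"}


def effective_run_as(cell_props, node_props, server_props):
    """Resolve the property with the documented precedence: server, node, cell."""
    for scope, props in (("server", server_props),
                         ("node", node_props),
                         ("cell", cell_props)):
        if PROP in props:
            return props[PROP], scope
    return DEFAULT, "default"


def audit(topology):
    """Return (node, server, value, scope, status) for every server."""
    findings = []
    cell_props = topology.get("properties", {})
    for node_name, node in sorted(topology["nodes"].items()):
        for server_name, server_props in sorted(node["servers"].items()):
            value, scope = effective_run_as(
                cell_props, node.get("properties", {}), server_props)
            if value not in DOCUMENTED:
                # Only CALLER and SYSTEM are documented; flag anything else
                # for review instead of guessing how the runtime treats it.
                status = "UNRECOGNIZED"
            elif value == "CALLER":
                status = "CALLER_CONTEXT"
            else:
                status = "SERVER_IDENTITY"
            findings.append((node_name, server_name, value, scope, status))
    return findings


SAMPLE_TOPOLOGY = {  # constructed: cell-wide CALLER with node/server overrides
    "properties": {PROP: "CALLER"},
    "nodes": {
        "node01": {"properties": {},
                   "servers": {"xs1": {}, "xs2": {PROP: "SYSTEM"}}},
        "node02": {"properties": {PROP: "SYSTEM"},
                   "servers": {"xs3": {}, "xs4": {PROP: "CALLER"},
                               "xs5": {PROP: "caller"}}},
    },
}

if __name__ == "__main__":
    for row in audit(SAMPLE_TOPOLOGY):
        print("%-7s %-4s %-7s set at %-7s -> %s" % row)
```

The result of such a check can be compared against the CWOBJ0072I message each server writes at startup.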
Temporary fix
Comments
APAR Information
APAR number
PM56163
Reported component name
XD EXTREME SCAL
Reported component ID
5724J3402
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-01-17
Closed date
2012-02-03
Last modified date
2012-02-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
XD EXTREME SCAL
Fixed component ID
5724J3402
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
23 September 2020