IBM Support

PM56163: The WebSphere security context of the caller is not propagated to the eXtreme Scale agent thread.


You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The security context on an eXtreme Scale agent
    thread running in a WebSphere Application Server
    environment is always the security context of
    the server, instead of the context of the caller that made the
    agent invocation.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of WebSphere eXtreme Scale who use    *
    *                  the AgentManager function.                  *
    * PROBLEM DESCRIPTION: When using an agent, the security       *
    *                      context is not the caller context       *
    *                      like it is with other ObjectMap         *
    *                      operations.                             *
    * RECOMMENDATION:                                              *
    When running in a WebSphere Application Server environment,
    threads must have a security context when security is
    enabled.  The WebSphere eXtreme Scale runtime environment must
    specify a context when it runs a thread, to avoid security
    errors.  Agents are an example of where the eXtreme
    Scale runtime uses a thread to do work.  To have a
    security context on the thread, the system security context
    was used.  When the work being run on the thread is initiated
    by user invocation, it is still using the system security
    context, instead of the user security context.

Problem conclusion

  • The code was changed to provide a way to configure the
    security context that is used on the client and the server for
    commands like those commands used for AgentManager. The default
    behavior is still to use the system identity, but you can
    specify the caller context to be used instead.
    To configure to use the caller security context, you
    must create a custom property at the cell, node, or server
    level in WebSphere Application Server.  Usually you would create
    it at the cell level when running in a network deployment
    topology, and you would create it at the server level when
    running in a single server topology.  If you create the
    property in more than one level, the precedence is server,
    node, cell.  For example, the value of the property on the
    server overrides the value specified at the cell level.  The
    property name is  To run with
    the caller security context, specify a value of CALLER.  To
    run with the system security context, specify a value of
    SYSTEM.  When you start your application server you now see a
    message with a prefix of CWOBJ0072I that specifies
    which run as type is being used.

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention


  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name


  • Fixed component ID


Applicable component levels

  • R710 PSY


Document information

More support for: WebSphere eXtreme Scale

Software version: 710

Reference #: PM56163

Modified date: 03 February 2012

Translate this page: