IBM Support

Performance dip when using RMI-IIOP method calls, with security turned on - org.omg.CORBA_2_3.portable.InputStream subclassing restriction

Troubleshooting


Problem

WebSphere Application Server application users will experience a performance degradation when security is turned on. Subclassing of org.omg.CORBA_2_3.portable.InputStream has been restricted as a result of a security vulnerability. Any attempt by the application to subclass org.omg.CORBA_2_3.portable.InputStream will result in a security exception being thrown.

Symptom

WebSphere Application Server users are affected on all platforms if:

  • the application is making use of RMI-IIOP calls (typically EJB applications), AND
  • Java security is enabled, AND
  • it is running one of the Java versions listed below.

WebSphere Application Server versions where the fix is present:
  • WAS 8.5.5.2
  • WAS 8.0.0.9
  • WAS 7.0.0.33

Note: The versions indicated under the "Software Version" section on the right-hand side are the minimum versions the customer should be at. The versions listed above are the exact versions.

JDK releases where the security fix is published and where you may see this problem:
  • 727 SR1
  • 7.0 SR6 FP1
  • 626 SR7 FP1
  • 6.0 SR15 FP1
  • 5.0 SR16 FP5

Application users who directly or indirectly subclass org.omg.CORBA_2_3.portable.InputStream might see the following exception:

Exception in thread "main" java.security.AccessControlException: Access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at java.security.AccessController.throwACE(AccessController.java:100)
at java.security.AccessController.checkPermission(AccessController.java:174)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:551)
at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:70)

Cause

The performance dip is attributed to the addition of security checks within the ORB code to check for the required permission when an InputStream subclass instance is created/requested.

Diagnosing The Problem

The performance impact due to this issue will differ from environment to environment. A throughput measurement of an application, with and without security enabled, can help in assessing the performance degradation.

Resolving The Problem

Resolving the Security Exception

Application users need to have the appropriate permission ("enableSubclassImplementation" SerializablePermission) granted in their policy file, when security is enabled, if the application attempts to subclass org.omg.CORBA_2_3.portable.InputStream.

Temporary workaround for the performance degradation

If users wish to revert to the non-secure mode while Java security is turned on, the system property "jdk.corba.allowInputStreamSubclass" needs to be set to "true".

Note: The system property "jdk.corba.allowInputStreamSubclass" is subject to removal in future Java releases.


Setting the System property to true will make sure that there is no performance degradation. Granting a permission in the policy file will still incur permission checks and hence there will be degradation.
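The following Python check is an added example, not IBM's code: it reads Java policy text and a JVM argument line and reports which code bases hold the "enableSubclassImplementation" grant and whether the workaround property is set. The policy text, the codeBase path and the JVM arguments are constructed samples, and the function names are hypothetical.

```python
import re

PERM = "java.io.SerializablePermission"
TARGET = "enableSubclassImplementation"
PROP = "jdk.corba.allowInputStreamSubclass"

# Constructed sample policy; the codeBase path is a placeholder, not from the page.
SAMPLE_POLICY = """
// scoped grant: only the application that subclasses the CORBA InputStream
grant codeBase "file:/opt/example/apps/orders.ear/-" {
    permission java.io.SerializablePermission "enableSubclassImplementation";
};
// broad grant: no codeBase, so it applies to all code
grant {
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.util.PropertyPermission "user.dir", "read";
};
"""

# Constructed sample JVM argument line.
SAMPLE_JVM_ARGS = "-Xmx512m -Djdk.corba.allowInputStreamSubclass=true"

GRANT_RE = re.compile(r"grant\b([^{]*)\{(.*?)\}\s*;", re.S | re.I)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
PERM_RE = re.compile(
    r"permission\s+" + re.escape(PERM) + r'\s+"' + re.escape(TARGET) + r'"\s*;', re.I)

def subclass_grants(policy_text):
    """Return the codeBase of each grant block holding the permission (None = all code)."""
    # Drop whole-line // comments only, so "file://..." URLs in codeBase stay intact.
    text = re.sub(r"^\s*//[^\n]*", "", policy_text, flags=re.M)
    found = []
    for header, body in GRANT_RE.findall(text):
        if PERM_RE.search(body):
            m = CODEBASE_RE.search(header)
            found.append(m.group(1) if m else None)
    return found

def workaround_enabled(jvm_args):
    """True when the JVM arguments set the workaround property to "true"."""
    return ("-D" + PROP + "=true") in jvm_args.split()

if __name__ == "__main__":
    for cb in subclass_grants(SAMPLE_POLICY):
        print("permission granted to:", cb or "ALL CODE (no codeBase)")
    print("workaround property set:", workaround_enabled(SAMPLE_JVM_ARGS))
```

A grant reported with no codeBase gives the permission to every class the policy covers; a grant scoped to the one application that subclasses the stream keeps the restriction in force for everything else.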

Refer to the following InfoCenter articles on setting JVM options on z/OS:


WAS z/OS V8.5 InfoCenter article "Java virtual machine custom properties"
WAS z/OS V8.0 InfoCenter article "Java virtual machine custom properties"
WAS z/OS V7.0 InfoCenter article "Java virtual machine custom properties"
WAS z/OS V6.1 InfoCenter article "Java virtual machine custom properties"

Refer to the following InfoCenter articles on setting JVM options on distributed platforms:
WAS V8.5 InfoCenter article "Java virtual machine custom properties"
WAS V8.0 InfoCenter article "Java virtual machine custom properties"
WAS V7.0 InfoCenter article "Java virtual machine custom properties"
WAS V6.1 InfoCenter article "Java virtual machine custom properties"


Document Information

Modified date:
15 June 2018

UID

swg21661691