APAR status
Closed as new function.
Error description
Depending on the RACF LDAP configuration, when a user is not found by an LDAP search, RACF LDAP returns javax.naming.NamingException instead of an empty result, causing SECJ0352E.

[7/11/22 5:31:45:358 CEST] 00000001 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern deAdmin because of the following exception javax.naming.NamingException: [LDAP: error code 80 - ICH31005I NO ENTRIES MEET SEARCH CRITERIA]; remaining name 'racfdb=MVS1'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3315)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3217)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3008)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1887)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1810)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:404)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:370)
    at org.apache.aries.jndi.DelegateContext.search(DelegateContext.java:360)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:287)
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.performAuthentication(LdapRegistryImpl.java:2391)
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.search(LdapRegistryImpl.java:2362)
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.search(LdapRegistryImpl.java:2298)
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.search(LdapRegistryImpl.java:2292)
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.getUsers(LdapRegistryImpl.java:1469)
Local fix
The LDAP behavior can be controlled by the following settings. (basic)
https://www.ibm.com/docs/en/zos/2.4.0?topic=behavior-sdbm-search-capabilities
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server who configured Standalone LDAP or Federated repository with RACF LDAP
PROBLEM DESCRIPTION: SystemOut.log is flooded with SECJ0352E with ICH31005I message
RECOMMENDATION:

SystemOut.log is flooded with SECJ0352E with ICH31005I message. This is due to RACF LDAP returning ICH31005I error when no user is found for the search criteria.
Refer to the following link for more information about RACF LDAP SDBM legacy search:
https://www.ibm.com/docs/en/zos/2.4.0?topic=behavior-sdbm-search-capabilities
Problem conclusion
An option has been introduced to make WebSphere handle a javax.naming.NamingException embedding ICH31005I as an empty result ("user not found").

To activate the behavior, from the Administrative console, go to Global security > Custom properties and set the property and the value as follows.

Name: com.ibm.websphere.security.ldap.suppressICH31005I
Value: true (The default value is false)

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.14.
For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553
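A log triage sketch for the flood described above, added here as an example and not IBM code: it separates SECJ0352E entries caused by ICH31005I ("no entries") from SECJ0352E entries with any other cause, so that real registry failures are not lost in the noise before the property is enabled. The sample log lines are constructed (modelled on the excerpt in the error description), and the function name triage is hypothetical.

```python
import re
from collections import Counter

# Start of a SystemOut.log entry: [timestamp] threadId component level message
ENTRY = re.compile(r"^\[[^\]]+\]\s+[0-9a-fA-F]{8}\s+\S+\s+[A-Z]\s")
PATTERN = re.compile(r"matching the pattern (\S+) because")

# Constructed sample lines, modelled on the excerpt in the error description.
SAMPLE_LOG = """\
[7/11/22 5:31:45:358 CEST] 00000001 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern deAdmin because of the following exception javax.naming.NamingException: [LDAP: error code 80 - ICH31005I NO ENTRIES MEET SEARCH CRITERIA]; remaining name 'racfdb=MVS1'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3315)
[7/11/22 5:31:46:102 CEST] 00000001 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern deAdmin because of the following exception javax.naming.NamingException: [LDAP: error code 80 - ICH31005I NO ENTRIES MEET SEARCH CRITERIA]; remaining name 'racfdb=MVS1'
[7/11/22 5:31:47:010 CEST] 00000045 SystemOut O sample application output
[7/11/22 5:31:48:640 CEST] 00000002 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern opsUser* because of the following exception javax.naming.NamingException: [LDAP: error code 80 - ICH31005I NO ENTRIES MEET SEARCH CRITERIA]; remaining name 'racfdb=MVS1'
[7/11/22 5:32:01:007 CEST] 00000003 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern wasadm because of the following exception javax.naming.CommunicationException: ldap.example.test:389
"""

def triage(lines):
    """Return (ICH31005I hit count per search pattern,
    header lines of SECJ0352E entries that have any other cause)."""
    entries = []
    for line in lines:
        if ENTRY.match(line):
            entries.append([line.strip()])
        elif entries:
            entries[-1].append(line.strip())  # stack-trace continuation line
    noise, other = Counter(), []
    for entry in entries:
        text = " ".join(entry)
        if "SECJ0352E" not in text:
            continue
        # Only the exact case the APAR covers counts as "user not found" noise.
        if "error code 80" in text and "ICH31005I" in text:
            m = PATTERN.search(text)
            noise[m.group(1) if m else "<unknown>"] += 1
        else:
            other.append(entry[0])
    return noise, other

if __name__ == "__main__":
    noise, other = triage(SAMPLE_LOG.splitlines())
    for pattern, count in noise.most_common():
        print(f"ICH31005I not-found: pattern={pattern} count={count}")
    for header in other:
        print("REVIEW:", header)
```

Entries listed under REVIEW are the ones the property does not suppress and that still need attention after it is enabled.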
Temporary fix
Comments
APAR Information
APAR number
PH49180
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-08-31
Closed date
2022-09-16
Last modified date
2022-09-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
17 September 2022