IBM Support

PK43980: SECJ0305I, ADMN0022E EXCEPTIONS IN DMGR AND NODE AGENT DURING DMGR SHUTDOWN.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • WebSphere Application Server zOS, Deployment Manager control
region sometimes takes the following security exception when the
Node Agent which is shutting down sends a
'StatusCache:placeReport' mbean management call to the DMGR
without security credentials.

Exception in Deployment Manager control region....

Trace: 2007/03/05 16:06:41.653 01 t=9C1CF0 c=UNK key=S2
(13007002)
ThreadId: 00000039
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: AUDIT
ExtendedMessage: BBOO0222I: SECJ0305I: The role-based
authorization check failed for admin-authz operation
StatusCache:placeReport :com.ibm.ws.management.status.
StatusReport.  The user UNAUTHENTICATED  unique ID:
UNAUTHENTICATED) was not granted any of the following required
roles: administrator, operator.

This happens when the Node Agent is sending the mbean
(statusCache) request to the DMGR, too late in the process of
his shutdown.

At the time when the Nodeagent sends this request, Security
service of the Node Agent is already STOPPED and the Node agent
process itself is in a 'STOPPED' state, which explains the
empty credentials on the mbean request to the DMGR.

You will see the following error in the Node agent for the
failing mbean request.

Trace: 2007/03/05 16:06:42.312 01 t=9C4828 c=UNK key=S2
(13007002)
ThreadId: 00000028
FunctionName: handleAdminFault
SourceId:
com.ibm.ws.management.connector.soap.SOAPConnectorClient
Category: FINER
ExtendedMessage: Exit; javax.management.JMRuntimeException:
ADMN0022E: Access is denied for the placeReport operation on
StatusCache MBean because of insufficient or empty credentials.

This error is intermittent.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.0.1 for z/OS                              *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere Application Server z/OS   *
*                      Deployment Manager control region       *
*                      sometimes takes a BBOO0222I: SECJ0305I  *
*                      security exception when the Node Agent  *
*                      is shutting down and sends a            *
*                      'StatusCache:placeReport' mbean         *
*                      management call to the DMGR without     *
*                      security credentials.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server zOS, Deployment Manager control
region sometimes takes the following security exception when
the Node Agent which is shutting down sends a
'StatusCache:placeReport' mbean management call to the DMGR
without security credentials.

Exception in Deployment Manager control region....

Trace: 2007/03/05 16:06:41.653 01 t=9C1CF0 c=UNK key=S2
(13007002)
ThreadId: 00000039
FunctionName: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
SourceId: com.ibm.ws.security.role.RoleBasedAuthorizerImpl
Category: AUDIT
ExtendedMessage: BBOO0222I: SECJ0305I: The role-based
authorization check failed for admin-authz operation
StatusCache:placeReport :com.ibm.ws.management.status.
StatusReport.  The user UNAUTHENTICATED  unique ID:
(UNAUTHENTICATED) was not granted any of the following required
roles: administrator, operator.

This happens when the Node Agent is sending the mbean
(statusCache) request to the DMGR, too late in the process of
his shutdown.

At the time when the Nodeagent sends this request, Security
service of the Node Agent is already STOPPED and the Node agent
process itself is in a 'STOPPED' state, which explains the
empty credentials on the mbean request to the DMGR.

Trace: 2007/03/05 16:06:41.515 01 t=9C4828 c=UNK key=S2
(13007002)
   ThreadId: 00000028

   FunctionName:
com.ibm.ws.management.status.NodeAgentStatusCache
   SourceId: com.ibm.ws.management.status.NodeAgentStatusCache

   Category: FINEST

   ExtendedMessage: Invoking placeReport:

WebSphere:name=StatusCache,process=dmgr,platform=common,
node=d1dmn,version=6.1.0.5,type=StatusCache,
mbeanIdentifier=StatusCache,cell=d1cell,spec=1.0

and you will see the following error in the Node agent for the
failing mbean request.

Trace: 2007/03/05 16:06:42.312 01 t=9C4828 c=UNK key=S2
(13007002)
ThreadId: 00000028
FunctionName: handleAdminFault
SourceId:
com.ibm.ws.management.connector.soap.SOAPConnectorClient
Category: FINER
ExtendedMessage: Exit; javax.management.JMRuntimeException:
ADMN0022E: Access is denied for the placeReport operation on
StatusCache MBean because of insufficient or empty credentials.

BBOO0220E: SECJ0306E: No received or invocation credential
exist on the thread. The Role based authorization check will
not have an accessId of the caller to check. The parameters
are:   access check method  placeReport:com.ibm.ws.management.
status.StatusReport on resource StatusCache and module
StatusCache. The stack   trace is java.lang.Exception:
Invocation and received credentials are both null
at
com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess...
com.ibm.ws.management.AdminServiceImpl.preInvoke(...)
com.ibm.ws.management.AdminServiceImpl.access$400(...)
.
.
.

This error is intermittent.

    



Problem conclusion


    

  • The code has been modified to properly handle the
StatusCache:PlaceReport when the security service event
is shutting down.

APAR PK43980 is currently targeted for inclusion in Service
Level (Fix Pack) 6.0.2.27 of WebSphere Application Server V6.0.1
for z/OS.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK43980
    • 

  • Reported component name
    WEBSPHERE FOR Z
    • 

  • Reported component ID
    5655I3500
    • 

  • Reported release
    601
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-04-25
    • 

  • Closed date
    2007-09-24
    • 

  • Last modified date
    2008-05-05
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
PK43608
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE FOR Z
    • 

  • Fixed component ID
    5655I3500
    • 



Applicable component levels


    

  • R601  PSY  UK35173
       UP08/04/18  P  F804
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback