IBM Support

Performance dip when using RMI-IIOP method calls, with security turned on - org.omg.CORBA_2_3.portable.OutputStream subclassing restriction

Troubleshooting


Problem

WebSphere Application Server application users will experience a performance degradation when security is turned on. Subclassing of org.omg.CORBA_2_3.portable.OutputStream has been restricted as a result of a security vulnerability. Any attempt by the application to subclass org.omg.CORBA_2_3.portable.OutputStream will result in a security exception being thrown.

Symptom

WebSphere Application Server users are affected on all platforms if:

  • the application makes use of RMI-IIOP calls (typically EJB applications), AND
  • Java security is enabled, AND
  • the application runs on one of the Java versions listed below.

JDK releases where the security fix is published and where you may see this problem:

  • 142 SR13
  • 150 SR16 FP3
  • 160 SR14
  • 626 SR6
  • 170 SR5

A possible exception that application users might see if they directly or indirectly subclass org.omg.CORBA_2_3.portable.OutputStream is:
Exception in thread "main" java.security.AccessControlException: Access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at java.security.AccessController.throwACE(AccessController.java:100)
at java.security.AccessController.checkPermission(AccessController.java:174)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:551)
at org.omg.CORBA_2_3.portable.OutputStream.<init>(OutputStream.java:73)

Cause

The performance dip is attributed to security checks added to the ORB code, which check for the required permission whenever an OutputStream subclass instance is created or requested.

Environment

WebSphere Application Server users making use of RMI-IIOP calls with security turned on

Diagnosing The Problem

The performance impact of this issue will differ from environment to environment. Measuring an application's throughput with and without security enabled can help in assessing the performance degradation.

Resolving The Problem

Resolving the Security Exception

If the application attempts to subclass org.omg.CORBA_2_3.portable.OutputStream while security is enabled, application users need to have the appropriate permission (SerializablePermission "enableSubclassImplementation") granted in their policy file.

Temporary workaround for the performance degradation

If users wish to revert to the non-secure mode while Java security is turned on, the system property "jdk.corba.allowOutputStreamSubclass" needs to be set to "true".

Note that the system property "jdk.corba.allowOutputStreamSubclass" is subject to removal in future releases.



Setting the system property to true will make sure that there is no performance degradation. Granting the permission in the policy file will still incur permission checks, and hence there will still be degradation.
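The following is an added example, not part of the IBM technote: a small audit that reports which policy grant entries carry the "enableSubclassImplementation" permission, whether each is scoped to specific code or applies to all code, and whether a JVM argument string turns the subclassing check off. The function names, the sample policy text and the sample JVM arguments are constructed for illustration.

```python
import re

# Added audit sketch (not IBM code). Simplifications: only whole-line "//"
# comments are stripped, and braces are expected only inside quoted strings.
GRANT = re.compile(r'grant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}',
                   re.S | re.I)
PERM = re.compile(r'permission\s+java\.io\.SerializablePermission\s+'
                  r'"enableSubclassImplementation"')
SCOPE = re.compile(r'\b(codeBase|signedBy|principal)\b', re.I)
PROP = re.compile(r'-Djdk\.corba\.allowOutputStreamSubclass=(\S+)')

def audit_policy(text):
    """List (scope, is_scoped) for every grant entry carrying the permission."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    findings = []
    for header, body in GRANT.findall(text):
        if PERM.search(body):
            scope = " ".join(header.split()) or "<all code>"
            findings.append((scope, bool(SCOPE.search(header))))
    return findings

def check_disabled(jvm_args):
    """True when the workaround property reverts to the non-secure mode."""
    m = PROP.search(jvm_args)
    # Case-insensitive comparison is an assumption that errs toward flagging.
    return bool(m) and m.group(1).strip('"').lower() == "true"

# Constructed sample policy text, not taken from the technote.
SAMPLE_POLICY = '''
// constructed sample
grant codeBase "file:${application}" {
  permission java.io.SerializablePermission "enableSubclassImplementation";
};
grant {
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.io.SerializablePermission "enableSubclassImplementation";
};
'''
# Constructed sample JVM argument string.
SAMPLE_JVM_ARGS = '-Xmx1g -Djdk.corba.allowOutputStreamSubclass=true'

if __name__ == "__main__":
    for scope, scoped in audit_policy(SAMPLE_POLICY):
        print(("scoped    " if scoped else "ALL CODE  ") + scope)
    print("subclass check disabled:", check_disabled(SAMPLE_JVM_ARGS))
```

A grant entry with no codeBase, signedBy or principal clause gives the permission to every class the policy covers, so the second entry in the sample is the one to review first.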

Refer to the following InfoCenter articles on setting JVM options on z/OS:

  • WAS z/OS V8.5 InfoCenter article "Java virtual machine custom properties"
  • WAS z/OS V8.0 InfoCenter article "Java virtual machine custom properties"
  • WAS z/OS V7.0 InfoCenter article "Java virtual machine custom properties"
  • WAS z/OS V6.1 InfoCenter article "Java virtual machine custom properties"

Refer to the following InfoCenter articles on setting JVM options on distributed platforms:

  • WAS V8.5 InfoCenter article "Java virtual machine custom properties"
  • WAS V8.0 InfoCenter article "Java virtual machine custom properties"
  • WAS V7.0 InfoCenter article "Java virtual machine custom properties"
  • WAS V6.1 InfoCenter article "Java virtual machine custom properties"

Product: WebSphere Application Server
Component: Object Request Broker (ORB)
Platform: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Version: 8.5.5.1; 8.0.0.8; 7.0.0.31; 6.1.0.47
Edition: Base; Network Deployment

Document Information

Modified date:
15 June 2018

UID

swg21661687