Fixes are available
16.0.0.3: WebSphere Application Server Liberty 16.0.0.3
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4
APAR status
Closed as program error.
Error description
The z/OS server has UNIXPRIV class active for resource RESTRICTED.FILESYS.ACCESS An Application running in a Liberty z/OS server with syncToOSThread enabled calling HttpServletRequest.login surfaces error: MVS console: ICH408I USER(WSGUEST ) GROUP(WSCLGP ) NAME(WAS DFLT USER) /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_ 1.0. 12.jar CL(DIRSRCH ) FID(0003E565001148D10000000000000000) INSUFFICIENT AUTHORITY TO STAT ACCESS INTENT(--X) ACCESS ALLOWED(RESTRICTED ---) EFFECTIVE UID(0000002402) EFFECTIVE GID(0000002502) E CWWKE0701E: FrameworkEvent ERROR Bundle:com.ibm.ws.security.registry.saf(id=100) java.io.IOException: Exception in opening zip file: /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_ 1.0 .12.jar messages.log shows: /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_ 1.0. 12.jar org.eclipse.osgi.framework.util.SecureAction.getZipFile org.eclipse.osgi.storage.bundlefile.ZipBundleFile.basicOpen org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getZipFile org.eclipse.osgi.storage.bundlefile.ZipBundleFile.checkedOpe n org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getEntry org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEnt ry com.ibm.cds.CDSBundleFile.getEntry org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEnt ry org.eclipse.osgi.internal.loader.classpath.ClasspathManager. find ClassImpl org.eclipse.osgi.internal.loader.classpath.ClasspathManager. find LocalClassImpl org.eclipse.osgi.internal.loader.classpath.ClasspathManager. find LocalClass org.eclipse.osgi.internal.loader.ModuleClassLoader.findLocal Clas org.eclipse.osgi.internal.loader.BundleLoader.findLocalClass org.eclipse.osgi.internal.loader.BundleLoader.findClassInter nal org.eclipse.osgi.internal.loader.BundleLoader.findClass org.eclipse.osgi.internal.loader.BundleLoader.findClass org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass java.lang.ClassLoader.loadClass java.util.ResourceBundle$Control.newBundle java.util.ResourceBundle.loadBundle java.util.ResourceBundle.findBundle java.util.ResourceBundle.findBundle java.util.ResourceBundle.findBundl java.util.ResourceBundle.findBundle java.util.ResourceBundle.getBundleImpl java.util.ResourceBundle.getBundl com.ibm.ws.logging.internal.TraceNLSResolver.getResourceBund le com.ibm.ws.logging.internal.TraceNLSResolver.getResourceBund le com.ibm.ws.logging.internal.WsLogRecord.getResourceBundle com.ibm.ws.logging.internal.impl.BaseTraceFormatter.formatMe ssag com.ibm.ws.logging.internal.impl.BaseTraceFormatter.formatMe ssag com.ibm.ws.logging.internal.impl.BaseTraceService.publishLog Reco com.ibm.ws.logging.internal.impl.BaseTraceService.info( com.ibm.websphere.ras.Tr.info com.ibm.ws.security.registry.saf.internal.SAFRegistry.issueA ctiv ationMessage com.ibm.ws.security.registry.saf.internal.SAFAuthorizedRegis try. checkPassword com.ibm.ws.security.authentication.jaas.modules.UsernameAndP assw ordLoginModule.login com.ibm.ws.kernel.boot.security.LoginModuleProxy.login sun.reflect.NativeMethodAccessorImpl.invoke0 sun.reflect.NativeMethodAccessorImpl.invoke sun.reflect.DelegatingMethodAccessorImpl.invoke java.lang.reflect.Method.invoke javax.security.auth.login.LoginContext.invoke javax.security.auth.login.LoginContext.access$000( javax.security.auth.login.LoginContext$4.run javax.security.auth.login.LoginContext$4.run java.security.AccessController.doPrivileged javax.security.auth.login.LoginContext.invokePriv javax.security.auth.login.LoginContext.login com.ibm.ws.security.authentication.internal.jaas.JAASService Impl .doLoginContext com.ibm.ws.security.authentication.internal.jaas.JAASService Impl .performLogin com.ibm.ws.security.authentication.internal.jaas.JAASService Impl .performLogin com.ibm.ws.security.authentication.internal.AuthenticationSe rvic eImpl.performJAASLogin com.ibm.ws.security.authentication.internal.AuthenticationSe rvic eImpl.authenticate com.ibm.ws.webcontainer.security.internal.BasicAuthAuthentic ator .basicAuthenticate com.ibm.ws.webcontainer.security.AuthenticateApi.login com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorI mpl. login com.ibm.ws.webcontainer.srt.SRTServletRequest.login ... Caused by: java.io.FileNotFoundException: /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registr y.saf_1.0.12.jar (EDC5111I Permission denied.) java.util.zip.ZipFile.open java.util.zip.ZipFile. java.util.zip.ZipFile. java.util.zip.ZipFile. org.eclipse.osgi.framework.util.SecureAction.getZipFile ... 89 more
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server Liberty for z/OS using the * * syncToOSThread support is enabled * **************************************************************** * PROBLEM DESCRIPTION: FileNotFoundException seen when * * UNXIPRIV class and UNIXPRIV * * RESTRICTED.FILESYS.ACCESS resource are * * defined. * **************************************************************** * RECOMMENDATION: * **************************************************************** When the syncToOSThread support is enabled on the server, and UNXIPRIV class and UNIXPRIV RESTRICTED.FILESYS.ACCESS are defined, access to archive files may not be permitted as certain operations may run under the default user: WSGUEST. This is what is shown on the MVS console: ICH408I USER(WSGUEST ) GROUP(XXXXXX ) NAME(WAS DFLT USER) /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0. 12.jar CL(DIRSRCH ) FID(0003E565001148D10000000000000000) INSUFFICIENT AUTHORITY TO STAT ACCESS INTENT(--X) ACCESS ALLOWED(RESTRICTED ---) EFFECTIVE UID(0000002402) EFFECTIVE GID(0000002502) This is what is what appears in the messages log: /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0. 12.jar org.eclipse.osgi.framework.util.SecureAction.getZipFile org.eclipse.osgi.storage.bundlefile.ZipBundleFile.basicOpen org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getZipFile org.eclipse.osgi.storage.bundlefile.ZipBundleFile.checkedOpen org.eclipse.osgi.storage.bundlefile.ZipBundleFile.getEntry org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEntry com.ibm.cds.CDSBundleFile.getEntry org.eclipse.osgi.storage.bundlefile.BundleFileWrapper.getEntry org.eclipse.osgi.internal.loader.classpath.ClasspathManager.find ClassImpl ... javax.security.auth.login.LoginContext$4.run java.security.AccessController.doPrivileged javax.security.auth.login.LoginContext.invokePrivjavax.security. auth.login.LoginContext.login com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl .doLoginContext com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl .performLogin com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl .performLogin com.ibm.ws.security.authentication.internal.AuthenticationServic eImpl.performJAASLogin com.ibm.ws.security.authentication.internal.AuthenticationServic eImpl.authenticate com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator .basicAuthenticate com.ibm.ws.webcontainer.security.AuthenticateApi.login com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl. login com.ibm.ws.webcontainer.srt.SRTServletRequest.login ... Caused by: java.io.FileNotFoundException: /WebSphere/Liberty/wlp/lib/com.ibm.ws.security.registry.saf_1.0. 12.jar (EDC5111I Permission denied.) java.util.zip.ZipFile.open java.util.zip.ZipFile.<init> java.util.zip.ZipFile.<init> java.util.zip.ZipFile.<init> org.eclipse.osgi.framework.util.SecureAction.getZipFile
Problem conclusion
Code was added to allow certain functions to take place under the appropriate identity. The fix for this APAR is currently targeted for inclusion in fix pack 16.0.0.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI65658
Reported component name
LIBERTY PROF -
Reported component ID
5655W6514
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-11
Closed date
2016-08-05
Last modified date
2016-08-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROF -
Fixed component ID
5655W6514
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
03 May 2022