PK70943: A REQUEST FOR AUTHENTICATION OF A USER ID THAT IS LONGER THAN 8 CHARACTERS, SHOULD RETURN 'INVALID ID' WHEN RACF USED

Fixes are available

APAR status

Closed as program error.

Error description

When authenticating an id that is longer than 8 characters, but
the first 8 characters do match to an id defined in RACF, the
authentication will be successful.  So for example, if
9-character ID ABCD1234Z is used, the check against RACF will be
done using an 8-character version of the id: ABCD1234.  If
ABCD1234 is a valid RACF id, the authentication will be
successful.  This apar will correct this problem where login
with any id longer than 8 characters will fail.  This is due to
the fact RACF has an 8-character limit for its ids.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of WebSphere Application Server   *
*                  V6.1.0 for z/OS                             *
****************************************************************
* PROBLEM DESCRIPTION: When authenticating an id against       *
*                      SAF that is longer than 8 characters,   *
*                      but the first 8 characters do match     *
*                      to an id defined in RACF, the           *
*                      authentication will be driven to RACF   *
*                      with those 8 characters.                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server was incorrectly stripping off
remaining characters beyond the initial 8 characters.

Problem conclusion

A custom property (com.ibm.security.SAF.Auth.strict) can now be
added by the customer to disallow someone from authenticating
with a userid or password longer than 8 characters when using
local OS as the authentication mechanism. The default value
is FALSE for the property. This property was included in v5.1
as APAR PK22173, and was incorrectly omitted from the v6.1 code.

The following information will be added to the topic
"z/OS System Authorization Facility properties" under
the subheading titled: "com.ibm.security.SAF.Auth.strict."

This property determines whether to enforce an 8-character
limit for the user ID or password information when a local
OS user registry is configured. If a user name or password
that is specified during login is more than eight characters,
the login will fail. The options are TRUE or FALSE(default).

To set this property, in the administrative console, select
Security > Secure administration, applications, and
infrastructure > Custom Properties > New. Enter
com.ibm.security.SAF.Auth.strict in the. Name field, and
enter one of these values in the Value field:

TRUE    This value will not allow a user to login
successfully if their user ID or password is
longer than eight characters.

FALSE   This value will truncate the user ID and password
to eight characters before doing the authentication
check. (default)

APAR PK70943 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/library

The following Change to the WebSphere Application
Server Version 6.1.x Information Center will be made
available in March, 2009.

The following description of the new
com.ibm.security.SAF.Auth.strict custom
property will be added to the topic "Security
custom properties."

com.ibm.security.SAF.Auth.strict

Specifies whether an 8-character limit for the user
ID or password information is enforced when a local
OS user registry is configured.

When this property is set to true, an 8-character
limit for the user ID or password information is
enforced when a local OS user registry is configured.
If the user name or password that is specified during
login contains more than eight characters, the login
fails.

Default                 false

Avoid Trouble: Do not use this property unless you
are running on Version 6.1.0.22, or later.

APAR PK70943 is currently targeted for inclusion in
Service Level (Fix Pack) 6.1.0.22 of WebSphere
Application Server V6.1 for z/OS.

Temporary fix

Comments

APAR Information

APAR number
PK70943
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST
Submitted date
2008-08-21
Closed date
2008-12-09
Last modified date
2011-03-30

APAR is sysrouted FROM one or more of the following:

PK22173
APAR is sysrouted TO one or more of the following:

UK42577 PK82626

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK42577
UP09/01/16 P F901

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK70943: A REQUEST FOR AUTHENTICATION OF A USER ID THAT IS LONGER THAN 8 CHARACTERS, SHOULD RETURN 'INVALID ID' WHEN RACF USED

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK42577

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?