Fixes are available
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for IBM i
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for AIX
7.0.0.3: Java SDK 1.6 SR4 Cumulative Fix for WebSphere Application Server
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Windows
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Solaris
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Linux
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Linux
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
IBM WebSphere Customization Tools V7.0 for Windows
IBM WebSphere Customization Tools V7.0 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.1: Java SDK 1.6 SR3 Cumulative Fix for WebSphere Application Server
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
APAR for WebSphere v7.0 FP1 Security defects
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
****************************************************************
* PROBLEM DESCRIPTION: Correct several security related        *
*                      issues in the WebSphere Application     *
*                      Server 7.0 release.                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Problem: Java client error org.omg.CORBA.NO_PERMISSION: passed in realm is not valid if login username contains @. If a user name contains the @ sign, the code truncates it and uses only the name before the @ sign. The solution is not to truncate.

Problem: When the user name contains the @ sign, during authorization only the name before the @ sign is used. The solution is to use the complete user name.

Problem: When "Authenticate when any URI is accessed" is selected it is expected that servlets with no security constraints will be authenticated. With this, they will not be; only servlets with security constraints are authenticated. Both the "Use available authentication data when an unprotected URI is accessed" and "Authenticate when any URI is accessed" options are ignored in the runtime. The solution honors both options.

Problem: The native code being called to check if a user is granted permission to a certain SAF EJBROLE was always using the RACROUTE REQUEST=AUTH option. Change the code to instead use the RACROUTE REQUEST=FASTAUTH option to increase performance.

Problem: The RM names logged in the Resource Recovery Services (RRS) logs are not deleted after the servers are stopped. If transaction trace is enabled, this problem will manifest itself as a NullPointerException. To delete the logs from RRS, the transaction code needs to make a call to the security code to check if the user has the appropriate RACF authority. However, the security code threw a NullPointerException, resulting in the failure to clear out the logs in RRS. The solution is to eliminate the null pointer exception.

Problem: During server startup, if a trust association interceptor (TAI) is configured, the user may see errors like these:
CWSPN0009E: SPNEGO Trust Association Interceptor configuration is not valid. Failure condition: com.ibm.ws.security.spnego.isEnabled JVM property is false or not set, no further processing will be done.
SECJ0384E: Trust Association Init Error. The Trust Association interceptor implementation com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl initialization failed. The error status/exception is 1.
If a user tries to authenticate to a server that has been configured with a TAI using an expired password, a generic error message will be generated:
SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: Basic Authentication failed.
Enhanced the error message text to indicate that the error messages can be ignored if the specified TAI is not being used. The error message was also enhanced to include text asking the user to ensure the credentials were entered correctly.

Problem: On an Application Server z/OS cell, when security is enabled and System Authorization Facility (SAF) authorization is enabled, if the user tries to disable SAF delegation on the "SAF authorization options" panel, the administrative console will display the following error message: CommandValidationException: SECJ7724E: Error in the user registry configuration unable to verify access to the user registry. The validation code to check if the user registry is valid was referencing the SAF delegation property instead of the SAF authorization property to determine whether SAF is enabled. As a result, disabling SAF delegation caused the validation code to check that the primary administrative identity is valid, which is non-existent when SAF authorization is enabled. Fixed validation code to check property com.ibm.security.SAF.authorization.

Problem: After configuring a Trust Association Interceptor (TAI) at the security domain level, the TAI is not used when authenticating a request for the server that is part of that security domain. The Trust Association Interceptor configuration was not being read correctly at the security domain level and the code was instead using the configuration at the global security level. Correctly define the TAI configuration at the security domain level and reference this configuration when authenticating a request that is within that security domain.

Problem: When trying to determine if the sending server is trusted by the receiving server, if we are on z/OS and local OS is the active user registry, then this trust is determined by implementing the z/OS-specific TrustedIDEvaluatorImpl class in order to establish the trust using the CBIND profile in RACF. The non-z/OS-specific class was being used, and therefore the trust could not be established, resulting in a NO_PERMISSION error. Fix the code to correctly set the evaluator implementation class to the z/OS-specific one.

Problem: When using userid and password instead of the automatically generated serverid as the server identity, the following error will occur in a server-as-client scenario: Exception stack trace: javax.naming.NamingException: Error during resolve [Root exception is org.omg.CORBA.INTERNAL. Add a check to see if GSSUP is in the target server's list of supported authentication mechanisms to more accurately determine whether basicAuth is allowed.

Problem: An RSA token validation error is thrown when the second registered node to the AdminAgent is started. Validate the correct realm and validate the token.

Problem: User subject not resolving: javax.jms.JMSSecurityException: CWSIA0069E: The user does not have authorization to carry out this operation. Ensure we are in the correct security domain.

Problem: WCCM models are being initialized in a managed server, resulting in increases in server footprint. Remove the extraneous model initializations with no loss of functionality.

Problem: A new property was added, "com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain", to add the node name to the alias name in JAAS auth data entries at the domain level. This property can be set at either the global or domain level; however, the property at the domain level should prevail over the one at the global level. The problem was that the global level property was being used. Fixed code such that if this property is set at the domain level, that value is used; else the global value for this property is used.

Problem: Creating, deleting and getting auth data entries does not work in local mode. Solution is to get the nodeName from the profile install directory in local mode.

Problem: Failure to locate a user causes the Messaging Engine to fail to start because of receiving a com.ibm.websphere.security.CustomRegistryException rather than a NoSuchEntryFound exception. Return the latter exception.

Problem: After migrating a v5.1 cell to v7 on z/OS, the message SECJ0305E: Could not get the uniqueId of the user "" appears many times in the DMGR and Node agent logs. Do not try to get the uniqueId of a null user.

Problem: Receive a NoClassDefFound exception whenever JAX-WS dispatch.invoke(xmlString) is invoked: Exception in thread "main" javax.xml.ws.WebServiceException: java.lang.NoClassDefFoundError: com/ibm/ws/management/profileregistry/ProfileRegistry. Fixed by not referencing a class that is not found in the thin client.

Problem: Direct call to ContextManaerImpl.isWSSubject results in NullPointerException. Fixed the NullPointerException on a direct call.

Problem: java.lang.StackOverflowError when trying to start servers in a cluster, at com.ibm.ws.security.config.SecurityObjectLocator.do_getAdminData. Fixed the recursion.

Problem: Failure to register an application server to an admin agent with: SECJ0364E: Cannot initialize ltpa object because of the following exception com.ibm.websphere.crypto.KeyException: Given final block not properly padded when registering app server to admin agent. Made security keystore management context aware, so the correct keystore password is retrieved, based on the profile (node) being registered.

Problem: Anonymous directories created under /profiles/xxx/wstemp cause the config HFS to fill. Clean up any unused workspace instances.

Problem: In a security domain -> CSIV2 outbound communication, the Global realm can be set to "trusted" from "non trusted", but it cannot be changed back to "non trusted". The following error is seen on the administrative console: Validation failed: SECJ7795E: The global security realm defaultWIMFileBasedRealm can not be removed from the list of trusted realms. In the multi-domain CSIv2 outbound communication panel one cannot set the Global realm to untrusted. Fixed the code so it is possible to set the Global realm to untrusted.

Problem: The following message shows up multiple times in the logs when the primary adminID is set to "" in the security.xml file: SECJ0350E: Could not get the uniqueId of the user "". Do not call the repository to get the uniqueID when the primary adminID is "".

Problem: When an SSL configuration group is configured with a specific alias and a replaceCertificate is performed from an admin task or from the console, the alias name of the certificate is not updated in the SSL configuration group object in the security.xml file. The alias would get replaced if the SSL configuration object happened to specify the alias as well. Solution is to replace the certificate alias in the SSL configuration group object even if the alias is not used in the SSL configuration object.

Problem: SPNEGO integrated login from the Windows domain controller client machine fails for one of the servers in the cluster, caused by filtering of the security domain configuration not being performed properly during a node sync operation. Solution is to scan all security domains for filtering during a node sync operation.

Problem: Multiple security domains cause a Messaging Engine to Messaging Engine connection failure: CWSIU0007I: "CWSIT0034E: A messaging engine to messaging engine request failed. The security domain configuration is incorrectly being filtered out from some nodes that use this information. Fixed the code to propagate the security domain configuration to the relevant nodes.

Problem: Tag @ibm-private in-use APIs used by WebSphere Portal.

Problem: The DataPower certificate is being added to every new keystore created. This gives a new keystore more trust than is needed. Solution is to remove the DataPower certificate from the default-signers keystore.

Problem: "Validation Failed: attr timeout not found" error when the SPNEGO auth mechanism object is in a security domain and the LTPA auth mechanism object is not. Solution is to make sure the LTPA object is retrieved, not just any auth mechanism object, when trying to set/get the LTPA timeout value.

Problem: When a Federated Repository realm name is modified it should be reflected in all the Federated Repository configurations. In a multi-domain setup, changing the realm name for Federated Repositories does not work correctly. In a few places the old realm name is still used because the domain still contains the old realm name. Fix the code to only allow the realm name change at the global level, since Federated Repositories can only be configured at the global level. The name change is implicitly propagated to the domains.

Problem: Error running syncNode after running convertSSLConfig with the CONVERT_TO_DEFAULT option. This is due to the soap.client.props file not being updated to use the new keystore information. Solution is for convertSSLConfig to update the soap.client.props file that it can, that is, only the local one, and then issue a message saying what needs to be updated in remote soap.client.props files.

Problem: When a cluster or server is removed, its reference is not removed from the security domain map. During a cluster delete or a server delete, check to see if the resource is mapped to a domain; if it is, then remove the resource from the domain map.

Problem: Passwords in properties need to be blanked out in the trace string. The blanked-out password was being used for the LDAP connection if trace is enabled, causing an error when verifying the connection to LDAP. Solution is to make a copy of the properties when blanking out the password.

Problem: When removing a login module configured with a proxy using unconfigureLoginModule, only the login module class, the delegate, is getting removed, leaving a login module entry without a login module class. Solution is to remove the entire login module object when the login module is a delegate.

Problem: After a node is incorporated into a Deployment Manager cell, it is possible that SSL communication problems may occur with remote systems, such as remote Web Servers, after a personal certificate renewal on the node has occurred. This problem may occur because the renewed certificate is generated with the Deployment Manager's root certificate and not the node's original root certificate. Ultimately, this will break trust with remote servers, such as a remote Web Server, and a new signer exchange would need to be performed. The code has been modified to add the node's root certificates to the Deployment Manager's root certificate store (DefaultRootStore). This modification allows the node's personal certificates to be renewed with the node's original root certificate.

Problem: The signer exchange prompt presented to the client always lists the target host as "null". The code has been modified to include the correct outbound host in the signer exchange prompt.

Problem: You cannot select a web server to be in a MSD. This requires the higher-level object (managed node or cell) to participate in the MSD so the web server can be included as a member of the domain. This is an issue because: 1) An unmanaged web server requires a cell-level MSD if you want to map web modules to the web server, so everything participates in the MSD (not much different than global security). 2) A managed web server requires the node- or cell-level MSD, which might be too general for the end user's MSD (e.g. if they are selecting specific servers/clusters to participate). Solution: bypass the application install security validation for a target that is a web server.

Problem: If a translated character has been translated to upper-case, the signer exchange prompt processing is not correctly processing "j" and "ja" as lower-case characters. Solution: the GUI exchange prompt has been modified to lower-case the responses "j" and "ja", in addition to any other translated text.

Problem: Attempting to accept a signer certificate from a remote port results in an incorrect error message. The error message indicates it is unable to get the signer certificate from the remote port. The command should fail, but should indicate that the signer cannot be added because it already exists in the keystore. Solution is to modify the code to print the correct error message, similar to the following: CWPKI0630E: Alias "mycert" already exists in key store "NodeDefaultTrustStore".
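The trace-redaction defect above (blanking the password in the live properties, so the LDAP bind then used "****") is a general pattern worth seeing side by side with its fix. The following is an added example written for this page, not IBM's code: the property key, the bind stand-in and the sample values are constructed, and java.util.Properties is used only as the container the defect description names.

```java
import java.util.Properties;

public class TraceRedaction {
    // Constructed key name for the example; any credential-bearing property behaves the same.
    static final String PASSWORD_KEY = "java.naming.security.credentials";
    static final String MASK = "****";

    // Defect pattern: redacts the caller's own Properties object, so whatever
    // reads it afterwards (the LDAP bind) sees the mask instead of the secret.
    static Properties redactInPlace(Properties env) {
        if (env.containsKey(PASSWORD_KEY)) {
            env.put(PASSWORD_KEY, MASK);
        }
        return env;
    }

    // Fix pattern: copy first, redact the copy, hand the copy to the tracer and
    // leave the original untouched for the real connection.
    static Properties redactCopy(Properties env) {
        Properties copy = new Properties();
        copy.putAll(env);
        if (copy.containsKey(PASSWORD_KEY)) {
            copy.put(PASSWORD_KEY, MASK);
        }
        return copy;
    }

    // Stand-in for the directory bind: succeeds only with the real credential.
    static boolean bind(Properties env, String expectedPassword) {
        return expectedPassword.equals(env.getProperty(PASSWORD_KEY));
    }

    static Properties sampleEnv(String password) {
        // Constructed sample values; not taken from any real configuration.
        Properties env = new Properties();
        env.put("java.naming.provider.url", "ldap://ldap.example.test:389");
        env.put("java.naming.security.principal", "cn=wasbind,o=example");
        env.put(PASSWORD_KEY, password);
        return env;
    }

    public static void main(String[] args) {
        final String secret = "constructed-secret";
        boolean traceEnabled = true;

        // Buggy path: the trace line is clean, but the bind that follows fails.
        Properties env = sampleEnv(secret);
        if (traceEnabled) {
            System.out.println("trace (in place): " + redactInPlace(env));
        }
        System.out.println("bind after in-place redaction succeeds: " + bind(env, secret));

        // Fixed path: the trace line is equally clean and the bind still succeeds.
        env = sampleEnv(secret);
        if (traceEnabled) {
            System.out.println("trace (copy): " + redactCopy(env));
        }
        System.out.println("bind after copy redaction succeeds: " + bind(env, secret));
    }
}
```

Reviewing any redaction helper for whether it returns its argument or a copy is the quick check for this class of bug; a helper that mutates shared configuration only misbehaves when tracing is on, which is exactly when it is hardest to notice.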
Problem conclusion
Code has been modified as previously stated to correct the listed defects. The fix for this APAR is currently targeted for inclusion in fixpack 7.0.0.1. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK71786
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-09-09
Closed date
2008-11-17
Last modified date
2008-11-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
23 October 2021