PK71786: Correct several security-related problems

Fixes are available

APAR status

Closed as program error.

Error description

APAR for WebSphere v7.0 FP1 Security defects

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of WebSphere Application Server   *
****************************************************************
* PROBLEM DESCRIPTION: Correct several security related        *
*                      issues in the WebSphere Application     *
*                      Server 7.0 release.                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Problem:      Java client error org.omg.CORBA.NO_PERMISSION:
passed in realm is not valid if login username contains @. If
a user name contains the @ sign, the code truncates it and
uses only the name before the @ sign.   The solution is not to
truncate.

Problem:    When the user name contains the @ sign, during
authorization only the name before the @ sign is used.  The
solution is to use the complete user name.

Problem:      When "Authenticate when any URI is accessed" is
selected it is expected that servlets with no security
constraints will be authenticated. With this, they will
not be, only servlets with security constraints are
authenticated.Both the "Use available authentication data when
an unprotected URI is accessed" and "Authenticate when any URI
is accessed" options are ignored in the runtime.  The solution
honors both options.

Problem:    The native code being called to check if a user
is granted permission to a certain SAF EJBROLE was always using
the RACROUTE REQUEST=AUTH option. Change the code to instead
use the RACROUTE REQUEST=FASTAUTH option to increase
performance.

Problem:      The RM names logged in the Resource Recovery
Services (RRS) logs are not deleted after the servers are
stopped. If transaction trace is enabled, this problem will
manifest itself as a NullPointerException. To delete the logs
from RRS, the transaction code needs to make a call to the
security code to check if the user has the appropriate RACF
authority. However, the security code threw a
NullPointerException, resulting in the failure to clear out
the logs in RRS. The solution is to eliminate the null
pointer exception.

Problem:      During server startup, if a trust association
interceptor (TAI) is configured, the user may see errors like
these:
CWSPN0009E: SPNEGO Trust Association Interceptor configuration
is not valid. Failure condition:
com.ibm.ws.security.spnego.isEnabled JVM property
is false or not set, no further processing will be done.
SECJ0384E: Trust Association Init Error. The Trust
Association interceptor implementation com.ibm.ws.s
ecurity.spnego.TrustAssociationInterceptorImpl initialization
failed. The error status/exception is 1. If a user tries to
authenticate to a server that has been configured with
a TAI using an expired password, a generic error message will
be generated: SECJ0126E: Trust Association failed during
validation. The exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
Basic Authentication failed.
Enhanced the error message text to indicate that the error
messages can be ignored if the specified TAI is not being
used. The error message was enhanced also to include text for
the user to ensure the credentials were entered correctly.

Problem:     On an Application Server z/OS cell, when security
is enabled and System Authorization Facility (SAF)
authorization is enabled, if the user tries to disable SAF
delegation on the "SAF authorization options" panel, the
administrative console will display the following error message:
CommandValidationException: SECJ7724E: Error in the user
registry configuration unable to verify access to the user
registry. The validation code to check if the user registry is
valid was referencing the SAF delegation property instead of
the SAF authorization property to determine whether SAF is
enabled. As a result, when disabling SAF delegation caused the
validation code to check that the primary administrative
identity is valid, which is non-existent when SAF authorization
is enabled.
Fixed validation code to check property
com.ibm.security.SAF.authorization

Problem:     After configuring a Trust Association
Interceptor (TAI) at the security domain level, the TAI is not
used when authenticating a request for the server that is part
of that security domain. The Trust Association Interceptor
configuration was not being read correctly at the security
domain level and the code was instead using the configuration
at the global security level.
Correctly define the TAI configuration at the security domain
level and reference this configuration when authenticating a
request that is within that security domain.

Problem:   When trying to determine if the sending server is
trusted by the receiving server, if we are on z/OS and local os
is the active user registry, then this trust is determined by
implementing the z/os specific TrustedIDEvaluatorImpl class in
order to establish the trust using the CBIND profile in RACF.
The non-z/OS specific class was being used, and therefore the
trust could not be established, resulting in a NO_PERMISSION
error.
Fix the code to correctly set the evaluator implementation
class to the z-specific one.

Problem:     When using userid and password instead of the
automatically generated serverid as the server identity, the
following error will occur in a server-as-client scenario:
Exception stack trace: javax.naming.NamingException: Error
during resolve [Root exception is org.omg.CORBA.INTERNAL.
Add a check to see if GSSUP is in the target server's list of
supported authentication mechanisms to more accurately determine
whether basicAuth is allowed.

Problem:     An RSA token validation error is thrown when
the second registered node to the AdminAgent is started.
Validate the correct realm and validate the token.

Problem:     User subject not resolving:
javax.jms.JMSSecurityException: CWSIA0069E: The user does not
have authorization to carry out this operation.
Ensure we are in the correct security domain.

Problem:      WCCM models are being initialized in a managed
server, resulting in increases in server footprint.
Remove the extraneous model initializations with no loss to
functionality.

Problem:      A new property was added
"com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain"
to add the node name to the alias name in JAAS auth data
entries at the domain level. This property can be set at
either the global or domain level, however the property at the
domain level should prevail over the one at the global level.
The problem was that the global level property was being used.
Fixed code such that if this property is set at the domain
level, that value is used, else the global value for this
property is used.

Problem:    Creating, deleting and getting auth data entries
does not work in local mode.
Solution is to get the nodeName from the profile install
directory in local mode.

Problem:      Failure to locate a user causes the Messaging
Engine to fail to start because of receiving a
com.ibm.websphere.security.CustomRegistryException rather than
a NoSuchEntryFound exception.
Return the latter exception.

Problem:      After migrating a v5.1 cell to v7 on z/OS the
SECJ0305E: Could not get the uniqueId of the user "" appears
many times in the DMGR and Node agent logs.
Do not try to get the uniquId of a null user.

Problem:     Receive a NoClassDefFound exception whenever
JAX-WS dispatch.invoke(xmlString) is invoked:
Exception in thread "main" javax.xml.ws.WebServiceException:
java.lang.NoClassDefFoundError:
com/ibm/ws/management/profileregistry/ProfileRegistry.
Fixed by not referencing a class that is not found in the thin
client.

Problem:      Direct call to ContextManaerImpl.isWSSubject
results in NullPointerException.
Fixed the NullPointerException on a direct call.

Problem:     java.lang.StackOverflowError when trying to
start servers in a cluster at at
com.ibm.ws.security.config.SecurityObjectLocator.do_getAdminData
Fixed the recursion.

Problem:      Failure to register an application server to an
admin agent with : SECJ0364E: Cannot initialize
ltpa object because of the following exception
com.ibm.websphere.crypto.KeyException: Given final block not
properly padded when registering app server to
admin agent.
Made security keystore management context aware, so correct
keystore password is retrieved, based on the profile (node)
being registered.

Problem: anonymous directoriess created under
/profiles/xxx/wstemp causes config
HFS to fill.
Clean up any unused workspace instances.

Problem:      In a security domain -> CSIV2 outbound
communication, Global realm can be set to "trusted" from "non
trusted". But it cannot be changed back to "non trusted". The
following error is seen on the administrative console:
Validation failed: SECJ7795E: The global security realm
defaultWIMFileBasedRealm can not be removed from the list of
trusted realms.   In the multi domain CSIv2 outbound
communication panel one cannot set the Global realm to
untrusted.
Fixed the code so it is possible to set the Global realm to
untrusted.

Problem:      The following message shows up multiple times in
the logs when the primary adminID is set to "" in the
security.xml file:  SECJ0350E: Could not get the uniqueId of
the user "".
Do not call the repository to get the uniqueID when the
primary adminID is "".

Problem:      When a SSL configuration group
is configured with a specific alias and a replaceCertificate
is performed form an admin task or from the console the alias
name of the certificate is not updated in the ssl
configuration group object in the security.xml file. The alias
would get replaced if the SSL configuration object
happened to specify the alias as well.
Solution is to replace certificate alias in the SSL
configuration group object even if the alias is not used in
the SSL configuration object.

Problem:      SPNEGO integrated login from the windows domain
controller client machine fails for one of the server in
the cluster caused by filtering of security domain
configuration not performed properly during a node sync
operation.
Solution is to scan all security domains for filtering during
a node sync operation.

Problem:      Multiple security domain causes Messaging Engine
to Messaging Engine connection failure: CWSIU0007I:
"CWSIT0034E: A messaging engine to messaging engine request
failed. The security domain configuration is incorrectly being
filtered out from some nodes that use this information.
Fixed the code to propagate the security domain configuration
to the relevant nodes.

Problem:      Tag @ibm-private in-use APIs used by WebSphere
Portal

Problem:      Data power certificate is being added to all new
keystore created.  This is giving new key store more trust
then is needed.
Solution is to remove the data power certificate from the
default-signers keystore.

Problem:      Validation Failed:attr timeout not found" error
when the SPENGO auth mechanism object is a security domain and
the LTPA auth mechanism object is not.
Solution is to make sure the LTPA object is retrieved, not
just any auth mechanism object, when trying to set/get the
timeout LTPA timeout value.

Problem:      When a Federated Repository realm name is
modified it should be reflected in all the Federated Repository
configurations.  In a multi domain setup, changing the realm
name for Federated Repositories does not work correctly.
In a few places the old realm name is still used because the
domain still contains the old realm name.
Fix the code to only allow the realm name change at the global
level since Federated Repositories can only be configured at
the global level. The name change is implicitly propagated to
the domains.

Problem:     Error running syncNode after running
convertSSLConfig with the CONVERT_TO_DEFAULT option.  This is
due to the soap.client.props file not being updated to use the
new keystore information.
Solution is for convertSSLConfig to update the
soap.client.props file that it can.  That is only the local
one.   Then issue a message saying what needs to be updated on
remote soap.client.prop files.

Problem:      When a cluster or server is removed it's
reference is not removed from the security domain map.
During a cluster delete or a server delete check to see if the
resource is mapped to a domain if is, then remove the resource
form the domain map

Problem:     Password in properties need to be blanked out for
in trace string.   The blanked out password was being used for
the LDAP connection if trace is enabled causing an error when
verifying the connection to LDAP.
Solution is to make a copy of the properties when blanking out
the password.

Problem:      When removing a login module configured with a
proxy using unconfigureLoginModule only the login module
class, the delegete, is getting removed.  Leaving a login
module entry without a login module class.
Solution is to remove the entire login module object when the
login module is a delegete.

Problem:     After a node is incorporated into a Deployment
Manager cell, it is possible that SSL communication problems
may occur with remote systems, such as remote Web Servers,
after a personal certificate renewal on the node has occured.
This problem may occur because the renewed certificate is
generated with the Deployment Managers root certificate and
not the nodes original root certificate.  Ultimately, this
will break trust with remote servers, such as a remote Web
Server, and a new signer exchange would need to be
performed.
The code has been modified to add the nodes root certificates
to the Deployment Managers root certificate store
(DefaultRootStore).  This modification allows the nodes
personal certificates to be renewed with the nodes original
root certificate.

Problem:      The signer exchange prompt presented to the
client always lists the target host as ?null?.
The code has been modified to include the correct outbound
host in the signer exchange prompt.

Problem:     You cannot select a webserver to be in a MSD.
This require the high object (managed Node or cell) to
participate in the MSD so the webserver can be included
as a member of the Domain. This is an issue because:
1) Unmanaged webserver require cell level MSD if you want to
map web modules to the webserver, so everything particpates in
the MSD (not much different then global security)
2) Managed webserver require the node or cell level MSD which
might be too general for the end user MSD (e.g. if they are
selecting specific servers/clusters to particpate).
Solution:
bypass the application install security validation for a target
that is a web server.

Problem:      If a translated character has been translated to
upper-case, the signer exchange prompt processing is not
correctly processing "j" and "ja" as lower-case characters.
Solution is to have the GUI exchange prompt has been modified
to lower-case the responses "j" and "ja", in addition to any
other translated text.

Problem:     Attempting to accept a signer certificate from a
remote port results in an incorrect error message.  The error
message indicates it is unale to get the signer certificate
from the remote port.  The command should fail, but should
inidcate that the signer cannot be added because it already
exists in the keystore. Solution: is to
Modify the code to print the correct error message similar to
the following:
CWPKI0630E: Alias "mycert" already exists in key store
"NodeDefaultTrustStore".

Problem conclusion

Code has been modified as previously stated to correct the
listed defects.

The fix for this APAR is currently targeted for inclusion in
fixpack 7.0.0.1.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK71786
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-09-09
Closed date
2008-11-17
Last modified date
2008-11-17

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
23 October 2021

Tips

PK71786: Correct several security-related problems

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?