PK76024: WEBSPHERE APPLICATION SERVER VERSION 7 SETS AN INCORRECT JAAS LOGIN DEFAULT FOR NEW CUSTOM KERBEROS TOKENS

Fixes are available

APAR status

Closed as program error.

Error description

Using the WebSphere Application Server version 7 administrative
console:
1. Navigate to Services > Policy sets > General provider policy
set bindings
2. Select the Provider sample binding link
3. Select the "WS-Security" policy link
4. Select the "Authentication and protection" bindings link
5. In the Protection token collection select New token > Token
Generator from the dropdown menu button.
6. Enter a name, such as "krbtoken_gen", in the Name field
7. Select "Custom" in the "Token type" dropdown menu button.
8. Enter "http://docs.oasis-open.org/
wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ"
(all on one line ) in the "Local part" field
9. Notice that the "JAAS login" field is empty, leave it empty.
10. Click the Apply button
11. Notice that the JAAS login field now contains
"wss.generate.x509"

That JAAS login value is incorrect for Kerberos tokens and
will cause runtime errors.

Local fix

The user could prevent the incorrect "JAAS login" default by
selecting an appropriate "JAAS login" in the dropdown
before clicking Apply, such as "wss.generate.KRB5BST" for a
new kerberos token generator, or "wss.consume.KRB5BST" for a
new kerberos token consumer.

Problem summary

****************************************************************
* USERS AFFECTED:  WebSphere Application Server version 7      *
*                  JAX-WS Web Services Administrative console  *
*                  users who create bindings for Kerberos      *
*                  tokens.                                     *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere Application Server version    *
*                      7 administrative console users who      *
*                      create new JAX-WS WS-Security           *
*                      bindings for Kerberos tokens may get    *
*                      an incorrect JAAS login value if they   *
*                      use the default value, which is         *
*                      blank. This value will cause runtime    *
*                      errors when using the binding.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Using the WebSphere Application Server version 7 administrative
console, create a binding that contains a Kerberos protection
token:
1. Navigate to Services > Policy sets > General provider policy
set bindings
2. Select the "Provider sample" binding link
3. Select the "WS-Security" policy link
4. Select the "Authentication and protection" bindings link
5. In the Protection token collection select "New token > Token
Generator" from the dropdown menu button.
6. Enter a name, such as "krbtoken_gen", in the Name field
7. Select "Custom" in the "Token type" dropdown menu button.
8. Enter "http://docs.oasis-open.org/
wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ"
(all on one line ) in the "Local part" field
9. Notice that the "JAAS login" field is empty, leave it empty.
10. Click the Apply button.
11. Notice that the JAAS login field now contains
"wss.generate.x509"

That JAAS login value is incorrect for Kerberos tokens and
will cause runtime errors if used.

Problem conclusion

A correct default JAAS login value for the Kerberos token will
be set if an incorrect value is detected when you click the
Apply or OK button on the Token detail panel.

The fix for this APAR is currently targeted for inclusion in
fixpack 7.0.0.3.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK76024
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-11-19
Closed date
2009-01-09
Last modified date
2009-01-09

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
23 October 2021

Tips

PK76024: WEBSPHERE APPLICATION SERVER VERSION 7 SETS AN INCORRECT JAAS LOGIN DEFAULT FOR NEW CUSTOM KERBEROS TOKENS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?