Fixes are available
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
Under Network Deployment environment, even CSIv2Outbound Basic Authentication is set to Never, following exception is logged during cross cell RMI call: [2/11/09 17:30:08:208 CET] 00000025 Helpers W NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation. Details follow: Context implementation: com.ibm.ws.naming.jndicos.CNContextImpl Context method: lookupExt Context name: TestNetwork/nodes/TestNode/servers/TestInterCell Target name: ejb/test/TestEJBInterCellHome Other data: "" Exception stack trace: javax.naming.NoPermissionException: NO_PERMISSION exception caught. Root exception is org.omg.CORBA.NO_PERMISSION: Trace from server: 123306476 at host testserver >> org.omg.CORBA.NO_PERMISSION: Subject is null. Authentication Failed. vmcid: 0x49424000 minor code: 300 completed: No at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason. map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:83) at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.receive_requ est(CSIServerRI.java:2338) at com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest(Intercep torManager.java:763) at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDe legate.java:603) at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:4 67) at com.ibm.rmi.iiop.ORB.process(ORB.java:439) at com.ibm.CORBA.iiop.ORB.process(ORB.java:1761) at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2376) at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2221) at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:65) at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:118) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java(Compiled Code)) << END server: 123306476 at host testserver
Local fix
No work-around.
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * **************************************************************** * PROBLEM DESCRIPTION: LTPATokens are sent even if CSIv2 * * Outbound basic authentication is set * * to Never. * **************************************************************** * RECOMMENDATION: * **************************************************************** There are a several methods which always send credentials to a target EJB regardless CSIv2Outbound Authentication settings. This is working as designed to support some administrative calls from server to NodeAgent via RMI connector. The issue here is that once this call is made, the CSIv2 Connection Info is cached, and reused if target hostname is the same. For example, assuming there are an unprotected EJB which runs on a different cell but the same physical machine where node agent is running (this means that the target hostname of administrative calls and a call to this EJB are the same, but these are in different cells) In here, LTPAToken keys are shared between the server and the node agent, but are not shared with a server where an unprotected EJB is running. During starting up a server, it invokes RMI call "register_server" to Node Agent to let Node Agent know a server is started. At this point, although CSIv2 Outbound Authentication is set to Never, the client code sends Credentials since the client handles this call as one of special case to force to enable Outbound Authentication. To do so, CSIv2EffectivePolicy object is overwritten for sending credentials. The issue here is that this modified CSIv2EffectivePolicy object is going to be cached by using target hostname as a cache key. Then, if there is a call to unprotected EJB call, this cached data is reused since the target hostname is the same. Thus, the client sends Credentials (LTPATokens) to a server where the EBJ runs, and the call fails since the server cannot decrypt LTPAToknes due to incompatible LTPAToken keys.
Problem conclusion
With this fix, LTPATokens will not be sent if CSIv2 Outbound setting is set to never. The fix for this APAR is currently targeted for inclusion in fixpack 6.0.2.35, 6.1.0.25, and 7.0.0.5 Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK81335
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-02-25
Closed date
2009-03-04
Last modified date
2009-05-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP
Document Information
Modified date:
28 December 2021