PK92544: CLIENT CERTIFICATE AUTHENTICATION FAILS WITH CORBA.NO_PERMISSION WHEN ATTEMPTING RMI-IIOP CALL TO NODEAGENT

Fixes are available

APAR status

Closed as program error.

Error description

Attempting an RMI-IIOP call in which the client is a WebSphere
application server attempting client certificate authentication
with identity assertion specifying a PROVIDER_URL with hostname
and port to a WebSphere for z/OS Node Agent a
CORBA.NO_PERMISSION a surfaces in the
NodeAgent, and in the exception received by the client.

The RMI-IIOP call works by specifying a PROVIDER_URL that
contains the ORB_LISTENER_ADDRESS and ORB_LISTENER_PORT to point
directly to the application server.

With trace SASRas=all enabled, the following error in which the
attempt to map the CN portion of the client certificate to a
userid fails.


Trace: 2009/07/16 01:11:31.079 01 t=8CBBE0 c=0.9 key=S2
(13007002)
   ThreadId: 00000036
   FunctionName: SASRas
   SourceId: SASRas
   Category: FINEST
   ExtendedMessage: [CSIUtil.deserializeRootException],
[ServerID: nodeagent]
         Deserializing root cause exception, exception = User
CN=boss0071.l2.plex1.ibm.com not found


Trace: 2009/07/16 01:11:31.080 01 t=8CBBE0 c=0.9 key=S2
(13007002)
   ThreadId: 00000036
   FunctionName: SASRas
   SourceId: SASRas
   Category: FINEST
   ExtendedMessage: [CSIUtil.deserializeRootException],
[ServerID: nodeagent]
 ; com.ibm.websphere.security.EntryNotFoundException: User
CN=boss0071.l2.plex1.ibm.com not found
com.ibm.ws.security.registry.zOS.SAFRegistryImpl.getGroupsForUse
r(SAFRegistryImpl.java:935)
com.ibm.ws.security.registry.zOS.SAFRegistryImpl.getUniqueGroupI
ds(SAFRegistryImpl.java:831)
com.ibm.ws.security.registry.zOS.SAFRegistryImpl.createCredentia
l(SAFRegistryImpl.java:1076)
com.ibm.ws.security.registry.UserRegistryImpl.createCredential(U
serRegistryImpl.java:724)
com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginMod
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
  at java.lang.reflect.Method.invoke(Method.java:618)
javax.security.auth.login.LoginContext.invoke(LoginContext.java:
javax.security.auth.login.LoginContext.access$000(LoginContext.j
javax.security.auth.login.LoginContext$4.run(LoginContext.java:7
java.security.AccessController.doPrivileged(AccessController.jav
javax.security.auth.login.LoginContext.invokePriv(LoginContext.j
javax.security.auth.login.LoginContext.login(LoginContext.java:6
com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHel
com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManager
com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManager
com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManager
com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl$2.run(
com.ibm.ws.security.util.AccessController.doPrivileged(AccessCon
com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_in
com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRIBase.authenti
cateSecurityTokens(CSIServerRIBase.java:2748)
com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRIForCFW.receiv
com.ibm.rmi.pi.InterceptorManager.invokeInterceptor(InterceptorM
com.ibm.rmi.pi.InterceptorManager.iterateServerInterceptors(Inte
com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest(Intercep
com.ibm.ws390.orb.WS390InterceptorManager.interceptInboundReques
  at com.ibm.ws390.orb.CommonBridge.invoke(Unknown Source)
  at com.ibm.ws390.orb.ORBEJSBridge.invoke(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
  at java.lang.reflect.Method.invoke(Method.java:618)
com.ibm.ws390.orb.parameters.ORBEJSBridgeInvoke.ORBEJSBridgeInvo
com.ibm.ws390.ziop.ZIOPCPPUtilities.process_inbound_request(Nati
com.ibm.ws390.channel.ziop.ZIOPInboundConnLink.routeIncomingMess
com.ibm.ws390.channel.ziop.ZIOPInboundMessageHandler.readComplet
com.ibm.ws390.channel.ziop.ZIOPInboundMessageHandler.readFirstMe
com.ibm.ws390.channel.ziop.ZIOPInboundConnLink.ready(ZIOPInbound
com.ibm.ws.tcp.channel.impl.ZAioTCPChannel.newConnectionCommon(Z
com.ibm.ws.tcp.channel.impl.ZAioTCPChannel.readCompletedNewConne
com.ibm.ws.tcp.channel.impl.ZAioTCPChannelCPPUtilitiesInterfaceI
mpl.readCompletedNewConnection(ZAioTCPChannelCPPUtilitiesInterfa

Trace: 2009/07/16 01:11:31.088 01 t=8CBBE0 c=0.9 key=S2
(13007002)
   ThreadId: 00000036
   FunctionName: iterateClientInterceptors:426 WebSphere
t=008cbbe0
   SourceId: ORBRas
   Category: FINE
   ExtendedMessage: The following exception was logged;
org.omg.CORBA.NO_PERMISSION: JSAS0202E: [{0}] Credential token
expired.  {1}
  vmcid: 0x49424000  minor code: 306  completed: No
...

Local fix

Specify a PROVIDER_URL with the ORB_LISTENER_ADDRESS and
ORB_LISTENER_PORT of the application server, not the Node Agent.

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V6.1.0                               *
****************************************************************
* PROBLEM DESCRIPTION: For a WebSphere Application Server for  *
*                      z/OS certificate identity assertion     *
*                      during an RMI-IIOP call, the            *
*                      certificate assertion fails with an     *
*                      EntryNotFoundException exception when   *
*                      the user registry is a localOS user     *
*                      registry.                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
For WebSphere Application Server for z/OS with certificate
identity assertion, the certificate's distinguished name (DN)
is used for the authentication. The DN extracted from the
certificate is not suitable for the user id login performed
since the DN is longer than the 8 characters limit imposed by
the Security Authorization Facility (SAF) product and it
contains attributes that are not part of a valid user id in a
SAF product. The following is a sample stack trace for this
error,

Trace: 2009/07/16 01:11:31.080 01 t=8CBBE0 c=0.9 key=S2
(13007002)
   ThreadId: 00000036
   FunctionName: SASRas
   SourceId: SASRas
   Category: FINEST
   ExtendedMessage: [CSIUtil.deserializeRootException],
[ServerID: nodeagent]
 ; com.ibm.websphere.security.EntryNotFoundException: User
CN=myuser not found
com.ibm.ws.security.registry.zOS.SAFRegistryImpl.getGroupsForUse
r(SAFRegistryImpl.java:935)

Problem conclusion

The code was modified such that a certificate login is
performed when there is a certificate to be used for identity
assertion. In such login, the certificate is used by the
Security Authorization Facility in order to determine the
mapped user associated with such a certificate.

APAR PK92544 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.29 of WebSphere Application Server V6.1.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PK92544
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-07-28
Closed date
2009-10-02
Last modified date
2010-02-01

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK97688

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK53194
UP10/01/15 P F001

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK92544: CLIENT CERTIFICATE AUTHENTICATION FAILS WITH CORBA.NO_PERMISSION WHEN ATTEMPTING RMI-IIOP CALL TO NODEAGENT

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK53194

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?