Fixes are available
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
A UsernameToken put on the WebSphere Subject by JAX-WS WS-Security may be lost when the Subject is de-serialized.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server V7.0 users of WS-Security enabled JAX-WS applications

PROBLEM DESCRIPTION: Some, but not all, WS-Security tokens are discarded from the WebSphere subject during Subject de-serialization.

RECOMMENDATION: Install an interim Fix or a fix pack containing this APAR, then run Python script called addWSSPropagationLogin.py in the (was_home)/bin directory as instructed in the Information Center.

When a WebSphere Security Subject is de-serialized, some tokens that were added by the JAX-WS WS-Security runtime may be lost from the Subject.

Examples of tokens that are impacted:
    Username tokens
    X.509 tokens
    Custom tokens

The following tokens are not impacted:
    LTPA tokens
    SAML tokens
Problem conclusion
There is currently no mechanism for JAX-WS WS-Security to restore propagated security tokens to a target server or to preserve security tokens after a Java thread or Axis2 context switch. Login modules have been added to several JAAS configuration entries to restore propagated tokens or to preserve tokens after thread or context switching.

By default, these JAAS configuration entries are not updated in the existing profiles. In order to take advantage of the updates made for this APAR, overt action must be taken to update the existing JAAS configurations in each profile. A Python script called addWSSPropagationLogin.py in the (was_home)/bin directory is provided to update the JAAS configurations. This script modifies the JAAS system login module with aliases named RMI_INBOUND, DEFAULT, DESERIALIZE_ASYNCH_CONTEXT.

This script is for JAX-WS Web services applications using Web Services Security tokens such as username token and X509 token. Run this script in the <bin> directory of each created profile that is configured with the JAX-WS Web services applications. This script will update "RMI_INBOUND", "DEFAULT", "DESERIALIZE_ASYNCH_CONTEXT" system login configs.

Before running the script, these configs look similar to the following:

    <entries xmi:id="JAASConfigurationEntry_14" alias="RMI_INBOUND">
      <loginModules xmi:id="JAASLoginModule_16" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_17" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries xmi:id="JAASConfigurationEntry_15" alias="DEFAULT">
      <loginModules xmi:id="JAASLoginModule_18" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_19" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries xmi:id="JAASConfigurationEntry_24" alias="DESERIALIZE_ASYNCH_CONTEXT">
      <loginModules xmi:id="JAASLoginModule_29" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_30" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED">
        <options xmi:id="Property_46" name="com.ibm.ws.security.context.renewToken" value="true"/>
      </loginModules>
    </entries>

After running the script, the configs are updated as:

    <entries xmi:id="JAASConfigurationEntry_14" alias="RMI_INBOUND">
      <loginModules xmi:id="JAASLoginModule_1277846268990" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_1277846269006" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_1277846269021" moduleClassName="com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries xmi:id="JAASConfigurationEntry_15" alias="DEFAULT">
      <loginModules xmi:id="JAASLoginModule_1277846269131" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_1277846269132" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_1277846269146" moduleClassName="com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries xmi:id="JAASConfigurationEntry_24" alias="DESERIALIZE_ASYNCH_CONTEXT">
      <loginModules xmi:id="JAASLoginModule_1277846269225" moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_1277846269240" moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED">
        <options xmi:id="Property_1277846269240" name="com.ibm.ws.security.context.renewToken" value="true" required="false"/>
      </loginModules>
      <loginModules xmi:id="JAASLoginModule_1277846269256" moduleClassName="com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule" authenticationStrategy="REQUIRED"/>
    </entries>

For each profile, typical syntax would be:

    wsadmin.sh/wsadmin.bat -conntype NONE -lang jython -f $WAS_HOME/bin/addWSSPropagationLogin.py

After this fix is installed on a system, new profiles that are created do not contain updated JAAS configurations. The Python script referenced above must be run on the new profile if the functionality of this APAR is required.

The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.13. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
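Because existing and newly created profiles keep the old JAAS entries until the script is run, it helps to check each profile for the three aliases named above. The following is an added example, not IBM code and not part of addWSSPropagationLogin.py: it reports which aliases still lack the propagation login module. The function names, the constructed sample with its <root> wrapper, and the file path passed on the command line are assumptions; the page does not name the file that holds these entries.

```python
import sys
import xml.etree.ElementTree as ET

# Module class name and aliases exactly as listed in the APAR text.
WSS_MODULE = ("com.ibm.ws.wssecurity.platform.websphere.wssapi"
              ".token.impl.wssTokenPropagationInboundLoginModule")
ALIASES = ("RMI_INBOUND", "DEFAULT", "DESERIALIZE_ASYNCH_CONTEXT")

def audit_jaas(xml_data):
    """Map each alias to 'ok', 'missing-module', 'not-required' or 'alias-absent'."""
    status = dict.fromkeys(ALIASES, "alias-absent")
    for entry in ET.fromstring(xml_data).iter("entries"):
        alias = entry.get("alias")
        if alias not in status:
            continue
        mods = [m for m in entry.findall("loginModules")
                if m.get("moduleClassName") == WSS_MODULE]
        if not mods:
            found = "missing-module"
        elif any(m.get("authenticationStrategy") != "REQUIRED" for m in mods):
            found = "not-required"
        else:
            found = "ok"
        # If an alias occurs more than once, keep the first failing result.
        if status[alias] in ("alias-absent", "ok"):
            status[alias] = found
    return status

def needs_script(status):
    """Aliases for which the update described in the APAR is not in place."""
    return sorted(a for a, s in status.items() if s != "ok")

LTPA = ('<loginModules moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule"'
        ' authenticationStrategy="REQUIRED"/>')
WSS = '<loginModules moduleClassName="%s" authenticationStrategy="REQUIRED"/>' % WSS_MODULE
# Constructed sample: RMI_INBOUND and DESERIALIZE_ASYNCH_CONTEXT updated,
# DEFAULT still in the "before" state. The <root> wrapper is an assumption.
SAMPLE = ('<root xmlns:xmi="http://www.omg.org/XMI">'
          '<entries xmi:id="e14" alias="RMI_INBOUND">' + LTPA + WSS + '</entries>'
          '<entries xmi:id="e15" alias="DEFAULT">' + LTPA + '</entries>'
          '<entries xmi:id="e24" alias="DESERIALIZE_ASYNCH_CONTEXT">' + LTPA + WSS + '</entries>'
          '</root>')

if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise read the given file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = audit_jaas(data)
    for alias, state in result.items():
        print(f"{alias}: {state}")
    sys.exit(1 if needs_script(result) else 0)
```

A non-zero exit status means at least one alias still needs the update, which makes the check usable in a post-patch verification job.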
Temporary fix
Comments
APAR Information
APAR number
PM15869
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-06-04
Closed date
2010-08-24
Last modified date
2011-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
24 October 2021