IBM Support

PM49615: CHOOSING "NEVER" FOR CSIV2 OUTBOUND MESSAGE LAYER AUTHENTICATION RESULTS IN ILLEGALSTATEEXCEPTION FOR SUPPORTEDAUTHMECHLIST


APAR status

  • Closed as program error.

Error description

  • User configured CSIv2 outbound message layer authentication to
    be "Never" as follows:
    
    Global Security -> CSIv2 outbound communications
    For the "CSIv2 Message Layer" setting:
      -  Message Layer Authentication = "Never"
      -  All check boxes for "Allow client to server authentication with:" are left unchecked.
    
    These settings populate the security.xml as follows:
    
    <layers xmi:type="orb.securityprotocol:MessageLayer" xmi:id="MessageLayer_2" authenticationLayerRetryCount="3" supportedAuthMechList="">
      <requiredQOP xmi:type="orb.securityprotocol:MessageQOP" xmi:id="MessageQOP_4" establishTrustInClient="false"/>
      <supportedQOP xmi:type="orb.securityprotocol:MessageQOP" xmi:id="MessageQOP_3" establishTrustInClient="false"/>
    </layers>
    
    On startup of the zWAS server, they got the following exception:
    
    BossLog: { 0009} 2011/08/05 14:10:08.085 03 SYSTEM=MVA3 CELL=V80CELL1 NODE=NODE8 CLUSTER=WCLV80Z1 SERVER=WZV80Z1  PID=0X10402A8 TID=0X1A4D730000000000 t=9E6B70 c=UNK ./bbgrjtr.cpp+717 tag= ...
    FFDC1003I: FFDC Incident emitted on /WebSphere/V80/AppServer/profiles/default/logs/ffdc/V80Cell1Base_Node8MVSA3_server8_WZV80Z1_STC09938_0000035C00000003_4702b90_11.08.05_14.10.07.7636734974370455935284.txt com.ibm.ws.security.auth.ContextManagerImpl.getInvocationSubject 1669
    BossLog: { 0010} 2011/08/05 14:10:08.117 03 SYSTEM=MVA3 CELL=V80CELL1 NODE=NODE8 CLUSTER=WCLV80Z1 SERVER=WZV80Z1  PID=0X10402A8 TID=0X1A4D730000000000 t=9E6B70 c=UNK ./bbgrjtr.cpp+717 tag= ...
    FFDC provider error java.lang.IllegalStateException: Invalid empty string for supportedAuthMechList
     at com.ibm.ws.security.config.CSIv2MessageLayerConfig.initialize(CSIv2MessageLayerConfig.java:76)
     at com.ibm.ws.security.config.CSIv2MessageLayerConfig.<init>(CSIv2MessageLayerConfig.java:50)
     at
    ...
    
    As a result, CSIv2 failed to initialize and runtime errors
    appeared when applications attempted to perform CSIv2 outbound
    communication.  The errors reported that the client did not
    support client authentication at the transport level, even
    though it was configured to do so.
    

Local fix

  • Users can enable one of the message layer authentication
    methods, like Basic Auth, for CSIv2 outbound communication
    to avoid the initialization failure and runtime errors.
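
As an added example (not IBM's code and not part of the original APAR), the following Python check scans a security.xml fragment for MessageLayer elements carrying the empty supportedAuthMechList shown above, and notes whether both QOP children have establishTrustInClient="false". The wrapper root with its xmi namespace declaration, the second layer (MessageLayer_9) and the value EXAMPLE_MECH are constructed for illustration, and the function and field names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first <layers> element is the one quoted in the
# APAR; the <root> wrapper (assumed xmi namespace URI) and the second layer
# with the placeholder value EXAMPLE_MECH are invented for contrast.
SAMPLE = """<root xmlns:xmi="http://www.omg.org/XMI">
  <layers xmi:type="orb.securityprotocol:MessageLayer" xmi:id="MessageLayer_2"
          authenticationLayerRetryCount="3" supportedAuthMechList="">
    <requiredQOP xmi:type="orb.securityprotocol:MessageQOP"
                 xmi:id="MessageQOP_4" establishTrustInClient="false"/>
    <supportedQOP xmi:type="orb.securityprotocol:MessageQOP"
                  xmi:id="MessageQOP_3" establishTrustInClient="false"/>
  </layers>
  <layers xmi:type="orb.securityprotocol:MessageLayer" xmi:id="MessageLayer_9"
          supportedAuthMechList="EXAMPLE_MECH">
    <requiredQOP establishTrustInClient="false"/>
    <supportedQOP establishTrustInClient="true"/>
  </layers>
</root>"""


def _local(name):
    """Drop a '{namespace}' prefix so matching does not depend on the URI."""
    return name.rsplit("}", 1)[-1]


def _attrs(elem):
    return {_local(k): v for k, v in elem.attrib.items()}


def find_empty_mech_layers(xml_text):
    """Return one finding per MessageLayer whose supportedAuthMechList is empty."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        attrs = _attrs(elem)
        if _local(elem.tag) != "layers" or not attrs.get("type", "").endswith(":MessageLayer"):
            continue
        mechs = attrs.get("supportedAuthMechList")
        if mechs is None or mechs.strip():
            continue  # only the empty string is what the exception message names
        # Per the APAR, "Never" appears as establishTrustInClient="false" on
        # both the requiredQOP and the supportedQOP child.
        trust = {_local(c.tag): _attrs(c).get("establishTrustInClient") for c in elem}
        never = trust.get("requiredQOP") == "false" and trust.get("supportedQOP") == "false"
        findings.append({"id": attrs.get("id"), "never": never})
    return findings


if __name__ == "__main__":
    for finding in find_empty_mech_layers(SAMPLE):
        print(finding)
```

A finding on a server below the fix pack level named in the problem conclusion marks a configuration that needs the local fix above before restart.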
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.0                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: IllegalStateException and/or            *
    *                      NullPointerExceptions configuring       *
    *                      CSIv2 MessageLayer to Never.            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    IllegalStateException and/or NullPointerExceptions occur when
    configuring CSIv2 MessageLayer to Never and selecting no
    Authentication Mechanism from the admin console panel:
    Global security > CSIv2 inbound communications
    java.lang.NullPointerException
    at com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2TaggedComponent.getCSIv2ComponentData(CSIv2TaggedComponent.java:764)
    at com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityTaggedComponentAssistorImpl.getComponentData(SecurityTaggedComponentAssistorImpl.java:315)
    at com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityComponentFactory.establish_components(SecurityComponentFactory.java:486)
    at com.ibm.rmi.pi.InterceptorManager.iterateEstablishComponents(InterceptorManager.java:873)
    at com.ibm.rmi.IOR.runInterceptors(IOR.java:314)
    at com.ibm.rmi.IOR.putProfile(IOR.java:496)
    at com.ibm.rmi.IOR.<init>(IOR.java:251)
    at com.ibm.rmi.IOR.<init>(IOR.java:221)
    at com.ibm.CORBA.iiop.ORB.createIOR(ORB.java:2022)
    at com.ibm.ws390.orb.ORB.registerWithASR(ORB.java:2594)
    at com.ibm.ws390.orb.CommonBridge.pushRegisterWithASR(CommonBridge.java:2269)
    at com.ibm.ws390.orb.ORBEJSBridge.pushRegisterWithASR(ORBEJSBridge.java:631)
    Trace: 2012/01/23 13:37:53.649 02 t=9E5B70 c=UNK key=P8 tag= (13007004)
    SourceId: com.ibm.ffdc.util.provider.FfdcProvider
    ExtendedMessage: FFDC provider error java.lang.IllegalStateException: Invalid empty string for supportedAuthMechList
    at com.ibm.ws.security.config.CSIv2MessageLayerConfig.initialize(CSIv2MessageLayerConfig.java:76)
    at com.ibm.ws.security.config.CSIv2MessageLayerConfig.<init>(CSIv2MessageLayerConfig.java:50)
    at com.ibm.ws.security.config.CSIv2IOBoundConfig.do_getLayers(CSIv2IOBoundConfig.java:99)
    at com.ibm.ws.security.config.CSIv2IOBoundConfig.getLayers(CSIv2IOBoundConfig.java:118)
    at com.ibm.ws.security.config.CSIv2IOBoundConfig.getLayer(CSIv2IOBoundConfig.java:130)
    at com.ibm.ws.security.config.CSIv2ConfigImpl.serverSetCSIValues(CSIv2ConfigImpl.java:942)
    at com.ibm.ws.security.config.CSIv2ConfigImpl.initializeOnServer(CSIv2ConfigImpl.java:726)
    at com.ibm.ws.security.config.CSIv2ConfigImpl.initialize(CSIv2ConfigImpl.java:1105)
    at com.ibm.ws.security.config.CSIv2ConfigImpl.<init>(CSIv2ConfigImpl.java:94)
    at com.ibm.ws.security.config.SecurityConfigObjectFactoryImpl.createCSIv2Config(SecurityConfigObjectFactoryImpl.java:116)
    at com.ibm.ws.security.config.SecurityObjectLocator.do_getCSIv2Config(SecurityObjectLocator.java:837)
    at com.ibm.ws.security.config.SecurityObjectLocator.getCSIv2Config(SecurityObjectLocator.java:867)
    at com.ibm.ws.security.config.SecurityObjectLocator.getCSIv2Config(SecurityObjectLocator.java:858)
    at com.ibm.ws.security.auth.ContextManagerImpl.getProperty(ContextManagerImpl.java:2079)
    at com.ibm.ws.security.auth.ContextManagerImpl.getProperty(ContextManagerImpl.java:2130)
    at com.ibm.websphere.security.WSSecurityException.printStackTrace(WSSecurityException.java:230)
    at com.ibm.ffdc.util.formatting.IncidentReportHeader.writeTo(IncidentReportHeader.java:77)
    at com.ibm.ffdc.util.provider.IncidentStream.write(IncidentStream.java:204)
    at com.ibm.ffdc.util.provider.IncidentLogger.writeHeader(IncidentLogger.java:70)
    at com.ibm.ffdc.util.provider.IncidentLogger.writeIncidentTo(IncidentLogger.java:61)
    at com.ibm.ws.ffdc.impl.FfdcProvider.logIncident(FfdcProvider.java:172)
    at com.ibm.ws.ffdc.impl.FfdcProvider.logIncident(FfdcProvider.java:108)
    at com.ibm.ffdc.util.provider.FfdcProvider.log(FfdcProvider.java:251)
    at com.ibm.ws.ffdc.impl.FfdcProvider.log(FfdcProvider.java:116)
    at com.ibm.ffdc.util.provider.IncidentEntry.log(IncidentEntry.java:96)
    at com.ibm.ffdc.util.provider.Ffdc.log(Ffdc.java:94)
    at com.ibm.ws.ffdc.FFDCFilter.processException(FFDCFilter.java:84)
    at com.ibm.ws.management.util.SecurityHelper.getInvocationSubject(SecurityHelper.java:527)
    at com.ibm.ws.management.util.SecurityHelper.retrieveSubject(SecurityHelper.java:446)
    at com.ibm.ws.management.event.ListenerInfo.<init>(ListenerInfo.java:74)
    at com.ibm.ws.management.event.LocalNotificationService.createListenerInfo(LocalNotificationService.java:198)
    at com.ibm.ws.management.event.LocalNotificationService.addListenerInternal(LocalNotificationService.java:193)
    at com.ibm.ws.management.event.ClientNotificationService.addClientListenerInternal(ClientNotificationService.java:125)
    at com.ibm.ws.management.event.ClientNotificationService.addNotificationListenerExtended(ClientNotificationService.java:113)
    at com.ibm.ws.management.AdminServiceImpl.addNotificationListenerExtended(AdminServiceImpl.java:1666)
    at com.ibm.ws.management.repository.ServantFileRepository.initialize(ServantFileRepository.java:782)
    at com.ibm.ws.management.component.AdminImpl.initializeConfigRepository(AdminImpl.java:1316)
    at com.ibm.ws.management.component.AdminImpl.initialize(AdminImpl.java:484)
    at com.ibm.ws.runtime.component.ContainerHelper.initWsComponent(ContainerHelper.java:1192)
    at com.ibm.ws.runtime.component.ContainerHelper.initializeComponent(ContainerHelper.java:1099)
    at com.ibm.ws.runt***BUFFER OVERFLOW***
    

Problem conclusion

  • "Message Layer Authentication" of "Never" with no
    authentication mechanisms selected under "Allow client to
    server authentication with:" is a valid configuration. The code
    has been changed to support that configuration setting. Note
    that such settings are not very functional in a realistic
    AppServer environment, but it is a valid configuration.
    
    APAR PM49615 is currently targeted for inclusion in
    Service Level (Fix Pack) 8.0.0.4 of WebSphere Application
    Server V8.0.
    
    Please refer to the Recommended Updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    In addition, please refer to URL:
    http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack PTF information.
    

Temporary fix

  • N/A
    

Comments

APAR Information

  • APAR number

    PM49615

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-10-07

  • Closed date

    2012-02-03

  • Last modified date

    2012-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
28 October 2021