PM51523: LOGIN FAIURE DUE TO REALM MISMATCH WHEN REALM IS SET BY SAML TOK EN

Fixes are available

APAR status

Closed as program error.

Error description

A web application and a web service application are installed
on an application server (server A).
An EJB application  is installed on another server (server B).
The web application invokes the web service which calls the
remote
EJB. The web application and the EJB application are protected
by roled based security. The web application uses
SAML Web SSO as authentication mechanism, and ID assertion is
enabled. The SAML token Identify provider is a TFIM server. To
make this scenario working, the SAML issuer name should be
added as the WAS trusted realm for both server A and server B.

The issuer name string is:
https://test.server.ibm.com:9449/test/saml2fed/saml20

When running this scenario, got test failure and the following
exception appears in the server1 FFDC:
[10/12/11 21:43:44:096 CDT]     FFDC
Exception:com.ibm.websphere.security.WSSecurityException
SourceId:readObject ProbeId:1112
Reporter:com.ibm.ws.security.context.ContextImpl@7f647f64
com.ibm.websphere.security.WSSecurityException: the realms do
not match
 at
com.ibm.ws.security.context.ContextImpl.doLogin(ContextImpl.java
:781)
 at
com.ibm.ws.security.context.ContextImpl.deserializeSubjects(Cont
extImpl.java:1144)
 at
com.ibm.ws.security.context.ContextImpl.readObject(ContextImpl.j
ava:1110)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
 at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
Impl.java:60)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
AccessorImpl.java:37)
 at java.lang.reflect.Method.invoke(Method.java:611)
 at
java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.jav
a:1044)
 at
java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:
1866)
 at
java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.j
ava:1770)
 at
java.io.ObjectInputStream.readObject0(ObjectInputStream.java:134
6)
 at
java.io.ObjectInputStream.readObject(ObjectInputStream.java:365)
 at
com.ibm.ws.websvcs.utils.SecurityContextMigrator$6.run(SecurityC
ontextMigrator.java:361)
 at
java.security.AccessController.doPrivileged(AccessController.jav
a:251)
 at
com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadTo
Context(SecurityContextMigrator.java:358)

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: If there is more than one slash         *
*                      character in the access ID,             *
*                      the security code may not extract       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Slash character is used as a demimitor of realm name and unique
user id in the security code. So, the original assumption was
that there was only one slash character in Access ID string.
However, there are some situations that there are multiple
slashes existing in realm name. To support this situation, the
code needs to be implemented with more sophisticated way to
find out the realm name in Acces ID.

Problem conclusion

With this fix, if there are multiple slash characters in
Access ID, the realm name is extracted based on number of
slashes in the string.

The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.21 and 8.0.0.2.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PM51523
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-11-03
Closed date
2011-11-10
Last modified date
2011-11-10

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R700 PSY
UP
R800 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 October 2021

Tips

PM51523: LOGIN FAIURE DUE TO REALM MISMATCH WHEN REALM IS SET BY SAML TOK EN

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

Document Information

Share your feedback

Need support?