Direct links to fixes
APAR status
Closed as program error.
Error description
SFTP Public Key Auth fails when duplicate keys with different names in Authorized User keystore

If the administrator adds a duplicate SSH public key with a new name to the Authorized User keystore, the error is not found until the user connects and attempts to validate using the key. Depending on the order of the keys in the keystore, the connection may fail with:

SSE2621 user key list was not empty and key UserKey2 was not in user key list
SSE2610 Sessionid xxx Userkey xxx Invalid Logon Attempt, Count 1, locked: :false, ?
SSE2624 Userid xxx from address xxx failed validation with key fingerprint xx:yy:zz
Local fix
STRRTC - 336514 WA/RJ Circumvention: None
Problem summary
SFTP Public Key Auth fails when duplicate keys with different names in Authorized User keystore

If the administrator adds a duplicate SSH public key with a new name to the Authorized User keystore, the error is not found until the user connects and attempts to validate using the key. Depending on the order of the keys in the keystore, the connection may fail with:

SSE2621 user key list was not empty and key UserKey2 was not in user key list
SSE2610 Sessionid xxx Userkey xxx Invalid Logon Attempt, Count 1, locked: :false, ?
SSE2624 Userid xxx from address xxx failed validation with key fingerprint xx:yy:zz
Problem conclusion
Added a search in the SSH Authorized User Keystore Configuration screen for a duplicate key fingerprint before saving a new key. If a duplicate key is found, a pop-up message is generated indicating which key it is a duplicate of so that the administrator can use that definition instead:

Specified key finger print xx:yy:zz is already associated with authorized key UserKey2
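
The save-time duplicate check described above, sketched as an added example; this is not IBM's code or the product's implementation. The AuthorizedUserKeystore class, DuplicateKeyError, the constructed_key helper and the use of MD5 colon-hex fingerprints over OpenSSH-format key lines are assumptions made for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # Assumption: the xx:yy:zz form in the messages is the MD5 hex style.
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class DuplicateKeyError(ValueError):
    pass


class AuthorizedUserKeystore:
    """Hypothetical in-memory keystore mapping key name -> fingerprint."""

    def __init__(self):
        self._fp_by_name = {}
        self._name_by_fp = {}

    def add(self, name, pubkey_line):
        fp = fingerprint(pubkey_line)
        owner = self._name_by_fp.get(fp)
        if owner is not None and owner != name:
            # Reject at save time, not at the user's first logon.
            raise DuplicateKeyError(
                "Specified key fingerprint %s is already associated "
                "with authorized key %s" % (fp, owner))
        # Re-saving a name with new key material drops its old fingerprint.
        self._name_by_fp.pop(self._fp_by_name.get(name), None)
        self._fp_by_name[name] = fp
        self._name_by_fp[fp] = name
        return fp


def constructed_key(fill, comment):
    """Constructed sample: ed25519-shaped blob of filler bytes, not a real key."""
    alg = b"ssh-ed25519"
    blob = struct.pack(">I", len(alg)) + alg + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)
```

The fingerprint is computed over the decoded key blob only, so the same key pasted with a different comment or name is still caught.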
Temporary fix
Comments
APAR Information
APAR number
IC87275
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
341
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2012-10-16
Closed date
2012-11-14
Last modified date
2012-11-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
R331 PSY
UP
R340 PSY
UP
R341 PSY
UP
Document Information
Modified date:
14 November 2012