IBM Support

IV69929: JGSS SHOULD CHECK REALM WHEN GETTING TGT FROM CACHE

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: IBM JGSS does not read expected TGT from the
    credential cache file.
    .
    Stack Trace: <OSB>KRB_DBG_TGS<CSB> KrbTgsReq:main: >>>KrbTgsReq:
    asCreds.flags PRE-AUTHENT<OSB>KRB_DBG_TGS<CSB> KrbTgsReq:main:
    >>>KrbTgsReq: KDCOptions.FORWARDABLE, does not match that from
    asCreds.flags<OSB>KRB_DBG_TGS<CSB> TgsCredentials:main:
    >>>Credentials acquireSvcCreds: no tgt; searching
    backwards<OSB>KRB_DBG_TGS<CSB> TgsCredentials:main:
    >>>Credentials acquireSvcCreds: no tgt; cannot get
    credsjava.lang.Exception: No credentialat
    com.ibm.security.jgss.i18n.I18NException.throwException(I18NExce
    ption.java:21)at
    com.ibm.security.krb5.internal.n.d(n.java:161)at
    com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.ja
    va:238)at com.ibm.security.jgss.mech.krb5.n.a(n.java:1955)at
    com.ibm.security.jgss.mech.krb5.n.initSecContext(n.java:1484)at
    com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
    pl.java:336)at
    com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
    pl.java:631)at
    com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Gs
    sKrb5Client.java:174)
    .
    

Local fix

Problem summary

  • When there are multiple TGTs in credentials cache, IBM JGSS
    selects the first one for default realm. The first one may not
    be the TGT for the default realm.Need to add realm check when
    selecting the TGT for the default realm.
    

Problem conclusion

  • Check realm when selecting TGT from cache for the default
    realm.The corresponding Austin defect is 116417.The
    corresponding Hursley defect is 202679.The corresponding RTC
    Problem Report is 86289.Platform affected: All platforms.JVMs
    affected: 5.0, 6.0, 6.26, 7.0, 7.27.Jars affected:
    ibmjgssprovider.jar.The fix will be available in 150_SR16_FP10,
    160_SR16_FP4, 626_SR8_FP4, 170_SR9, 727_SR3.Build level is
    20150224.
    .
    This APAR will be fixed in the following Java Releases:
       7    SR9       (7.0.9.0)
       5.0  SR16 FP10 (5.0.16.10)
       6    SR16 FP4  (6.0.16.4)
       6 R1 SR8 FP4   (6.1.8.4)
       7 R1 SR3       (7.1.3.0)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the Service
    Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV69929

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-02-25

  • Closed date

    2015-03-04

  • Last modified date

    2015-03-04

  • APAR is sysrouted FROM one or more of the following:

    IV69928

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R600 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 6.0

Reference #: IV69929

Modified date: 04 March 2015