IZ64838: JGSS/KRB5 SHOULD IGNORE REMOTE CHANNEL BINDING INFO WHEN NOT REQUESTED AT LOCAL SIDE.

APAR status

• Closed as program error.

Error description

• Envt: IBM JDK 150 on SOLARIS
  
  problem description:
  
  JGSS/krb5 should ignore remote channel binding info when not
  requested at local side (RFC 4121 4.1.1.2: the acceptor MAY
  ignore...).
  
  All major krb5 implementors implement this "MAY", and some
  applications depend on it as a workaround for not having a way
  to negotiate the use of channel binding -- the initiator
  application always uses CB and hopes the acceptor will ignore
  the CB if the acceptor doesn't support CB.
  
  Affected JVMs:
  All, JDK6.0, JDK1.5.0, JDK1.4.2
  
  Other Notes:
  http://bugs.sun.com/view_bug.do?bug_id=6851973
  

Local fix

• Level 3 to update
  

Problem summary

• SPNEGO SSO no longer works after Microsoft security update
  including Microsoft Security Advisory (973811)
  Customer reported this problem on following JAVA:
  Java version = J2RE 1.5.0 IBM J9 2.3 Windows 2000 x86-32
  j9vmwi3223ifx-20080811 (JIT enabled)
  J9VM - 20080809_21892_lHdSMr
  JIT  - 20080620_1845_r8
  GC   - 200806_19, Java Compiler = j9jit23, Java VM name = IBM J9
  VM
  

Problem conclusion

• ignore incoming channel binding if acceptor does not set one.
  
  Affected JVM  142, 50, 60 ibmjgssprovider.jar
  
  This fix will be in
  Java 142 sr13 fp4
   The build date  is 20091110. Hursley defect number is 159669.
  
  Java 150 SR 12 and 150 SR11 FP1
   The build date  is 20091202. Hursley defect number is 159669.
  
  Java 6.0 SR8 and Java 6.0 ifix,
   The build date  is 20091202. Hursley defect number is 159669.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  TIV JAVA GSS-AP

• Fixed component ID

  TIVSECJGS

Applicable component levels

• R100 PSY

     UP