IZ64838: JGSS/KRB5 SHOULD IGNORE REMOTE CHANNEL BINDING INFO WHEN NOT REQUESTED AT LOCAL SIDE.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Envt: IBM JDK 150 on SOLARIS
    
    problem description:
    
    JGSS/krb5 should ignore remote channel binding info when not
    requested at local side (RFC 4121 4.1.1.2: the acceptor MAY
    ignore...).
    
    All major krb5 implementors implement this "MAY", and some
    applications depend on it as a workaround for not having a way
    to negotiate the use of channel binding -- the initiator
    application always uses CB and hopes the acceptor will ignore
    the CB if the acceptor doesn't support CB.
    
    Affected JVMs:
    All, JDK6.0, JDK1.5.0, JDK1.4.2
    
    Other Notes:
    http://bugs.sun.com/view_bug.do?bug_id=6851973
    

Local fix

  • Level 3 to update
    

Problem summary

  • SPNEGO SSO no longer works after Microsoft security update
    including Microsoft Security Advisory (973811)
    Customer reported this problem on following JAVA:
    Java version = J2RE 1.5.0 IBM J9 2.3 Windows 2000 x86-32
    j9vmwi3223ifx-20080811 (JIT enabled)
    J9VM - 20080809_21892_lHdSMr
    JIT  - 20080620_1845_r8
    GC   - 200806_19, Java Compiler = j9jit23, Java VM name = IBM J9
    VM
    

Problem conclusion

  • ignore incoming channel binding if acceptor does not set one.
    
    Affected JVM  142, 50, 60 ibmjgssprovider.jar
    
    This fix will be in
    Java 142 sr13 fp4
     The build date  is 20091110. Hursley defect number is 159669.
    
    Java 150 SR 12 and 150 SR11 FP1
     The build date  is 20091202. Hursley defect number is 159669.
    
    Java 6.0 SR8 and Java 6.0 ifix,
     The build date  is 20091202. Hursley defect number is 159669.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ64838

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-11-09

  • Closed date

    2009-12-17

  • Last modified date

    2010-04-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

Tivoli Components - Java Security
JGSS

Software version:

100

Reference #:

IZ64838

Modified date:

2010-04-29

Translate my page

Machine Translation

Content navigation