APAR status
Closed as program error.
Error description
Description: In IBM's implementation, the delegated credential from the Initiator is always encrypted in the KRB-CRED message. RFC 4120 states that some implementations do not separately encrypt the contents of the EncKrbCredPart of the KRB-CRED message when sending it; Sun's implementation, for example, encrypts it only for certain newer encryption types. This breaks interoperability between IBM and Sun for the old encryption types (DES, TripleDES) when the Initiator runs on one implementation and the Acceptor on the other.

This affects JDK 142, JDK 5.0, JDK 6.0.
The jars affected: ibmjgssprovider.jar

The customer reported the issue when using the IBM JGSS client on 160 SR7 with SUN JDK/JGSS as the server (JBOSS).

Error message noticed at the SUN server end:

    GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with MD5 but decryption key is of type NULL)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

Problem to be fixed in 6.0 SR9.
Local fix
Level 3 to update
Problem summary
In IBM's implementation, the delegated credential from the Initiator is always encrypted in the KRB-CRED message. RFC 4120 states that some implementations do not separately encrypt the contents of the EncKrbCredPart of the KRB-CRED message when sending it; Sun's implementation, for example, encrypts it only for certain newer encryption types. This breaks interoperability between IBM and Sun for the old encryption types (DES, TripleDES) when the Initiator runs on one implementation and the Acceptor on the other. The acceptor side checks for both the encrypted and the non-encrypted form for the old encryption types, so this fix will not affect previous versions of JGSS.
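
Added example, not IBM's or Sun's code: a small DER reader that pulls the etype out of a KRB-CRED enc-part (EncryptedData) and reports how an acceptor would treat it, to help tell the two sender behaviours apart when troubleshooting delegation. Assumptions: etype 0 is the NULL type named in the error message above, the DES/TripleDES etype numbers are those of RFC 3961, the sample bytes are constructed, and all function names are hypothetical.

```python
ETYPE_NULL = 0  # assumption: etype 0 marks an EncKrbCredPart sent without encryption
LEGACY_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd"}

def tlv(tag, value):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample(etype, cipher):
    """Constructed EncryptedData: SEQUENCE { [0] etype, [2] cipher } (kvno omitted)."""
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([etype]))) + tlv(0xA2, tlv(0x04, cipher)))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_encrypted_data(der):
    """Return (etype, cipher) from a DER-encoded EncryptedData."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedData must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, inner, pos = read_tlv(body, pos)
        fields[ctx] = read_tlv(inner, 0)[1]  # unwrap the explicit context tag
    if 0xA0 not in fields or 0xA2 not in fields:
        raise ValueError("etype or cipher missing")
    return int.from_bytes(fields[0xA0], "big", signed=True), fields[0xA2]

def classify(der, acceptor_tries_both):
    """Describe how an acceptor would handle this enc-part of a KRB-CRED."""
    etype, cipher = parse_encrypted_data(der)
    if etype == ETYPE_NULL:
        return "plaintext EncKrbCredPart (%d bytes), read without decryption" % len(cipher)
    name = LEGACY_ETYPES.get(etype, "etype %d" % etype)
    if etype in LEGACY_ETYPES and not acceptor_tries_both:
        return "interop failure: encrypted with %s but acceptor expects plaintext" % name
    return "decrypt with session key (%s)" % name
```
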
Problem conclusion
JARs affected: ibmjgssprovider.jar
JVMs affected: JDK 142, JDK 5.0, JDK 6.0.

This defect will be fixed in:
1.4.2 SR13 FP6
5.0.0 SR12
6.0.0 SR8 FP1

The build date is 20100517.
Hursley CMVC defect number is 166081.
Temporary fix
Comments
APAR Information
APAR number
IZ75980
Reported component name
TIV JAVA GSS-AP
Reported component ID
TIVSECJGS
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-05-13
Closed date
2010-05-18
Last modified date
2010-07-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA GSS-AP
Fixed component ID
TIVSECJGS
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
08 July 2010