PK71786: Correct several security-related problems

Fixes are available

7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for IBM i
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for AIX
7.0.0.3: Java SDK 1.6 SR4 Cumulative Fix for WebSphere Application Server
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Windows
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Solaris
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Linux
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Linux
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
IBM WebSphere Customization Tools V7.0 for Windows
IBM WebSphere Customization Tools V7.0 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.1: Java SDK 1.6 SR3 Cumulative Fix for WebSphere Application Server
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • APAR for WebSphere v7.0 FP1 Security defects
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of WebSphere Application Server   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Correct several security related        *
    *                      issues in the WebSphere Application     *
    *                      Server 7.0 release.                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Problem:      Java client error org.omg.CORBA.NO_PERMISSION:
    passed in realm is not valid if login username contains @. If
    a user name contains the @ sign, the code truncates it and
    uses only the name before the @ sign.   The solution is not to
    truncate.
    
    Problem:    When the user name contains the @ sign, during
    authorization only the name before the @ sign is used.  The
    solution is to use the complete user name.
    
    Problem:      When "Authenticate when any URI is accessed" is
    selected it is expected that servlets with no security
    constraints will be authenticated. With this, they will
    not be, only servlets with security constraints are
    authenticated.Both the "Use available authentication data when
    an unprotected URI is accessed" and "Authenticate when any URI
    is accessed" options are ignored in the runtime.  The solution
    honors both options.
    
    Problem:    The native code being called to check if a user
    is granted permission to a certain SAF EJBROLE was always using
    the RACROUTE REQUEST=AUTH option. Change the code to instead
    use the RACROUTE REQUEST=FASTAUTH option to increase
    performance.
    
    Problem:      The RM names logged in the Resource Recovery
    Services (RRS) logs are not deleted after the servers are
    stopped. If transaction trace is enabled, this problem will
    manifest itself as a NullPointerException. To delete the logs
    from RRS, the transaction code needs to make a call to the
    security code to check if the user has the appropriate RACF
    authority. However, the security code threw a
    NullPointerException, resulting in the failure to clear out
    the logs in RRS. The solution is to eliminate the null
    pointer exception.
    
    Problem:      During server startup, if a trust association
    interceptor (TAI) is configured, the user may see errors like
    these:
    CWSPN0009E: SPNEGO Trust Association Interceptor configuration
    is not valid. Failure condition:
    com.ibm.ws.security.spnego.isEnabled JVM property
    is false or not set, no further processing will be done.
    SECJ0384E: Trust Association Init Error. The Trust
    Association interceptor implementation com.ibm.ws.s
    ecurity.spnego.TrustAssociationInterceptorImpl initialization
    failed. The error status/exception is 1. If a user tries to
    authenticate to a server that has been configured with
    a TAI using an expired password, a generic error message will
    be generated: SECJ0126E: Trust Association failed during
    validation. The exception is
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    Basic Authentication failed.
    Enhanced the error message text to indicate that the error
    messages can be ignored if the specified TAI is not being
    used. The error message was enhanced also to include text for
    the user to ensure the credentials were entered correctly.
    
    Problem:     On an Application Server z/OS cell, when security
    is enabled and System Authorization Facility (SAF)
    authorization is enabled, if the user tries to disable SAF
    delegation on the "SAF authorization options" panel, the
    administrative console will display the following error message:
    CommandValidationException: SECJ7724E: Error in the user
    registry configuration unable to verify access to the user
    registry. The validation code to check if the user registry is
    valid was referencing the SAF delegation property instead of
    the SAF authorization property to determine whether SAF is
    enabled. As a result, when disabling SAF delegation caused the
    validation code to check that the primary administrative
    identity is valid, which is non-existent when SAF authorization
    is enabled.
    Fixed validation code to check property
    com.ibm.security.SAF.authorization
    
    Problem:     After configuring a Trust Association
    Interceptor (TAI) at the security domain level, the TAI is not
    used when authenticating a request for the server that is part
    of that security domain. The Trust Association Interceptor
    configuration was not being read correctly at the security
    domain level and the code was instead using the configuration
    at the global security level.
    Correctly define the TAI configuration at the security domain
    level and reference this configuration when authenticating a
    request that is within that security domain.
    
    Problem:   When trying to determine if the sending server is
    trusted by the receiving server, if we are on z/OS and local os
    is the active user registry, then this trust is determined by
    implementing the z/os specific TrustedIDEvaluatorImpl class in
    order to establish the trust using the CBIND profile in RACF.
    The non-z/OS specific class was being used, and therefore the
    trust could not be established, resulting in a NO_PERMISSION
    error.
    Fix the code to correctly set the evaluator implementation
    class to the z-specific one.
    
    Problem:     When using userid and password instead of the
    automatically generated serverid as the server identity, the
    following error will occur in a server-as-client scenario:
    Exception stack trace: javax.naming.NamingException: Error
    during resolve [Root exception is org.omg.CORBA.INTERNAL.
    Add a check to see if GSSUP is in the target server's list of
    supported authentication mechanisms to more accurately determine
    whether basicAuth is allowed.
    
    Problem:     An RSA token validation error is thrown when
    the second registered node to the AdminAgent is started.
    Validate the correct realm and validate the token.
    
    Problem:     User subject not resolving:
    javax.jms.JMSSecurityException: CWSIA0069E: The user does not
    have authorization to carry out this operation.
    Ensure we are in the correct security domain.
    
    Problem:      WCCM models are being initialized in a managed
    server, resulting in increases in server footprint.
    Remove the extraneous model initializations with no loss to
    functionality.
    
    Problem:      A new property was added
    "com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain"
    to add the node name to the alias name in JAAS auth data
    entries at the domain level. This property can be set at
    either the global or domain level, however the property at the
    domain level should prevail over the one at the global level.
    The problem was that the global level property was being used.
    Fixed code such that if this property is set at the domain
    level, that value is used, else the global value for this
    property is used.
    
    Problem:    Creating, deleting and getting auth data entries
    does not work in local mode.
    Solution is to get the nodeName from the profile install
    directory in local mode.
    
    Problem:      Failure to locate a user causes the Messaging
    Engine to fail to start because of receiving a
    com.ibm.websphere.security.CustomRegistryException rather than
    a NoSuchEntryFound exception.
    Return the latter exception.
    
    Problem:      After migrating a v5.1 cell to v7 on z/OS the
    SECJ0305E: Could not get the uniqueId of the user "" appears
    many times in the DMGR and Node agent logs.
    Do not try to get the uniquId of a null user.
    
    Problem:     Receive a NoClassDefFound exception whenever
    JAX-WS dispatch.invoke(xmlString) is invoked:
    Exception in thread "main" javax.xml.ws.WebServiceException:
    java.lang.NoClassDefFoundError:
    com/ibm/ws/management/profileregistry/ProfileRegistry.
    Fixed by not referencing a class that is not found in the thin
    client.
    
    Problem:      Direct call to ContextManaerImpl.isWSSubject
    results in NullPointerException.
    Fixed the NullPointerException on a direct call.
    
    Problem:     java.lang.StackOverflowError when trying to
    start servers in a cluster at at
    com.ibm.ws.security.config.SecurityObjectLocator.do_getAdminData
    Fixed the recursion.
    
    Problem:      Failure to register an application server to an
    admin agent with : SECJ0364E: Cannot initialize
    ltpa object because of the following exception
    com.ibm.websphere.crypto.KeyException: Given final block not
    properly padded when registering app server to
    admin agent.
    Made security keystore management context aware, so correct
    keystore password is retrieved, based on the profile (node)
    being registered.
    
    Problem: anonymous directoriess created under
    /profiles/xxx/wstemp causes config
    HFS to fill.
    Clean up any unused workspace instances.
    
    Problem:      In a security domain -> CSIV2 outbound
    communication, Global realm can be set to "trusted" from "non
    trusted". But it cannot be changed back to "non trusted". The
    following error is seen on the administrative console:
    Validation failed: SECJ7795E: The global security realm
    defaultWIMFileBasedRealm can not be removed from the list of
    trusted realms.   In the multi domain CSIv2 outbound
    communication panel one cannot set the Global realm to
    untrusted.
    Fixed the code so it is possible to set the Global realm to
    untrusted.
    
    Problem:      The following message shows up multiple times in
    the logs when the primary adminID is set to "" in the
    security.xml file:  SECJ0350E: Could not get the uniqueId of
    the user "".
    Do not call the repository to get the uniqueID when the
    primary adminID is "".
    
    Problem:      When a SSL configuration group
    is configured with a specific alias and a replaceCertificate
    is performed form an admin task or from the console the alias
    name of the certificate is not updated in the ssl
    configuration group object in the security.xml file. The alias
    would get replaced if the SSL configuration object
    happened to specify the alias as well.
    Solution is to replace certificate alias in the SSL
    configuration group object even if the alias is not used in
    the SSL configuration object.
    
    Problem:      SPNEGO integrated login from the windows domain
    controller client machine fails for one of the server in
    the cluster caused by filtering of security domain
    configuration not performed properly during a node sync
    operation.
    Solution is to scan all security domains for filtering during
    a node sync operation.
    
    Problem:      Multiple security domain causes Messaging Engine
    to Messaging Engine connection failure: CWSIU0007I:
    "CWSIT0034E: A messaging engine to messaging engine request
    failed. The security domain configuration is incorrectly being
    filtered out from some nodes that use this information.
    Fixed the code to propagate the security domain configuration
    to the relevant nodes.
    
    Problem:      Tag @ibm-private in-use APIs used by WebSphere
    Portal
    
    Problem:      Data power certificate is being added to all new
    keystore created.  This is giving new key store more trust
    then is needed.
    Solution is to remove the data power certificate from the
    default-signers keystore.
    
    Problem:      Validation Failed:attr timeout not found" error
    when the SPENGO auth mechanism object is a security domain and
    the LTPA auth mechanism object is not.
    Solution is to make sure the LTPA object is retrieved, not
    just any auth mechanism object, when trying to set/get the
    timeout LTPA timeout value.
    
    Problem:      When a Federated Repository realm name is
    modified it should be reflected in all the Federated Repository
    configurations.  In a multi domain setup, changing the realm
    name for Federated Repositories does not work correctly.
    In a few places the old realm name is still used because the
    domain still contains the old realm name.
    Fix the code to only allow the realm name change at the global
    level since Federated Repositories can only be configured at
    the global level. The name change is implicitly propagated to
    the domains.
    
    Problem:     Error running syncNode after running
    convertSSLConfig with the CONVERT_TO_DEFAULT option.  This is
    due to the soap.client.props file not being updated to use the
    new keystore information.
    Solution is for convertSSLConfig to update the
    soap.client.props file that it can.  That is only the local
    one.   Then issue a message saying what needs to be updated on
    remote soap.client.prop files.
    
    Problem:      When a cluster or server is removed it's
    reference is not removed from the security domain map.
    During a cluster delete or a server delete check to see if the
    resource is mapped to a domain if is, then remove the resource
    form the domain map
    
    Problem:     Password in properties need to be blanked out for
    in trace string.   The blanked out password was being used for
    the LDAP connection if trace is enabled causing an error when
    verifying the connection to LDAP.
    Solution is to make a copy of the properties when blanking out
    the password.
    
    Problem:      When removing a login module configured with a
    proxy using unconfigureLoginModule only the login module
    class, the delegete, is getting removed.  Leaving a login
    module entry without a login module class.
    Solution is to remove the entire login module object when the
    login module is a delegete.
    
    Problem:     After a node is incorporated into a Deployment
    Manager cell, it is possible that SSL communication problems
    may occur with remote systems, such as remote Web Servers,
    after a personal certificate renewal on the node has occured.
    This problem may occur because the renewed certificate is
    generated with the Deployment Managers root certificate and
    not the nodes original root certificate.  Ultimately, this
    will break trust with remote servers, such as a remote Web
    Server, and a new signer exchange would need to be
    performed.
    The code has been modified to add the nodes root certificates
    to the Deployment Managers root certificate store
    (DefaultRootStore).  This modification allows the nodes
    personal certificates to be renewed with the nodes original
    root certificate.
    
    Problem:      The signer exchange prompt presented to the
    client always lists the target host as ?null?.
    The code has been modified to include the correct outbound
    host in the signer exchange prompt.
    
    Problem:     You cannot select a webserver to be in a MSD.
    This require the high object (managed Node or cell) to
    participate in the MSD so the webserver can be included
    as a member of the Domain. This is an issue because:
    1) Unmanaged webserver require cell level MSD if you want to
    map web modules to the webserver, so everything particpates in
    the MSD (not much different then global security)
    2) Managed webserver require the node or cell level MSD which
    might be too general for the end user MSD (e.g. if they are
    selecting specific servers/clusters to particpate).
    Solution:
    bypass the application install security validation for a target
    that is a web server.
    
    Problem:      If a translated character has been translated to
    upper-case, the signer exchange prompt processing is not
    correctly processing "j" and "ja" as lower-case characters.
    Solution is to have the GUI exchange prompt has been modified
    to lower-case the responses "j" and "ja", in addition to any
    other translated text.
    
    Problem:     Attempting to accept a signer certificate from a
    remote port results in an incorrect error message.  The error
    message indicates it is unale to get the signer certificate
    from the remote port.  The command should fail, but should
    inidcate that the signer cannot be added because it already
    exists in the keystore. Solution: is to
    Modify the code to print the correct error message similar to
    the following:
    CWPKI0630E: Alias "mycert" already exists in key store
    "NodeDefaultTrustStore".
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PK71786

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-09-09

  • Closed date

    2008-11-17

  • Last modified date

    2008-11-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

WebSphere Application Server
General

Software version:

7.0

Reference #:

PK71786

Modified date:

2008-11-17

Translate my page

Machine Translation

Content navigation