PK84184: DYNAMIC MAPPING OF ALIAS HOSTNAME TO REAL HOSTNAME FOR SPNEGO SSO.

Fixes are available

7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for i5/OS
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for AIX
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for Windows
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for HP-UX
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for Solaris
6.1.0.27: WebSphere Application Server V6.1 Fix Pack 27 for Linux
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
6.1.0.33: WebSphere Application Server V6.1 Fix Pack 33 for AIX
6.1.0.33: WebSphere Application Server V6.1 Fix Pack 33 for HP-UX
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for AIX
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for AIX
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for HP-UX
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for i5/OS
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for Solaris
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for Windows
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for HP-UX
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for i5/OS
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for Solaris
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for Windows
6.1.0.31: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.33: WebSphere Application Server V6.1 Fix Pack 33 for Solaris
6.1.0.33: WebSphere Application Server V6.1 Fix Pack 33 for Windows
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for AIX
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for HP-UX
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for i5/OS
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for Solaris
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for Windows
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
6.1.0.29: WebSphere Application Server V6.1 Fix Pack 29 for Linux
6.1.0.31: WebSphere Application Server V6.1 Fix Pack 31 for Linux
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
6.1.0.33: WebSphere Application Server V6.1 Fix Pack 33 for Linux
6.1.0.35: WebSphere Application Server V6.1 Fix Pack 35 for Linux
6.1.0.37: WebSphere Application Server V6.1 Fix Pack 37
6.1.0.39: WebSphere Application Server V6.1 Fix Pack 39
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: WebSphere Application Server V6.1 Fix Pack 41
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: WebSphere Application Server V6.1 Fix Pack 43
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: WebSphere Application Server V6.1 Fix Pack 45
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

APAR status

  • Closed as program error.

Error description

  • Alias support does not work if the alias host is added to DNS
    after WebSphere has started.  Even though the alias is mapped to
    the SPNEGO-configured host, SSO does not work for the alias that
    is added later.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who use alias hostname for SPNEGO    *
    *                  (Simple and Protected GSSAPI Negotiation    *
    *                  Mechanism) single sign-on                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: SPNEGO single sign-on does not work     *
    *                      if alias hostname is dynamically        *
    *                      added after Server startup.             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When an HTTP request comes in for an alias host and the
    alias hostname resolves to a host that is configured for
    SPNEGO single sign-on, WebSphere does not proceed because the
    hostname does not match.
    

Problem conclusion

  • Code is updated to perform a DNS lookup when an HTTP request
    comes in. After this APAR, if the alias hostname resolves to a
    hostname that is already configured for SPNEGO single sign-on,
    WebSphere Application Server continues to process the request.
    
    Note: This APAR requires the following configuration in addition
    to a working SPNEGO TAI single sign-on environment.
    
    1. Define the actual (real) hostname for this variable:
    com.ibm.ws.security.spnego.SPNx.hostName
    
    From administration console:
    (V6.1) Secure administration, applications, and infrastructure
    > Trust association > Interceptors >
    com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl >
    Custom Properties
    (V7.0) Global security > (Web and SIP security) > Trust
    association > Interceptors >
    com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl >
    Custom Properties
    
    Add/modify the following variable:
    com.ibm.ws.security.spnego.SPNx.hostName=real.host.name
    
    Although it is OK to have the alias hostname defined, only the
    real hostname has to be defined, because WebSphere resolves the
    alias hostname to the real hostname when an HTTP request comes in.
    
    2. Turn on the canonical support flag.
    From administration console:
    (V6.1) Secure administration, applications, and infrastructure >
    Custom properties
    (V7.0) Global security > Custom properties
    
    Add/modify the following variable and set it to "true":
    com.ibm.websphere.security.krb.canonical_host = true
    
    3. Configure the browser:
    In the browser on the client machine, the alias hostname needs
    to be configured as a trusted host.
    Internet Explorer: Tools -> Internet options
    -> Security (tab) -> Local intranet -> Sites -> Advanced ->
    (add the alias hostname here)
    Firefox: about:config -> confirm ->
    network.negotiate-auth.trusted-uris -> add the alias hostname
    there (separate hostnames with ",")
    
    4. Make sure the real hostname is added to the keytab file.
    If com.ibm.websphere.security.krb.canonical_host is set to
    "true" (as instructed earlier), WebSphere expects the real
    hostname to be in the keytab file. Aliases are not necessary.
    On the other hand, if
    com.ibm.websphere.security.krb.canonical_host is set to "false"
    and aliases are defined, the aliases need to be present in the
    keytab file.
    
    Note: It is usually not required to add the alias hostname to
    the SPN account. However, some configurations might require this
    additional step (setspn /A HTTP/dns-alias userid).
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 6.1.0.27 and 7.0.0.5.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
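
An added example, not IBM's code or part of the original APAR text: a Python pre-check that steps 1, 2 and 4 above are consistent for one alias. The hostnames, realm, function names and the `dns` mapping are constructed for illustration; when `dns` is omitted the system resolver is used, and the principal list is assumed to come from your own keytab listing.

```python
import socket

def canonical_name(host, dns=None):
    """Resolve host to its canonical (real) DNS name. `dns` is an optional
    alias -> real-name dict so the check can run offline on sample data."""
    host = host.lower().rstrip(".")
    if dns is not None:
        return dns.get(host, host)
    try:
        info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
        return (info[0][3] or host).lower().rstrip(".")
    except socket.gaierror:
        return host

def keytab_hosts(principals):
    """Host parts of the HTTP/<host>@REALM principals listed from a keytab."""
    hosts = set()
    for name in principals:
        service, _, rest = name.partition("/")
        if service.upper() == "HTTP" and rest:
            hosts.add(rest.split("@", 1)[0].lower())
    return hosts

def check_alias(alias, spn_hostnames, canonical_host, principals, dns=None):
    """Return findings for one alias; an empty list means the settings
    from steps 1, 2 and 4 are consistent for requests sent to that alias."""
    alias = alias.lower().rstrip(".")
    real = canonical_name(alias, dns)
    configured = {h.lower() for h in spn_hostnames}
    in_keytab = keytab_hosts(principals)
    findings = []
    if real not in configured:  # step 1: SPNx.hostName must name the real host
        findings.append(f"step 1: no SPNx.hostName entry for {real}")
    if canonical_host:          # step 4: real hostname expected in the keytab
        if real not in in_keytab:
            findings.append(f"step 4: keytab lacks HTTP/{real}")
    else:                       # step 2 not applied: aliases must be in keytab
        findings.append("step 2: canonical_host is not true")
        if alias != real and alias not in in_keytab:
            findings.append(f"step 4: keytab lacks HTTP/{alias}")
    return findings

# Constructed sample data: hypothetical hostnames and realm.
DNS = {"portal.example.com": "was01.example.com"}
SPNS = ["was01.example.com"]
KEYTAB = ["HTTP/was01.example.com@EXAMPLE.COM"]
if __name__ == "__main__":
    for flag in (True, False):
        print(flag, check_alias("portal.example.com", SPNS, flag, KEYTAB, DNS))
```

The browser setting from step 3 is client-side and is not covered by this check.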
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK84184

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    60W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-04-06

  • Closed date

    2009-05-18

  • Last modified date

    2009-11-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP

  • R700 PSY

       UP



Document information


More support for:

WebSphere Application Server
General

Software version:

6.0

Reference #:

PK84184

Modified date:

2009-11-18
