A fix is available
APAR status
Closed as program error.
Error description
A non-z/OS WebSphere client attempting to make an RMI-IIOP call to a remote WebSphere z/OS server surfaces a JSAS1477W message when non-z/OS WebSphere client has CSIv2 basic authentication outbound set to required, and remote z/OS WebSphere server has CSIv2 basic authentication inbound set to required. Identity assertion is enabled on both client and remote server. Below is an example of a CSIv2 configuration that surfaces this error. Client non-z/OS WebSphere setup is: ----- Secure administration, applications, and infrastructure > CSIv2 outbound authentication Basic authentication = Required Client certificate authentication = Never Identity assertion = Checked Specify an alternative trusted identity User = USERID Stateful sessions = checked Custom outbound mapping = unchecked Security attribute propagation = checked ---- Remote z/OS WebSphere setup is: ----- Secure administration, applications, and infrastructure > CSIv2 inbound authentication Basic authentication = Required Client certificate authentication = Never Identity assertion = Checked Trusted identities User = USERID Stateful sessions = checked Security attribute propagation = checked ----- The client fails resulting in following message to non-z/OS WebSphere client SystemOut.log JSAS1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in GUI) does not support the server security configuration for the following reasons: ERROR 1: JSAS0612E: The client requires client authentication (e.g., userid/password or token), but the server does not support it. ERROR 2: JSAS0614E: The authentication mechanism OID supplied by the server is an unsupported OID for this WebSphere release.
Local fix
If security requirements of client server allow for basic authentication outbound supported, change required to supported. In the administrative console: ----- Secure administration, applications, and infrastructure > CSIv2 outbound authentication Basic authentication = Supported -----
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server V7.0 * * * **************************************************************** * PROBLEM DESCRIPTION: For WebSphere Application Server for * * z/OS, a client process attempting to * * locate a resource in a WebSphere * * Application Server for z/OS process * * is not able to obtain such resource * * when CSIv2 client authentication is * * required by the client. * * * **************************************************************** * RECOMMENDATION: * **************************************************************** For WebSphere Application Server for z/OS, the location daemon does not support client authentication. A client that requires client authentication fails to send the CSIv2 message and the resource is not located. The client fails with an error message as follows, JSAS1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in GUI)does not support the server security configuration for the following reasons: ERROR 1: JSAS0612E: The client requires client authentication (e.g., userid/password or token), but the server does not support it. ERROR 2: JSAS0614E: The authentication mechanism OID supplied by the server is an unsupported OID for this WebSphere release.
Problem conclusion
The security code was modified to allow the client to send the CSIv2 request to the location daemon when client authentication is required by the client. APAR PM23577 is currently targeted for inclusion in Service Level (Fix Pack) 7.0.0.13 of WebSphere Application Server V7.0. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM23577
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-09-30
Closed date
2010-10-06
Last modified date
2010-11-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
BBGUBINF BBOUBINF
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R700 PSY UK61146
UP10/10/21 P F010
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
10 February 2022