IBM Support

PH20055: Provide an option to add KRBAuthnToken to Subject.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • The API buildSpnegoAuthorizationFromCallerSubject() in
    SpnegoTokenHelper fails intermittently due to the lack of
    KRBAuthnToken in the Subject.
    
    -- Sample error stack ----
    Caused by: org.ietf.jgss.GSSException, major code: 13, minor
    code: 0
    major string: Invalid credentials
    minor string: None
    at
    com.ibm.wsspi.security.token.SpnegoTokenHelper.buildSpnegoAuthor
    ization(SpnegoTokenHelper.java:556)
    at
    com.ibm.wsspi.security.token.SpnegoTokenHelper.access$400(Spnego
    TokenHelper.java:60)
    at
    com.ibm.wsspi.security.token.SpnegoTokenHelper$3.run(SpnegoToken
    Helper.java:302)
    at
    java.security.AccessController.doPrivileged(AccessController.jav
    a:703)
    at
    com.ibm.wsspi.security.token.SpnegoTokenHelper.buildSpnegoAuthor
    izationFromSubject(SpnegoTokenHelper.java:289)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server who propagates KRBAuthnToken         *
    *                  outbound.                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: SpnegoTokenHeper APIs fails             *
    *                      intermittently due to the lack of       *
    *                      KRBAuthnToken in the subject.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When an initial Spnego Single Sign-On happens, WebSphere
    authenticates incoming SPNEGO token and creates a Subject for
    the user.  This Subject contains KRBAuthnToken.
    After the authentication, WebSphere creates LtpaToken, then
    save the Subject in its internal Subject cache using the
    LtpaToken as a key,
    WebSphere sends back the LtpaToken back in the
    http response. This LtpaToken is subsequently used for
    authentication between browser and the WebSphere server.
    When the cached Subject is timed out, WebSphere needs to
    reconstruct the Subject using the incoming LtpaToken only.
    Since LtpaToken does not have Kerberos information,
    reconstructed Subject does not contain KRBAuthnToken.
    This is working as designed.  The user is required to
    re-authenticate using SPNEGO token. Most of the time a
    new SPNEGO token comes in before the Subject goes away.
    Depending on cache and token timeout combination, there could
    be a small time window that LtpaToken comes in early and Spnego
    token reauthentication happens a little later.
    During this small window, SpnegoTokenHelper
    would fail as the Subject is reconstructed by LtpaToken and
    lacks KRBAuthnToken.
    

Problem conclusion

  • An option is introduced to look for KRBAuthnToken from a
    private cache that contains the KRBAuthnToken.
    
    By default, this cache only looked up when kerberos
    authentication is configured.  However, following custom
    property will make WebSphere look for KRBAuthnToken in the
    cache even when Kerberos authentication is not enabled.
    
    custom property:
    com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit
    value: true (default is false)
    
    Notes:
    1. The outcome of this custom property will be different
    depending on the ltpaToken timeout and kerberos ticket
    timeout.
    2. As this option changes the content of Subject, it is
    possible that loginModules or TrustAssociation that use
    Kerberos token can behave differently. Before turning on
    the property, make sure other components are not affected.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.17 and 9.0.5.3
    .  For more information, see 'Recommended Updates for
    WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?
    rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH20055

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-08

  • Closed date

    2020-01-07

  • Last modified date

    2020-01-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PH20055

Modified date: 07 January 2020