IBM Support

PH21008: OIDC RP: THE TAI IS COMPLETELY DISABLED IF ANY PROVIDER CONFIG FAILS TO INITIALIZE


APAR status

  • Closed as program error.

Error description

  • When the OpenID Connect (OIDC) Relying Party (RP) Trust
    Association Interceptor (TAI) initializes, if any provider
    configuration fails to load correctly, the TAI will not be
    enabled.  If the TAI is configured for multiple providers, and
    at least one provider successfully passes config validation,
    the TAI should be enabled.
    
    The provider configuration entries in the OIDC TAI config
    are notated like provider.<id>.*.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI will not initialize        *
    *                      successfully if any provider config     *
    *                      fails to load.                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When the OIDC TAI performs initialization, if any provider
    config fails to load correctly, the TAI will report to the
    TrustAssociationManager that it has failed initialization.  This
    will result in the TAI being disabled.  No requests to the
    application server will be sent to the OIDC TAI by the
    TrustAssociationManager.
    

Problem conclusion

  • The TAI is updated so that it will only report to the
    TrustAssociationManager that it has failed initialization if
    there is a configuration error in the global configuration or if
    there are no provider configs that have initialized successfully.
    
    If there is at least one provider config that has initialized
    successfully and the global configuration is good, the OIDC TAI
    will report to the TrustAssociationManager that it has loaded
    successfully.
    
    When the TrustAssociationManager sends requests to the OIDC TAI,
    the TAI will only intercept requests for the provider configs
    that loaded successfully.  All the 'bad' configs will be
    completely ignored.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.18 and 9.0.5.3.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
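
The start-up decision described above, modelled before and after the fix. This is an added example, not IBM's code: the REQUIRED key list, the function names and the sample values are assumptions made for illustration, and only the provider.<id>.* notation comes from this APAR.

```python
import re

# Keys follow the page's provider.<id>.* notation.
PROVIDER_KEY = re.compile(r"^provider\.([^.]+)\.(.+)$")
# Assumption: keys this model treats as mandatory; the APAR does not list
# the real validation rules.
REQUIRED = ("identifier", "clientId", "tokenEndpointUrl")

def group_providers(props):
    """Group provider.<id>.* properties into {id: {suffix: value}}."""
    providers = {}
    for key, value in props.items():
        match = PROVIDER_KEY.match(key)
        if match:
            providers.setdefault(match.group(1), {})[match.group(2)] = value
    return providers

def initialize(props, global_ok=True, fixed=True):
    """Model TAI start-up. Returns (enabled, active_ids, rejected).

    fixed=False models the behaviour before this APAR, fixed=True after it.
    rejected maps provider id -> list of missing keys.
    """
    providers = group_providers(props)
    rejected = {}
    for pid, cfg in providers.items():
        missing = [k for k in REQUIRED if not cfg.get(k, "").strip()]
        if missing:
            rejected[pid] = missing
    active = sorted(pid for pid in providers if pid not in rejected)
    if not global_ok or not active:
        return False, [], rejected      # fails in both versions
    if rejected and not fixed:
        return False, [], rejected      # pre-fix: one bad provider disables all
    return True, active, rejected       # post-fix: bad providers are ignored

# Constructed sample: provider 2 has an empty clientId.
SAMPLE = {
    "provider.1.identifier": "idp-a",
    "provider.1.clientId": "rp-a",
    "provider.1.tokenEndpointUrl": "https://idp-a.example/token",
    "provider.2.identifier": "idp-b",
    "provider.2.clientId": "",
    "provider.2.tokenEndpointUrl": "https://idp-b.example/token",
}

if __name__ == "__main__":
    for label, fixed in (("before fix", False), ("after fix", True)):
        print(label, initialize(SAMPLE, fixed=fixed))
```

With the fix applied, the rejected map is the list to review after start-up: those providers are ignored, so the TAI does not intercept requests for them.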
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH21008

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-01-15

  • Closed date

    2020-01-21

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
07 December 2021