PH31682: OIDC RP MAY NOT LOAD CONFIG FROM A NON-DEFAULT SECURITY DOMAIN

A fix is available

PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters

APAR status

Closed as program error.

Error description

The OpenID Connect TAI may not load the correct configuration
when running on an application server that uses a Security
Domain that is not the default.  The TAI configuration from
the default Security Domain may be used instead.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OpenId Connect and MSD                      *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC TAI always loads the TAI       *
*                      configuration from the default Security *
*                      Domain.                                 *
****************************************************************
* RECOMMENDATION:  Install a interim fix or fix pack that      *
*                  contains                                    *
*                  this APAR.                                  *
****************************************************************
When the OpenID Connect (OIDC) Trust Association Interceptor
(TAI)
is running on a server that is using a Security Domain that is
not
the default Security Domain, the OIDC TAI may use the TAI
configuration for the default Security Domain instead of the
configured Security Domain.

Problem conclusion

When an application server starts, the trust association
interceptors for the default Security Domain initialize.
When
the
first request is received, if the server is in a different
Security Domain, the TAIs will be initialized again using
the
settings from that Security Domain.

When core security attempts to re-initialize the OIDC TAI
using
the new properties from the second Security Domain, they may
not
override all the properties from those set from the default
Security Domain.

The OIDC TAI is updated so that it will fully re-initialize
when
its initialize method is called the second time.

The fix for this APAR is targeted for inclusion in fix pack
8.5.5.20 and 9.0.5.7. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Temporary fix

Comments

APAR Information

APAR number
PH31682
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-11-13
Closed date
2020-12-07
Last modified date
2020-12-07

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R850 PSY
UP
R900 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
06 December 2021

Tips

PH31682: OIDC RP MAY NOT LOAD CONFIG FROM A NON-DEFAULT SECURITY DOMAIN

A fix is available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R850 PSY

R900 PSY

Document Information

Share your feedback

Need support?