PQ61020: WAS 3.5.6 TRUST ASSOCIATION DOESN'T ALLOW OTHER TYPES OF AUTHENTICATION TO WORK

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed as program error.

Error description
Environment:
WebSphere Application Server 3.5.6
.
Description:Environment:WebSphere Application Server 3.5.6.
Customer was using WAS 3.5.3, and when trust association is enabled, they are still able to authentication via other methods (basic, certificate, etc.). After upgrading to WAS 3.5.6, enabling trust association caused any authentication to be treated as if it is coming from WebSeal. As a result, authentication done via basic, certificate, etc. fail because they don't contain the header information that the trust association interceptor expects.
Description:Customer was using WAS 3.5.3, and when trust association isenabled, they are still able to authentication via other methods(basic, certificate, etc.). After upgrading to WAS 3.5.6,enabling trust association caused any authentication to betreated as if it is coming from WebSeal. As a result,authentication done via basic, certificate, etc. fail becausethey don't contain the header information that the trustassociation interceptor expects.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who       *
*                 enable Trust Association with WebSeal.       *
****************************************************************
* PROBLEM DESCRIPTION: After Trust Association is enabled with *
*                      WebSeal, authentication fails if the    *
*                      request is not via WebSeal.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
After Trust Association is enabled with WebSeal,
authentication fails if the request is not from WebSeal.
If the request header contains a 'via' tag (even if
this tag has no value), authentication functioned as expected.
However, if the 'via' tag was missing, then authentication
fails.
Problem conclusion
The WebSeal Trust Association interceptor now checks if the
'via' tag value is not present and treats this condition the
same as if the 'via' tag was not present in the request
header.
Temporary fix
send a testing eFix to customer
Comments
APAR information
APAR numberPQ61020
Reported component nameWAS ADVANCED SU
Reported component ID5648C8402
Reported release350
StatusCLOSED PER
PENoPE
HIPERNoHIPER
Submitted date2002-05-10
Closed date2002-05-22
Last modified date2002-05-29

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:APAR is sysrouted FROM one or more of the following:

PQ61724PQ61737PQ61738

Modules/Macros
SECURITY
APAR is sysrouted TO one or more of the following:PQ61724PQ61737PQ61738Modules/Macros

Fix information
Fixed component nameWAS ADVANCED SU
Fixed component ID5648C8402

Applicable component levels
R350 PSYUP











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ61020
IBM Group: Software Group
Modified date: 2002-05-29