PQ61389: SSO (SINGLE SIGNON) FROM WEBSPHERE APPLICATION SERVER (WAS) TO DOMINO SERVER FAILS WHEN THE USER NAME CONTAINS DBCS

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed with unknown close code.

Error description
When user information (such as first name or last name)
contains DBCS Chinese characters, the user can log in to
WPS or WAS successfully, but on subsequent access to the
Domino web server, Domino challenges the user with a login
page showing the error message
"Your session with the server has expired or is invalid".
SSO from one WPS server to another WPS server, or from one
WAS server to another WAS server, works. When the user
information is entirely in English characters (SBCS), SSO
from WAS or WPS to Domino works, and so does SSO from Domino
to WAS/WPS. The problem only happens when the user
information has a Chinese field (the uid is in English, but
the first name or last name is in Chinese DBCS characters).
.
WAS Change Team (L3) supplied an efix and it fixed the problem.
.
The root cause of this defect is that WebSphere and Domino
calculate the digital signature differently if the user name
contains DBCS characters. While converting the user name to a
byte array to calculate the digital signature, WebSphere
treated every character as a single-byte character. With this
fix, WebSphere now uses UTF-8 to calculate the digital
signature.
Local fix
Request a copy of the efix from WAS C/T.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 customers who use double byte characters     *
*                 in user's security name.                     *
****************************************************************
* PROBLEM DESCRIPTION: SSO between WebSphere and non           *
*                      WebSphere products(such as Domino)      *
*                      fails if user security name contains    *
*                      double byte characters.                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
SSO between WebSphere and non-WebSphere products fails if the
security name contains double-byte characters. The root cause
was a difference in the algorithms used to create digital
signatures.
Problem conclusion
Change WebSphere security to follow the UTF-8 conversion rule
when calculating the digital signature: first convert the user
name to a byte array using UTF-8, then calculate the digital
signature from the byte array.
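The mismatch described in the root cause and the problem conclusion, as an added example that is not IBM's code. It assumes the pre-fix conversion kept one byte per character (low 8 bits) and that the verifying side recomputes over UTF-8; HMAC-SHA256, the key and the sample names are constructed stand-ins, not the product's signature algorithm or data.

```python
import hashlib
import hmac

# Constructed key standing in for the key material the SSO partners share.
SHARED_KEY = b"constructed-demo-key"

def single_byte_encode(name: str) -> bytes:
    """Assumed model of the pre-fix conversion: one byte per character."""
    return bytes(ord(ch) & 0xFF for ch in name)

def utf8_encode(name: str) -> bytes:
    """Post-fix conversion: the user name as UTF-8 bytes."""
    return name.encode("utf-8")

def sign(name_bytes: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the product's signature algorithm.
    return hmac.new(SHARED_KEY, name_bytes, hashlib.sha256).digest()

def sso_accepts(name: str, issuer_encode) -> bool:
    """Issuer signs with issuer_encode; the verifier recomputes over UTF-8."""
    issued = sign(issuer_encode(name))
    expected = sign(utf8_encode(name))
    return hmac.compare_digest(issued, expected)

def affected_names(names):
    """Names whose two byte forms differ, so the signatures cannot match."""
    return [n for n in names if single_byte_encode(n) != utf8_encode(n)]

# Constructed sample names: one SBCS, one DBCS (U+738B U+5C0F U+660E).
SBCS_NAME = "jsmith"
DBCS_NAME = "\u738b\u5c0f\u660e"

if __name__ == "__main__":
    for name in (SBCS_NAME, DBCS_NAME):
        print(ascii(name),
              "pre-fix:", sso_accepts(name, single_byte_encode),
              "post-fix:", sso_accepts(name, utf8_encode))
    print("affected:", [ascii(n) for n in affected_names([SBCS_NAME, DBCS_NAME])])
```

For ASCII-only names both conversions yield the same bytes, which is why SBCS users were unaffected.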
Temporary fix
Provide test eFix.
Comments
APAR information
APAR number: PQ61389
Reported component name: WEBSPHERE AE AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED
PE: NoPE
HIPER: NoHIPER
Submitted date: 2003-03-03
Closed date: 2003-03-03
Last modified date: 2003-03-17

APAR is sysrouted FROM one or more of the following:
PQ66136

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name: WEBSPHERE AE AI
Fixed component ID: 5648C8400

Applicable component levels
R400 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ61389
IBM Group: Software Group
Modified date: 2003-03-17