PQ91754: Empty SSO domain name causes many security exceptions on server startup

 Fixes are available

5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for AIX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Windows
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for HP-UX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Solaris
5.1.1.6: WebSphere Application Server Version 5.1.1 Cumulative Fix 6
5.1.1.7: WebSphere Application Server Version 5.1.1 Cumulative Fix 7
5.1.1.4: WebSphere Application Server Version 5.1.1 Cumulative Fix 4
5.1.1.1: WebSphere Application Server Express 5.1.1 Cumulative Fix 1
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Linux
5.1.1.1: WebSphere Application Server Version 5.1.1 Cumulative Fix 1



APAR status
Closed as program error.

Error description
On a 5.1.1 system, when the SSO domain name is left blank, many
security errors are thrown during server startup, such as:

[7/12/04 14:51:40:353 BST] 5fcd9532 WebAttributes W SECJ0084W:
Error while initializing security web configuration.  The
exception is java.lang.NullPointerException

[7/12/04 14:51:40:381 BST] 5fcd9532 FormLoginServ E SECJ0119E:
Error getting the web app information for form login. The
exception is java.lang.RuntimeException

These happen before the open for e-business message.  After that
message, these errors are thrown:

[7/12/04 17:17:31:725 BST] 33269533 LdapRegistryI E SECJ0336E:
Authentication failed for user <username> because of the
following exception javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]

[7/12/04 17:17:31:819 BST] 33269533 LdapRegistryI E SECJ0336E:
Authentication failed for user <username> because of the
following exception
[7/12/04 17:17:31:901 BST] 33269533 LTPAServerObj E SECJ0369E:
Authentication failed when using LTPA. The exception is .
[7/12/04 17:17:32:015 BST] 33269533 JaasLoginHelp A SECJ0222E:
An unexpected exception occurred when trying to create a
LoginContext. The LoginModule alias is system.DEFAULT and the
exception is .
[7/12/04 17:17:32:101 BST] 33269533 RoleBasedAuth E SECJ0306E:
No received or invocation credential exist on the thread. The
Role based authorization check will not have an accessId of the
caller to check. The parameters are: access check method
getProcessType on resource Server and module Server. The stack
trace is java.lang.Exception: dump thread stack for debugging

[7/12/04 17:17:32:126 BST] 33269533 RoleBasedAuth A SECJ0305I:
Role based authorization check failed for security name <null>,
accessId no_cred_no_access_id while invoking method
getProcessType on resource Server and module Server.

[7/13/04 10:30:05:324 BST] 2b009533 WebContainer  W SRVE0017W:
Web Group not found: admin_host/FileTransfer
[7/13/04 10:30:05:347 BST] 2b009533 OSEListenerDi E PLGN0021E:
Servlet Request Processor Exception: Virtual Host/WebGroup Not
Found : The web group admin_host/FileTransfer has not been
defined


Problem was reported on a 5.1.1 Network Deployment system.

Local fix
This has been identified as a problem with having a blank domain
name in the SSO domain name configuration.  A blank domain name
is allowed, but it is throwing these errors on 5.1.1.

To work around the problem, enter a valid domain name or use the
text string UseDomainFromURL as the domain name.

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users who   *
*                 have enabled security and Single Sign On     *
*                 (SSO) but left the SSO Domain empty.         *
****************************************************************
* PROBLEM DESCRIPTION: On some systems, a SECJ0084W will       *
*                      occur repeatedly in the system.out      *
*                      log.                                    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
On some systems, a SECJ0084W will occur repeatedly in the
system.out log.  A stack trace similar to the following will
also be seen in the logs:

java.lang.NullPointerException
 at com.ibm.ws.security.web.WebAttributes.initializeConfig
   (WebAttributes.java:651)
 at com.ibm.ws.security.web.WebAttributes.<init>
   (WebAttributes.java:116)
 at ...

The error was caused by the absence of the ssoDomain attribute
in the security configuration file security.xml.  This absence
caused a null value to be returned when a non-null value was
expected.
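
The log signature described above can be checked mechanically. The following is an added example, not IBM's code: it parses SystemOut.log entries in the format quoted on this page, rejoins wrapped continuation lines, and flags the SECJ0084W plus java.lang.NullPointerException pair this APAR describes. The function names are hypothetical and the sample log is constructed from the entries quoted above.

```python
import re
from collections import Counter

# Entry header as quoted on this page:
# [timestamp] threadId component level messageId: text
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<component>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msgid>[A-Z]{4}\d{4}[A-Z]):\s*(?P<text>.*)$"
)

def parse_entries(log_text):
    """Join wrapped continuation lines onto the entry that started them."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            # Lines such as "[LDAP: error code 49 ...]" start with "[" but
            # carry no thread id, so they are treated as continuations.
            entries[-1]["text"] = (entries[-1]["text"] + " " + line.strip()).strip()
    return entries

def triage(log_text):
    """Return (message-id counts, entries matching the PQ91754 signature)."""
    entries = parse_entries(log_text)
    counts = Counter(e["msgid"] for e in entries)
    hits = [e for e in entries
            if e["msgid"] == "SECJ0084W"
            and "java.lang.NullPointerException" in e["text"]]
    return counts, hits

# Constructed sample, built from the log lines quoted in this APAR.
SAMPLE = """\
[7/12/04 14:51:40:353 BST] 5fcd9532 WebAttributes W SECJ0084W:
Error while initializing security web configuration.  The
exception is java.lang.NullPointerException

[7/12/04 14:51:40:381 BST] 5fcd9532 FormLoginServ E SECJ0119E:
Error getting the web app information for form login. The
exception is java.lang.RuntimeException

[7/12/04 17:17:31:725 BST] 33269533 LdapRegistryI E SECJ0336E:
Authentication failed for user <username> because of the
following exception javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]
"""

if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    print(dict(counts), [(h["ts"], h["component"]) for h in hits])
```
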
Problem conclusion
Configure an SSO domain.  If a blank value is what is
ultimately desired, configure a non-blank SSO domain, apply
then save the changes, then configure a blank domain and apply
then save the changes.  This will save the ssoDomain attribute
in security.xml.
Temporary fix

Comments

APAR information
APAR number: PQ91754
Reported component name: WAS NETWRK DEPL
Reported component ID: 5630A3601
Reported release: 10A
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-07-21
Closed date: 2004-08-09
Last modified date: 2004-08-09

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information

Applicable component levels
R00A PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Software version: 10A
Reference #: PQ91754
IBM Group: Software Group
Modified date: Aug 9, 2004