APAR status
Closed as program error.
Error description
SSO does not work between WebSphere (3.5x or 4.0x) and WebSphere
5.0.2 when the LTPA key was generated with no default LDAP port.
In 3.5x and 4.0x, when no default port is defined, the realm as
defined in the LTPA key is simply the LDAP host name
(e.g. com.ibm.websphere.ltpa.Realm=trial75.austin.ibm.com).
In 5.0.2, when no default port is defined, the realm is the
LDAP host name with port 389 appended
(e.g. com.ibm.websphere.ltpa.Realm=trial75.austin.ibm.com:389).
LOCAL FIX:
One way to work around this is to generate the LTPA keys with a
specific port number defined. This LTPA key can be exported from
one WebSphere system and imported into the other.
Problems may arise for users and groups on 3.5x systems where
the users were assigned to roles while the LTPA key was defined with
no port. Once a port has been defined on the 3.5.x system and a new
key generated, the users and groups may have to be re-assigned
to roles because the accessIDs will have changed.
It may be possible to install 3.5x or 4.0x LTPA keys into
WebSphere 5.0.2 and then manually remove the ":389" port setting
from security.xml. This may avoid the need to re-assign users
and groups to roles. (currently untested)
Local fix
Regenerate LTPA keys with ldap server port specifically defined.
Problem summary
USERS AFFECTED: WebSphere Application Server users who have
enabled security and configured LDAP as the user registry.
PROBLEM DESCRIPTION: If a port for the LDAP server is not
specified, the security realm is not compatible with previous
versions of WebSphere.
RECOMMENDATION:
If a port for the LDAP server is not specified, the security
realm is not compatible with previous versions of WebSphere.
Previously, the realm would be the host name of the LDAP
server. Now, if a port is not specified, a ":0" is appended to
the host name. This realm does not match the previous realm,
causing SSO to fail with previous releases.
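The failure described above comes down to a byte-for-byte comparison of the realm string carried in each side's LTPA key. The following Python script is an added example, not part of the APAR or of any IBM tooling: it reads the realm property from two exported LTPA key files (the sample exports below are constructed; the 3DESKey value is a placeholder) and reports whether the mismatch is only a port suffix on the same LDAP host, which is the situation this APAR and its workaround cover.

```python
# Constructed sample LTPA key exports (not from the APAR); only the
# realm property matters here, real exports carry more properties.
WAS_4_EXPORT = """\
com.ibm.websphere.ltpa.Realm=trial75.austin.ibm.com
com.ibm.websphere.ltpa.3DESKey=<placeholder>
"""
WAS_502_EXPORT = """\
com.ibm.websphere.ltpa.Realm=trial75.austin.ibm.com:389
com.ibm.websphere.ltpa.3DESKey=<placeholder>
"""

REALM_KEY = "com.ibm.websphere.ltpa.Realm"


def read_realm(export_text):
    """Return the realm value from an exported LTPA properties file, or None."""
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == REALM_KEY:
            return value.strip()
    return None


def split_realm(realm):
    """Split 'host[:port]' into (host, port or None)."""
    host, sep, port = realm.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return realm, None


def check_sso_realms(export_a, export_b):
    """SSO between two cells only works when the realm strings are identical.
    Returns (compatible, diagnosis)."""
    ra, rb = read_realm(export_a), read_realm(export_b)
    if ra is None or rb is None:
        return False, "realm property missing from an export"
    if ra == rb:
        return True, "realms match"
    (ha, pa), (hb, pb) = split_realm(ra), split_realm(rb)
    if ha == hb:
        # Same LDAP host, different port suffix: the case this APAR covers.
        return False, ("same LDAP host but port suffix differs (%r vs %r): "
                       "regenerate keys with an explicit LDAP port on both "
                       "sides and exchange the export" % (ra, rb))
    return False, "different LDAP hosts (%r vs %r)" % (ra, rb)
```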
Problem conclusion
If a port is not specified, the realm is now the LDAP host.
Temporary fix
test fix provided
Comments
APAR information
APAR number: PQ86930
Reported component name: WAS NETWRK DEPL
Reported component ID: 5630A3601
Reported release: 00S
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-03-31
Closed date: 2004-04-26
Last modified date: 2004-04-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY: UP
R00A PSY: UP
R00H PSY: UP
R00I PSY: UP
R00P PSY: UP
R00S PSY: UP
R00W PSY: UP
R103 PSY: UP
R10A PSY: UP
R10H PSY: UP
R10I PSY: UP
R10P PSY: UP
R10S PSY: UP
R10W PSY: UP