APAR status
Closed as program error.
Error description
Identity name extracted from fred@ibm@customRealm is incorrect.
According to CSIv2 specs, in case of @ within the name_value
the GSS name should contain a '\' before @, so the expected
name propagated to the downstream server would be
fred\@ibm@customRealm. It seems that WSAS 5.1.1.1 doesn't
comply with CSIv2 specifications.
-
The export target name is seen in the trace as:
■GSSFactory.decodeExportedTargetName, ■ServerID: server1
Found exported target name: fred@ibm@customRealm
The APAR is related to PQ97493.
Local fix
Keywords: Identityassertion specification ampersand slash
security websphere
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have *
* enabled security. *
****************************************************************
* PROBLEM DESCRIPTION: '@' characters in a user name are not *
* properly escaped for Identity Assertion *
* via CSIv2. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
According to the CSIv2 specification, when an '@' appears within
the name_value of the GSS name, a '\' must precede the '@' prior
to propagating to the downstream server. WebSphere does not
comply with this CSIv2 specification.
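The effect of the missing escape, shown as an added example that is not IBM's code. The helper names are hypothetical, escaping '\' itself as well as '@' is an assumption, and the receiving side is assumed to split the name at the first unescaped '@'.

```python
# Added example, not WebSphere code. Helper names are hypothetical.
ESC, DELIM = "\\", "@"


def escape_component(text):
    """Prefix every '@' with '\\'. Escaping '\\' itself is an assumption
    made here so that the escaping can be reversed unambiguously."""
    return "".join(ESC + ch if ch in (ESC, DELIM) else ch for ch in text)


def build_scoped_name(name_value, name_scope):
    """Build name_value@name_scope with the name_value escaped."""
    return escape_component(name_value) + DELIM + name_scope


def split_scoped_name(gss_name):
    """Split at the first unescaped '@' (assumed receiver behaviour).

    Returns (name_value, name_scope); name_scope is None if no
    unescaped '@' is present.
    """
    name, i = [], 0
    while i < len(gss_name):
        ch = gss_name[i]
        if ch == ESC and i + 1 < len(gss_name):
            name.append(gss_name[i + 1])  # escaped char is taken literally
            i += 2
        elif ch == DELIM:
            return "".join(name), gss_name[i + 1:]
        else:
            name.append(ch)
            i += 1
    return "".join(name), None


if __name__ == "__main__":
    # Values from the APAR: user "fred@ibm" in realm "customRealm".
    fixed = build_scoped_name("fred@ibm", "customRealm")
    print(fixed, "->", split_scoped_name(fixed))
    # The unescaped form seen in the trace yields a different identity.
    broken = "fred@ibm@customRealm"
    print(broken, "->", split_scoped_name(broken))
```

With the unescaped form, a receiver that honours the escape rule reads the user as `fred` in scope `ibm@customRealm`, so the asserted identity is not the one the upstream server authenticated.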
Problem conclusion
Proper escaping (inserting a preceding '\') of the '@' in the
security name has been added.
The fix for this APAR is currently targeted for inclusion in
fixpack 5.0.2.10 and 5.1.1.4. Please refer to the Recommended
Updates page for delivery dates:
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
Temporary fix
Provided test fix.
Comments
APAR information
APAR number | PQ98000
Reported component name | WAS BASE 5.0
Reported component ID | 5630A3600
Reported release | 00W
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Special Attention | NoSpecatt
Submitted date | 2004-12-06
Closed date | 2005-01-28
Last modified date | 2005-01-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY | UP
R00A PSY | UP
R00H PSY | UP
R00I PSY | UP
R00P PSY | UP
R00S PSY | UP
R00W PSY | UP
R103 PSY | UP
R10A PSY | UP
R10H PSY | UP
R10I PSY | UP
R10P PSY | UP
R10S PSY | UP
R10W PSY | UP