PK15731: PROBLEM USING NLV CHARACTERS W/ IDS AND PASSWORDS AND USING BASIC AUTHENTICATION

 A fix is available

PK15731; 5.1.1.7: Problem using NLV characters with IDs and passwords



APAR status
Closed as program error.

Error description
The basic authentication used by the web browser fails when NLV
characters are used for the user id and/or password.

The problem is also seen when special characters are used
in the password. Failing characters are:
   ~!@#$%^&*()-_+={}[]\|;:/?.,<>"'`

The following error may be seen in the systemout.log.
 SECJ0336E: Authentication failed for user
 cn=user0099,ou=user,dc=abc because of the following exception
  javax.naming.AuthenticationException: [LDAP: error code 49 -
  Invalid Credentials]
Local fix
Don't use NLV characters for user id and passwords.
Search Keyword: LDAP LTPA security logon login
* # !
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users using HTTP basic authentication        *
****************************************************************
* PROBLEM DESCRIPTION: HTTP basic authentication may fail if   *
*                      authentication data contains national   *
*                      language special characters             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When using HTTP basic authentication, the user agent sends
Base64-encoded authentication data to the server, and the
server has to decode that data before authenticating the user.
The server used to decode the authentication data as UTF-8,
which causes a problem if the user agent used a different
encoding to encode the data. The HTTP specification does not
seem to document clearly how a user agent communicates the
header encoding to the server, and there is currently no
mechanism to reveal the encoding used in the request header.
Problem conclusion
With this fix, WebSphere Application Server security uses the
platform default encoding to decode the Base64-encoded data
from the user agent. The administrator should make sure that
the encoding used by the user agent matches the platform
default encoding.
The fix for this APAR is currently targeted for inclusion in
fix packs 5.0.2.14, 5.1.1.8 and 6.0.2.4. Please refer to the
Recommended Updates page for delivery dates:

http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
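
The mismatch described in the problem summary and conclusion, as an added Python example (not IBM's code): a user agent encodes `user:password` in one charset and the server decodes it with another, so the password passed on for verification differs from the stored one. The password value and the helper names are constructed for illustration, and `errors="replace"` is an assumption standing in for a lenient server-side decoder.

```python
import base64


def basic_header(user: str, password: str, agent_charset: str) -> str:
    """Build the Authorization header as a user agent using agent_charset would."""
    raw = f"{user}:{password}".encode(agent_charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str, server_charset: str) -> tuple[str, str]:
    """Decode the header as a server that assumes server_charset."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True)
    # Assumption: invalid byte sequences become U+FFFD instead of raising.
    text = raw.decode(server_charset, errors="replace")
    # Split on the first ':' only, because the password may contain ':'.
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def survives(user: str, password: str, agent_charset: str, server_charset: str) -> bool:
    """True if the server recovers exactly the credentials the user typed."""
    header = basic_header(user, password, agent_charset)
    return decode_basic(header, server_charset) == (user, password)


if __name__ == "__main__":
    user = "user0099"            # short name taken from the log line on this page
    password = "pässwörd:1"      # constructed sample with non-ASCII characters
    for agent, server in [("iso-8859-1", "utf-8"),
                          ("utf-8", "iso-8859-1"),
                          ("iso-8859-1", "iso-8859-1"),
                          ("utf-8", "utf-8")]:
        got = decode_basic(basic_header(user, password, agent), server)
        status = "match" if got == (user, password) else "MISMATCH"
        print(f"agent={agent:<10} server={server:<10} {status}: {got[1]!r}")
```

A mismatched pair leaves the Base64 layer intact and only alters the decoded password, which is why the failure surfaces downstream as an invalid-credentials error rather than as a malformed header.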
Temporary fix
Test fix provided
Comments
APAR information
APAR number PK15731
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 10A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-11-23
Closed date 2005-11-23
Last modified date 2005-11-23

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10W PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 10A
Software edition:
Reference #: PK15731
IBM Group: Software Group
Modified date: Nov 23, 2005