PQ85539: CUSTOM TRUST ASSOCIATION INTERCEPTOR CLASSNAME FOR LTPA IS UPDATED INCORRECTLY UNDER ICSF.

 A fix is available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
During the configuration of the custom trust association
interceptor, incase the customer is not using the default
interceptor which is
com.ibm.ws.security.web.WebSealTrustAssociationInterceptor
and is adding a new interceptor with a new interceptor classname
under the security authentication mechanism of LTPA, the new
interceptor is not picked up and the default one is used.
.
This happens because the security.xml file does not contain a
unique tag for trustAssociation, it is:
<trustAssociation xmi:id="TrustAssociation_1"
for both LTPA and ICSF.
.
This tag needs to be changed to have a unique tag.
Local fix
Manually edit the security.xml file to change the
xmi:id on the trustAssociation tag to something unique
(different from TrustAssociation_1) like:
<trustAssociation xmi:id="TrustAssociation_2"
.
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: Custom trust association interceptor    *
*                      classname for LTPA is updated           *
*                      incorrectly under ICSF causing the      *
*                      default WebSeal interceptor to be       *
*                      used for LTPA.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When customers try to configure their own trust association
interceptor while using Global Security, with the authentication
mechanism of LTPA (using the following path via administrative
console)
Security ->
Authentiacation Mechanisms ->
LTPA ->
Trust Association ->
Interceptors ->
New ->

This fails regardless of what is put into the Interceptor
Classname field in the administrative console. The
administrative console accepts the new interceptor classname,
however the security.xml file still reflects the default trust
association interceptor class under the LTPA clause. This
default class is:
com.ibm.ws.security.web.WebSealTrustAssociationInterceptor
This happens because the trustAssociation tags have identical
xmi:id values (TrustAssociation_1) for LTPA and ICSF:
<trustAssociation xmi:id="TrustAssociation_1".
The two xmi:id values should be unique.
The following tracepoint is seen in the servant with
com.ibm.ws.security.*=all=enabled tracing turned on

Trace: 2004/02/25 15:46:03.247 01 t=9E6B60 c=UNK key=P8
(13007002)
FunctionName: com.ibm.ws.security.web.TAIWrapper
SourceId: com.ibm.ws.security.web.TAIWrapper
Category: DEBUG
ExtendedMessage: Trust association class name:
com.ibm.ws.security.web.WebSealTrustAssociationInterceptor

The tags need to be unique.
Problem conclusion
Dialog skeleton files for security.xml will be updated so that
the xmi:id tags are unique.

APAR PQ85539 is associated with SERVICE LEVEL W502006 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix Comments
APAR information
APAR number PQ85539
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-03-04
Closed date 2004-04-08
Last modified date 2006-02-28

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ87201    UP04/04/19 P F404

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PQ85539.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ85539
IBM Group: Software Group
Modified date: Feb 28, 2006