PQ94199: WITH TAI ENABLED, APPLICATION FAILS WITH ILLEGALSTATEEXCEPTION
APAR status
Closed as program error.

Error description
An application with a Trust Association Interceptor enabled fails with the following:

BBOO0220E J2CA0079E: Method ThreadIdentitySecurityHelper.finalizeSubject() has detected an internal illegal state and is throwing an IllegalStateException. The exception is: java.lang.IllegalStateException: Unable to build valid j2cSubject
    at com.ibm.ws.security.auth.j2c.WSLocalzOSExtensionImpl.getLocalOSInvocationSubject(WSLocalzOSExtensionImpl.java:173)
    at com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.finalizeSubject(ThreadIdentitySecurityHelper.java:381)
    at com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionManager.java:454)
    at com.ibm.connector2.cics.CICSConnectionFactory.getConnection(CICSConnectionFactory.java:218)

Other symptoms:

Trace: 2004/08/10 05:50:23.628 01 t=9C9370 c=7.1 key=P8 (13007002)
    FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
    SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: ENTRY
    ExtendedMessage: getOSCred
Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8 (13007002)
    FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
    SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: DEBUG
    ExtendedMessage: Not an instance of SAFRegistryImpl .. throw exception
Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8 (13007002)
    FunctionName: com.ibm.ws.security.web.WebAuthenticator
    SourceId: com.ibm.ws.security.web.WebAuthenticator
    Category: DEBUG
    ExtendedMessage: Credential Mapping for TrustAssociation failed.
Trace: 2004/08/10 05:50:23.633 01 t=9C9370 c=7.1 key=P8 (13007002)
    FunctionName: com.ibm.ws.security.web.WebAuthenticator
    SourceId: com.ibm.ws.security.web.WebAuthenticator
    Category: DEBUG
    ExtendedMessage: Error in mapping credential for Trust Association:xxx

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V5.0 for z/OS
PROBLEM DESCRIPTION: There is a failure when using a TAI (Trust Association Interceptor) for authenticating users in conjunction with an LDAP or custom registry.
RECOMMENDATION:

Authentication using the TAI (Trust Association Interceptor) class does not work for LDAP or custom registry:

ExtendedMessage: SECJ0336E: Authentication failed for user cn=xxxxx,o=yyyyy,c=zzzz because of the following exception javax.naming.AuthenticationException: LDAP: error code 49 - R004062 Credentials are not valid. (tdbm_bind.c 1.42 366)
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2750)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2696)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2497)

Description: Log Boss/390 Error
from filename: ./bborjtr.cpp
at line: 820
error message: BBOO0220E SECJ0369E: Authentication failed when using LTPA. The exception is LDAP: error code 49 - R004062 Credentials are not valid. (tdbm_bind.c 1.42 366) .
com.ibm.ws.security.ltpa.LTPAServerObject
com.ibm.ws.security.ltpa.LTPAServerObject

Problem introduced by PQ88559 in PTF W502005.

When traces of the WebSphere security component are enabled, you can find the following diagnostics:

Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8
    FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
    SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: DEBUG
    ExtendedMessage: Not an instance of SAFRegistryImpl .. throw exception
Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8
    FunctionName: com.ibm.ws.security.web.WebAuthenticator
    SourceId: com.ibm.ws.security.web.WebAuthenticator
    Category: DEBUG
    ExtendedMessage: Credential Mapping for TrustAssociation failed.
Trace: 2004/08/10 05:50:23.633 01 t=9C9370 c=7.1 key=P8
    FunctionName: com.ibm.ws.security.web.WebAuthenticator
    SourceId: com.ibm.ws.security.web.WebAuthenticator
    Category: DEBUG
    ExtendedMessage: Error in mapping credential for Trust Association:xxxxxx =xxxxxxxxx, STIG S PS-5655I3500

Problem conclusion
There is no reason to obtain a local SAF credential when an LDAP or custom registry is being used. The code to obtain a local OS credential is no longer called if the configured registry is not SAF.

APAR PQ94199 is associated with SERVICE LEVEL W502018 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following: PQ93370
APAR is sysrouted TO one or more of the following:

Modules/Macros
Publications Referenced
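The trace diagnostics listed in this APAR can be matched mechanically when triaging a WebSphere security trace. The following Python is an added example, not IBM code: the function names and the same-thread correlation on the t= field are assumptions of the example, and the last sample record is constructed.

```python
import re

# One trace record. Fields are found by label, so the pattern works on
# wrapped or flattened trace text.
RECORD = re.compile(
    r"Trace:\s+(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+)\s+\d+\s+t=(?P<thread>\w+)"
    r".*?SourceId:\s+(?P<source>\S+)\s+Category:\s+(?P<category>\S+)"
    r"\s+ExtendedMessage:\s+(?P<msg>.*?)(?=\s*Trace:|\Z)",
    re.S)
REGISTRY_MSG = "Not an instance of SAFRegistryImpl"
TAI_MSG = "Credential Mapping for TrustAssociation failed"

def parse_trace(text):
    """Split trace text into dicts with ts, thread, source, category, msg."""
    return [{**m.groupdict(), "msg": " ".join(m["msg"].split())}
            for m in RECORD.finditer(text)]

def find_signature(records):
    """Return (thread, registry_ts, tai_ts) where the SAF-only lookup rejects
    the registry and TAI credential mapping then fails on the same thread."""
    pending, hits = {}, []
    for r in records:
        if r["source"].endswith("UserRegistryImpl") and REGISTRY_MSG in r["msg"]:
            pending[r["thread"]] = r["ts"]
        elif (r["source"].endswith("WebAuthenticator") and TAI_MSG in r["msg"]
              and r["thread"] in pending):
            hits.append((r["thread"], pending.pop(r["thread"]), r["ts"]))
    return hits

# The first two records are trace lines from this APAR; the last one (thread
# 9C9999) is constructed to show that an unrelated TAI failure is not flagged.
SAMPLE = """
Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8 (13007002)
 FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
 SourceId: com.ibm.ws.security.registry.UserRegistryImpl
 Category: DEBUG ExtendedMessage: Not an instance of SAFRegistryImpl .. throw exception
Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8 (13007002)
 FunctionName: com.ibm.ws.security.web.WebAuthenticator
 SourceId: com.ibm.ws.security.web.WebAuthenticator
 Category: DEBUG ExtendedMessage: Credential Mapping for TrustAssociation failed.
Trace: 2004/08/10 05:50:24.101 01 t=9C9999 c=7.1 key=P8 (13007002)
 FunctionName: com.ibm.ws.security.web.WebAuthenticator
 SourceId: com.ibm.ws.security.web.WebAuthenticator
 Category: DEBUG ExtendedMessage: Credential Mapping for TrustAssociation failed.
"""

if __name__ == "__main__":
    for hit in find_signature(parse_trace(SAMPLE)):
        print("PQ94199 signature on thread %s: %s -> %s" % hit)
```

A hit on a server whose configured registry is LDAP or custom indicates the SAF credential lookup that SERVICE LEVEL W502018 removes.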
Document Information
Current web document: swg1PQ94199.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ94199
IBM Group: Software Group
Modified date: Dec 2, 2004
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.