PK38114: User registry check being invoked from Login Modules from a propagation Login in the Servant region

 Fixes are available

6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for i5/OS
6.1.0.13 WebSphere Application Server V6.1 Fix Pack 13 for AIX
6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for AIX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for HP-UX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Windows
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Linux
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Solaris
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Solaris
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Linux
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Solaris
6.1.0.9 WebSphere Application Server V6.1 Fix Pack 9 for AIX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for i5/OS
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for HP-UX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Linux
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Windows
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for HP-UX
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Windows
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Solaris
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Linux
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for i5/OS
6.1.0.11 WebSphere Application Server V6.1 Fix Pack 11 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Linux
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for HP-UX
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for i5/OS
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Linux
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Solaris
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server



APAR status
Closed as program error.

Error description
When an RMI/IIOP client is authenticating with WebSphere using
CSI to invoke an application, a propagation Login in the Servant
region may incorrectly invoke a user registry check.

Because this is a propagation Login, the following method
returns false for any Custom Login Module:
((WSTokenHolderCallback)callbacks[ 0 ]).getRequiresLogin().
During this Login, WebSphere Login Modules such as
ltpaLoginModule incorrectly try to authenticate the user
again using the user registry. Since an initial Login has
already been performed, WebSphere should not invoke a user
registry check again.

Without this fix, a security trace will show that for this
Servant region Login, the following information is available:

<cut>
ExtendedMessage: uid = <the userid>
ExtendedMessage: realm = <the realm>
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX;XXXXXXX;(and
so on)
</cut>

Having the above combination of information available during the
Login causes the LoginModule to invoke a user registry check
again.

Some customers may not actually have the user in the user
registry. In those cases, they will see errors similar to the
following:

<cut>
Trace: 2007/01/03 12:40:29.077 01 t=6C87B8 c=0.C key=P8
(13007002)
ThreadId: 00000044
FunctionName: loginImpl
SourceId: com.ibm.websphere.wim.exception
Category: SEVERE
ExtendedMessage:
com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4537E
No principal is found from the '<user name>' principal name.
</cut>
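
An added example (not IBM's code) of triaging a security trace for the condition described above: it ties each CWWIM4537E error to the preceding login data and flags the combination of uid, password and authz token list present with a null cred token. The line layout is assumed from the excerpts on this page, the sample trace is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of this page's trace excerpts (placeholder values).
SAMPLE_TRACE = """\
ExtendedMessage: uid = user1
ExtendedMessage: realm = exampleRealm
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX
ExtendedMessage:
com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4537E
No principal is found from the 'user1' principal name.
"""

FIELD = re.compile(r"^ExtendedMessage:\s*(uid|realm|password|cred token|"
                   r"X509 cert chain|authz token list)\s*=\s*(.*)$")
PRINCIPAL = re.compile(r"No principal is found from the '([^']*)' principal name")

def is_empty(value):
    return value is None or value.strip().lower() in ("", "null", "<null>")

def matches_pk38114(fields):
    # Combination from the page: uid, password, authz token list set; cred token null.
    return (not is_empty(fields.get("uid")) and not is_empty(fields.get("password"))
            and not is_empty(fields.get("authz token list"))
            and is_empty(fields.get("cred token")))

def triage(trace_text):
    """Return one finding per CWWIM4537E error, tied to the preceding login data."""
    fields, findings = {}, []
    lines = [ln.strip() for ln in trace_text.splitlines()]
    for i, line in enumerate(lines):
        m = FIELD.match(line)
        if m:
            if m.group(1) == "uid":
                fields = {}          # a uid line starts a new login data dump
            fields[m.group(1)] = m.group(2)
        elif "CWWIM4537E" in line:
            # The message text may share the line or follow on the next ones.
            p = PRINCIPAL.search(" ".join(lines[i:i + 3]))
            findings.append({"principal": p.group(1) if p else None,
                             "uid": fields.get("uid"),
                             "pk38114_pattern": matches_pk38114(fields)})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

A finding with `pk38114_pattern` set to True on a V6.1 for z/OS servant is a candidate for this APAR; a False value points to an ordinary registry lookup failure.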
Local fix
NONE
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: A custom login module was being used,   *
*                      that added the WSCredentials UniqueID   *
*                      and UserID to the subject's Public      *
*                      credentials, to bypass the user         *
*                      registry check. However, the user       *
*                      registry check was being invoked, and   *
*                      the following message issued:           *
*                      CWWIM4537E No principal is found from   *
*                      the 'superuser' principal name. The     *
*                      message was issued because we were      *
*                      not aware that this was a propagation   *
*                      situation.                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The propagation token was not being saved in the
CSIServerRIBase class.
Problem conclusion
The CSIServerRIBase class was changed to look for and save the
client's authentication token at the end of authentication in
the finishSessionProcessingForFilter method.

APAR PK38114 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.8 of WebSphere Application Server V6.1
for z/OS.
See PK46513 for complete fix.
Temporary fix
Comments
APAR information
APAR number PK38114
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 610
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2007-01-26
Closed date 2007-04-09
Last modified date 2007-06-06

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN    UP
R601 PSN    UP
R610 PSY UK24627    UP07/05/11 P F705

  Fix is available


Document Information


Current web document: swg1PK38114.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK38114
IBM Group: Software Group
Modified date: Jun 6, 2007