PQ94199: WITH TAI ENABLED, APPLICATION FAILS WITH ILLEGALSTATEEXCEPTION

 A fix is available




APAR status
Closed as program error.

Error description
An application with a Trust Association Interceptor enabled fails
with the following:

BBOO0220E J2CA0079E: Method
ThreadIdentitySecurityHelper.finalizeSubject() has detected an
internal illegal state and is throwing an IllegalStateException.
The exception is: java.lang.IllegalStateException: Unable to
build valid j2cSubject
  at com.ibm.ws.security.auth.j2c.WSLocalzOSExtensionImpl.getLocalOSInvocationSubject(WSLocalzOSExtensionImpl.java:173)
  at com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.finalizeSubject(ThreadIdentitySecurityHelper.java:381)
  at com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionManager.java:454)
  at com.ibm.connector2.cics.CICSConnectionFactory.getConnection(CICSConnectionFactory.java:218)

Other symptoms:

Trace: 2004/08/10 05:50:23.628 01 t=9C9370 c=7.1 key=P8
(13007002)
   FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
   SourceId: com.ibm.ws.security.registry.UserRegistryImpl
   Category: ENTRY
   ExtendedMessage: getOSCred
Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8
(13007002)
   FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
   SourceId: com.ibm.ws.security.registry.UserRegistryImpl
   Category: DEBUG
   ExtendedMessage: Not an instance of SAFRegistryImpl .. throw
   exception
 Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8
(13007002)
   FunctionName: com.ibm.ws.security.web.WebAuthenticator
   SourceId: com.ibm.ws.security.web.WebAuthenticator
   Category: DEBUG
   ExtendedMessage: Credential Mapping for TrustAssociation
failed.
 Trace: 2004/08/10 05:50:23.633 01 t=9C9370 c=7.1 key=P8
(13007002)
   FunctionName: com.ibm.ws.security.web.WebAuthenticator
   SourceId: com.ibm.ws.security.web.WebAuthenticator
   Category: DEBUG
   ExtendedMessage: Error in mapping credential for Trust
Association:xxx
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: There is a failure when using a TAI     *
*                      (Trust Association Interceptor) for     *
*                      authenticating users in conjunction     *
*                      with an LDAP or custom registry.        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Authentication using the TAI (Trust Association Interceptor)
class does not work for LDAP or custom registry:

ExtendedMessage: SECJ0336E: Authentication failed for user
cn=xxxxx,o=yyyyy,c=zzzz because of the following exception
javax.naming.AuthenticationException:  LDAP: error code 49 -
R004062 Credentials are not valid. (tdbm_bind.c 1.42 366)
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2750)
at com.sun.jndi.ldap.LdapCtx.processReturnCode
(LdapCtx.java:2696)
at com.sun.jndi.ldap.LdapCtx.processReturnCode
(LdapCtx.java:2497)

Description: Log Boss/390 Error
from filename: ./bborjtr.cpp
at line: 820
error message:
BBOO0220E SECJ0369E: Authentication failed when using
LTPA. The exception is  LDAP: error code 49 - R004062
Credentials are not valid. (tdbm_bind.c 1.42 366) .
com.ibm.ws.security.ltpa.LTPAServerObject
com.ibm.ws.security.ltpa.LTPAServerObject

The problem was introduced by PQ88559 in PTF W502005.
When traces of the WebSphere security component are
enabled, you can find the following diagnostics:

Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8
 FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
 SourceId: com.ibm.ws.security.registry.UserRegistryImpl
 Category: DEBUG
 ExtendedMessage: Not an instance of SAFRegistryImpl ..
 throw exception
Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8
 FunctionName: com.ibm.ws.security.web.WebAuthenticator
 SourceId: com.ibm.ws.security.web.WebAuthenticator
 Category: DEBUG
 ExtendedMessage: Credential Mapping for TrustAssociation
 failed.
Trace: 2004/08/10 05:50:23.633 01 t=9C9370 c=7.1 key=P8
 FunctionName: com.ibm.ws.security.web.WebAuthenticator
 SourceId: com.ibm.ws.security.web.WebAuthenticator
 Category: DEBUG
 ExtendedMessage: Error in mapping credential for Trust
 Association:xxxxxx
Problem conclusion
There is no reason to obtain a local SAF credential when an
LDAP or custom registry is being used.  The code to obtain a
local OS credential is no longer called if the configured
registry is not SAF.

APAR PQ94199 is associated with SERVICE LEVEL W502018 of
WebSphere Application Server V5.0 for z/OS.
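
To check whether a captured security trace shows the symptom pair described above, the following added example (not IBM code, and not part of this APAR) parses trace records in the layout quoted on this page and reports each TrustAssociation credential-mapping failure that follows the non-SAF registry check on the same thread. The function names are hypothetical, and the sample input is constructed from the excerpt above.

```python
import re

# Constructed sample in the trace layout quoted in this APAR; the wrapped
# ExtendedMessage lines are left wrapped on purpose.
SAMPLE_TRACE = """\
Trace: 2004/08/10 05:50:23.629 01 t=9C9370 c=7.1 key=P8
 FunctionName: com.ibm.ws.security.registry.UserRegistryImpl
 SourceId: com.ibm.ws.security.registry.UserRegistryImpl
 Category: DEBUG
 ExtendedMessage: Not an instance of SAFRegistryImpl ..
 throw exception
Trace: 2004/08/10 05:50:23.632 01 t=9C9370 c=7.1 key=P8
 FunctionName: com.ibm.ws.security.web.WebAuthenticator
 SourceId: com.ibm.ws.security.web.WebAuthenticator
 Category: DEBUG
 ExtendedMessage: Credential Mapping for TrustAssociation
 failed.
"""

HEADER = re.compile(r"^\s*Trace:\s+(\S+ \S+)\s+\d+\s+t=(\w+)")
FIELD = re.compile(r"^\s*(FunctionName|SourceId|Category|ExtendedMessage):\s*(.*)$")

def parse_records(text):
    """Split a trace into dicts, re-joining wrapped field values."""
    records, cur, last = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur, last = {"time": m.group(1), "thread": m.group(2)}, None
            records.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            last = m.group(1)
            cur[last] = m.group(2).strip()
        elif cur is not None and last and line.strip():
            cur[last] += " " + line.strip()  # continuation of a wrapped value
    return records

def find_tai_saf_failures(text):
    """Return (thread, time) for each TAI mapping failure preceded, on the
    same thread, by the non-SAF registry check described in this APAR."""
    pending, hits = set(), []
    for r in parse_records(text):
        src, msg = r.get("SourceId", ""), r.get("ExtendedMessage", "")
        if src.endswith("UserRegistryImpl") and "Not an instance of SAFRegistryImpl" in msg:
            pending.add(r["thread"])
        elif (src.endswith("WebAuthenticator") and r["thread"] in pending
              and "Credential Mapping for TrustAssociation failed" in msg):
            hits.append((r["thread"], r["time"]))
            pending.discard(r["thread"])
    return hits
```

A hit on a server configured with an LDAP or custom registry matches the failure this APAR fixes; the header lines that carry a bare `(13007002)` continuation are skipped because no field has been opened yet.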
Temporary fix

Comments

APAR information
APAR number PQ94199
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-09-14
Closed date 2004-11-12
Last modified date 2004-12-02

APAR is sysrouted FROM one or more of the following:
PQ93370

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ95030    UP04/11/18 P F411
