PK30496: WEBSPHERE FOR Z/OS SECURITY METHOD SAFREGISTRYIMPL.ISVALIDUSER() RETURNS TRUE FOR A REVOKED USERID.

Fixes are available

6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for AIX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for HP-UX
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for i5/OS
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Linux
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Windows
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for AIX
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for HP-UX
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for i5/OS
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Linux
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Solaris
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Windows
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for HP-UX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Linux
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Solaris
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Windows
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for AIX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for HP-UX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for i5/OS
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Linux
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Solaris
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Windows
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for AIX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for i5/OS
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Linux
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Solaris
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Windows
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for HP-UX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for i5/OS
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Linux
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Solaris
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server

APAR status
Closed as program error.

Error description
The customer has implemented a Trust Association Interceptor
(TAI) which asserts to WAS Z/OS that incoming requests
belong to a valid RACF userid. Later in processing, WAS
throws an exception because the RACF userid (IBMUSER in this
case) has been revoked.
.
A security trace (com.ibm.ws.security.*=all=enabled) shows
.
BBOS0108E Credential handling function RunAsGetSpecCredAuth
failed in Routine IRRSIA00 with SAF Return Code (hex): 8,
RACF Return Code (hex): 8, and RACF Reason Code (hex): 1c.
.
Trace: 2006/05/29 13:01:54.210 01 t=7B6E88 c=310.2 key=P8
FunctionName: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
SourceId: com.ibm.ws.security.registry.zOS.SAFRegistryImpl
Category: ERROR
ExtendedMessage: SECJ0055E: Authentication failed for IBMUSER.
The user id may not exist, the account could have expired or
disabled.
.
The ID asserted by the TAI does exist in the user registry, so the
validity check passes, but the ID cannot be authenticated
successfully because it is revoked.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1.0 for z/OS                              *
****************************************************************
* PROBLEM DESCRIPTION: SAFRegistryImpl.isValidUser() returns   *
*                      true for revoked users.                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
On z/OS, determining whether a user is valid was done using the
getpwent service. However, getpwent also returns information for
revoked users, so a revoked userid passes that check even though
it can never be authenticated. To detect revocation during an ID
assertion login, WAS has to attempt to create an ACEE for the
user, which fails for a revoked profile. A new custom property was
introduced to force WAS to build a RACO/ACEE instead of calling
getpwent.
Problem conclusion
A new custom property called
force.credential.creation.for.validation was added at the
registry level to force the creation of an ACEE or find the
ACEE of the user from the cache during ID assertion logins to
prevent obtaining information for users that have been revoked.
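The following Python is an added illustration of the point above and is not IBM's SAFRegistryImpl; the SAF and RACF services are simulated with an in-memory table so it runs offline. It contrasts an existence lookup (getpwent style), which accepts a revoked ID, with a credential build (ACEE style), which rejects it, and models the property's behaviour of consulting the ACEE cache before building a new credential. The user table and uid values, the names getpwent, build_acee, SafRegistry and id_assertion_login are constructed assumptions; the SAF/RACF return and reason codes are those quoted in the trace in the error description.

```python
"""Model of the PK30496 defect: an existence lookup is not a validity check,
because a revoked profile still has a user entry.  Constructed illustration,
not IBM code; SAF/RACF calls are simulated with an in-memory table."""
from dataclasses import dataclass

# Constructed sample of the SAF user database.  IBMUSER is revoked, as in
# the APAR's trace; the other entry and the uid values are invented.
SAF_USERS = {
    "IBMUSER": {"uid": 0, "revoked": True},
    "WSADMIN": {"uid": 2001, "revoked": False},
}

# Codes quoted in the APAR trace for the failed credential build:
# SAF RC 8, RACF RC 8, RACF reason 0x1c.
SAF_RC_FAIL, RACF_RC_FAIL, RACF_RSN_REVOKED = 0x8, 0x8, 0x1C


class CredentialError(Exception):
    """Raised when an ACEE cannot be built for the userid."""

    def __init__(self, saf_rc, racf_rc, racf_rsn):
        super().__init__(f"SAF RC {saf_rc:x}, RACF RC {racf_rc:x}, "
                         f"RACF reason {racf_rsn:x}")
        self.saf_rc, self.racf_rc, self.racf_rsn = saf_rc, racf_rc, racf_rsn


def getpwent(userid):
    """Simulated getpwent(): answers from the profile table regardless of
    revocation status, which is exactly why it cannot detect revoked IDs."""
    return SAF_USERS.get(userid)


@dataclass(frozen=True)
class Acee:
    userid: str
    uid: int


def build_acee(userid):
    """Simulated ACEE creation: a revoked (or nonexistent) profile cannot be
    turned into a credential, so the build fails with the trace's codes."""
    entry = SAF_USERS.get(userid)
    if entry is None or entry["revoked"]:
        raise CredentialError(SAF_RC_FAIL, RACF_RC_FAIL, RACF_RSN_REVOKED)
    return Acee(userid, entry["uid"])


class SafRegistry:
    """Validity check before and after the property is set."""

    def __init__(self, force_credential_creation_for_validation=False):
        self.force_credential_creation = force_credential_creation_for_validation
        self._acee_cache = {}  # userid -> Acee, the "find from cache" path

    def is_valid_user(self, userid):
        # Pre-fix behaviour: existence equals validity (wrong for revoked IDs).
        if not self.force_credential_creation:
            return getpwent(userid) is not None
        # Property set: a cached ACEE, or a freshly built one, is required.
        if userid in self._acee_cache:
            return True
        try:
            self._acee_cache[userid] = build_acee(userid)
        except CredentialError:
            return False
        return True

    def cached(self, userid):
        return userid in self._acee_cache


def id_assertion_login(registry, userid):
    """Two-stage flow from the error description: validate the asserted ID,
    then build the run-as credential.  Returns where the login was rejected,
    or "ok"."""
    if not registry.is_valid_user(userid):
        return "rejected at validation"
    try:
        build_acee(userid)  # the later step that produced BBOS0108E/SECJ0055E
    except CredentialError as e:
        return f"failed later: RACF reason {e.racf_rsn:x}"
    return "ok"


if __name__ == "__main__":
    for force in (False, True):
        reg = SafRegistry(force_credential_creation_for_validation=force)
        print(f"force={force}: IBMUSER -> {id_assertion_login(reg, 'IBMUSER')}, "
              f"WSADMIN -> {id_assertion_login(reg, 'WSADMIN')}")
```

Two practical consequences follow from the cache path. First, the property turns the validity check into a credential build, which is the performance cost the documentation change warns about. Second, an ACEE that was cached before the profile was revoked still satisfies the check until it is evicted, so the revocation takes effect at cache expiry rather than immediately.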

APAR PK30496 requires changes to the WebSphere Application Server
for z/OS V6.1.0 documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/was/library/

The V6.1.0 WebSphere Application Server for z/OS
Information Center article "Local operating system settings"
will be updated to include the following
description of the new custom property:

force.credential.creation.for.validation property.
Setting this property forces the creation of an accessor
environment element (ACEE) for the user, or finds the user's
ACEE in the cache, during an ID assertion login. Because a
revoked userid cannot be turned into an ACEE, this prevents the
registry from treating a revoked user as valid. Forcing the
creation of credentials on every validation will cause a
decrease in performance.

APAR PK30496 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.9 of WebSphere Application Server
V6.1.0 for z/OS.
Temporary fix

Comments
APAR information
APAR number PK30496
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 610
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2006-08-24
Closed date 2007-05-03
Last modified date 2007-07-04

APAR is sysrouted FROM one or more of the following:
PK26104

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN UP
R601 PSN UP
R610 PSY UK25977 UP 07/06/26 P F706

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PK30496.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK30496
IBM Group: Software Group
Modified date: Jul 4, 2007