PQ85539: CUSTOM TRUST ASSOCIATION INTERCEPTOR CLASSNAME FOR LTPA IS UPDATED INCORRECTLY UNDER ICSF. | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description During the configuration of the custom trust association interceptor, incase the customer is not using the default interceptor which is com.ibm.ws.security.web.WebSealTrustAssociationInterceptor and is adding a new interceptor with a new interceptor classname under the security authentication mechanism of LTPA, the new interceptor is not picked up and the default one is used. . This happens because the security.xml file does not contain a unique tag for trustAssociation, it is: <trustAssociation xmi:id="TrustAssociation_1" for both LTPA and ICSF. . This tag needs to be changed to have a unique tag.Local fix Manually edit the security.xml file to change the xmi:id on the trustAssociation tag to something unique (different from TrustAssociation_1) like: <trustAssociation xmi:id="TrustAssociation_2" .Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Custom trust association interceptor * * classname for LTPA is updated * * incorrectly under ICSF causing the * * default WebSeal interceptor to be * * used for LTPA. * **************************************************************** * RECOMMENDATION: * **************************************************************** When customers try to configure their own trust association interceptor while using Global Security, with the authentication mechanism of LTPA (using the following path via administrative console) Security -> Authentiacation Mechanisms -> LTPA -> Trust Association -> Interceptors -> New -> This fails regardless of what is put into the Interceptor Classname field in the administrative console. The administrative console accepts the new interceptor classname, however the security.xml file still reflects the default trust association interceptor class under the LTPA clause. This default class is: com.ibm.ws.security.web.WebSealTrustAssociationInterceptor This happens because the trustAssociation tags have identical xmi:id values (TrustAssociation_1) for LTPA and ICSF: <trustAssociation xmi:id="TrustAssociation_1". The two xmi:id values should be unique. The following tracepoint is seen in the servant with com.ibm.ws.security.*=all=enabled tracing turned on Trace: 2004/02/25 15:46:03.247 01 t=9E6B60 c=UNK key=P8 (13007002) FunctionName: com.ibm.ws.security.web.TAIWrapper SourceId: com.ibm.ws.security.web.TAIWrapper Category: DEBUG ExtendedMessage: Trust association class name: com.ibm.ws.security.web.WebSealTrustAssociationInterceptor The tags need to be unique.Problem conclusion Dialog skeleton files for security.xml will be updated so that the xmi:id tags are unique. APAR PQ85539 is associated with SERVICE LEVEL W502006 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PQ85539.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ85539
IBM Group: Software Group
Modified date: Feb 28, 2006
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.