PK46513: PK38114 - USER REGISTRY CHECK BEING INVOKED FROM LOGIN MODULES FROM A PROPAGATION LOGIN IN THE SERVANT REGION

Fixes are available

6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for i5/OS
6.1.0.13 WebSphere Application Server V6.1 Fix Pack 13 for AIX
6.1.0.15 WebSphere Application Server V6.1 Fix Pack 15 for AIX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for HP-UX
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Windows
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for i5/OS
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Linux
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Solaris
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Windows
6.1.0.17 WebSphere Application Server V6.1 Fix Pack 17 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Solaris
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Linux
6.1.0.15: WebSphere Application Server V6.1 Fix Pack 15 for Solaris
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for HP-UX
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Windows
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Solaris
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for Linux
6.1.0.11: WebSphere Application Server V6.1 Fix Pack 11 for i5/OS
6.1.0.11 WebSphere Application Server V6.1 Fix Pack 11 for AIX
6.1.0.13: WebSphere Application Server V6.1 Fix Pack 13 for Linux
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for HP-UX
6.1.0.19 WebSphere Application Server V6.1 Fix Pack 19 for i5/OS
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Linux
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Solaris
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server



APAR status
Closed as program error.

Error description
APAR PK38114 did not fully resolve this issue in 6.1.0.8. This
APAR is intended to complete the fix for the user registry check
problem.

When an RMI/IIOP client authenticates with WebSphere using CSI
to invoke an application, a propagation login in the Servant
region may incorrectly invoke a user registry check.

Because this is a propagation login, the following method
returns false for any custom login module:
((WSTokenHolderCallback)callbacks[0]).getRequiresLogin()
During this login, WebSphere login modules such as
ltpaLoginModule incorrectly try to authenticate the user again
against the user registry. Because an initial login has already
been performed, WebSphere should not invoke a user registry
check again.

Without this fix, a security trace shows that the following
information is available for this Servant region login:

<cut>
ExtendedMessage: uid = <the userid>
ExtendedMessage: realm = <the realm>
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX;XXXXXXX;(and
so on)
</cut>

Having the above combination of information available during the
Login causes the LoginModule to invoke a user registry check
again.

Some customers may not have the user in the user registry. In
those cases, they will see errors similar to the following:

<cut>
Trace: 2007/01/03 12:40:29.077 01 t=6C87B8 c=0.C key=P8
(13007002)
ThreadId: 00000044
FunctionName: loginImpl
SourceId: com.ibm.websphere.wim.exception
Category: SEVERE
ExtendedMessage:
com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4537E
No principal is found from the '<user name>' principal name.
</cut>
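
To check a saved security trace for this symptom, the following added example (not IBM's code) flags login dumps that carry the combination shown above and matches them against CWWIM4537E failures. The trace text is constructed, and the rule used for "combination" (uid and password set, cred token null, authz token list non-empty) is an assumption drawn from the excerpt.

```python
import re

# Constructed trace modelled on the two excerpts in this APAR (values made up).
SAMPLE_TRACE = """\
ExtendedMessage: uid = appuser
ExtendedMessage: realm = exampleRealm
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX
ExtendedMessage: uid = batchuser
ExtendedMessage: password = <null>
ExtendedMessage: cred token = XXXXXXXX
ExtendedMessage: authz token list =XXXXXXX
FunctionName: loginImpl
ExtendedMessage:
com.ibm.websphere.wim.exception.PasswordCheckFailedException:
CWWIM4537E
No principal is found from the 'appuser' principal name.
"""

FIELD = re.compile(r"ExtendedMessage:\s*(uid|password|cred token|authz token list)\s*=\s*(.*)")
FAILURE = re.compile(r"CWWIM4537E\s+No principal is found from\s+the\s+'([^']*)'\s+principal name")
EMPTY = {"", "null", "<null>"}

def has_recheck_inputs(login):
    # Assumed reading of the APAR: uid and password set, no cred token,
    # propagated authz tokens present.
    return (login.get("uid", "") not in EMPTY
            and login.get("password", "") not in EMPTY
            and login.get("cred token", "") in EMPTY
            and login.get("authz token list", "") not in EMPTY)

def scan_trace(text):
    suspects, login = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "uid":                  # a login dump starts with uid
            login = {}
        login[key] = value
        if key == "authz token list":     # ...and ends with the token list
            if has_recheck_inputs(login):
                suspects.append(login["uid"])
            login = {}
    failures = FAILURE.findall(text)      # tolerates the wrapped message text
    return {"suspect_logins": suspects, "registry_failures": failures,
            "confirmed": sorted(set(suspects) & set(failures))}
```

A user listed under "confirmed" had both the login dump with the combination and a registry lookup failure in the same trace.
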
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: A custom login module was being used,   *
*                      that added the WSCredentials UniqueID   *
*                      and UserID to the subject's Public      *
*                      credentials, to bypass the user         *
*                      registry check. However, the user       *
*                      registry check was being invoked, and   *
*                      the following message issued:           *
*                      CWWIM4537E No principal is found from   *
*                      the 'superuser' principal name. A code  *
*                      change resulted in the credentials      *
*                      being improperly set.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Credentials were not being properly set in the CSIServerRIBase
class.
Problem conclusion
The CSIServerRIBase class was changed to look for and save the
client's authentication token and credentials at the end of
authentication in the finishSessionProcessingForFilter method.

APAR PK46513 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.10 of WebSphere Application Server V6.1
for z/OS.
Temporary fix

Comments
APAR information
APAR number PK46513
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 610
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2007-06-06
Closed date 2007-07-03
Last modified date 2007-08-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UK26893

Modules/Macros
CSISERVE RRIBASE        

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN    UP
R601 PSN    UP
R610 PSY UK26893    UP07/07/17 P F707

Fix is available


Document Information


Current web document: swg1PK46513.html
Software version: 610
Reference #: PK46513
IBM Group: Software Group
Modified date: Aug 3, 2007