PK46513: PK38114 - USER REGISTRY CHECK BEING INVOKED FROM LOGIN MODULES FROM A PROPAGATION LOGIN IN THE SERVANT REGION
APAR status

Closed as program error.

Error description

APAR PK38114 did not fully resolve this issue in 6.1.0.8. This APAR is intended to complete the fix for the user registry check problem.

When an RMI/IIOP client is authenticating with WebSphere using CSI to invoke an application, a propagation login in the servant region may incorrectly invoke a user registry check. Because this is a propagation login, the following method will return false for any custom login module:

((WSTokenHolderCallback)callbacks[0]).getRequiresLogin()

During this login, any WebSphere login modules, for example ltpaLoginModule, will incorrectly try to authenticate the user again using the user registry. Since an initial login has already been performed, WebSphere should not invoke a user registry check again.

Without this fix, a security trace will show that the following information is available for this servant region login:

<cut>
ExtendedMessage: uid = <the userid>
ExtendedMessage: realm = <the realm>
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX;XXXXXXX;(and so on)
</cut>

Having the above combination of information available during the login causes the login module to invoke a user registry check again. Some customers may not actually have the user in the user registry; in those cases, they will see errors similar to the following:

<cut>
Trace: 2007/01/03 12:40:29.077 01 t=6C87B8 c=0.C key=P8 (13007002)
ThreadId: 00000044
FunctionName: loginImpl
SourceId: com.ibm.websphere.wim.exception
Category: SEVERE
ExtendedMessage: com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the '<user name>' principal name.
</cut>

Local fix

Problem summary

USERS AFFECTED: All users of WebSphere Application Server V6.1 for z/OS

PROBLEM DESCRIPTION: A custom login module was being used that added the WSCredentials UniqueID and UserID to the subject's public credentials to bypass the user registry check. However, the user registry check was being invoked, and the following message was issued: CWWIM4537E No principal is found from the 'superuser' principal name. A code change resulted in the credentials being improperly set.

RECOMMENDATION:

Credentials were not being properly set in the CSIServerRIBase class.

Problem conclusion

The CSIServerRIBase class was changed to look for and save the client's authentication token and credentials at the end of authentication in the finishSessionProcessingForFilter method.

APAR PK46513 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.10 of WebSphere Application Server V6.1 for z/OS.

Temporary fix

Comments
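As an added example (not part of the APAR and not IBM code), the following Python scans a security trace for the field combination given in the error description and correlates it with CWWIM4537E failures, to help confirm whether a system is hitting this defect. The sample trace is constructed; that each login dump runs from the uid line to the authz token list line, and that `null`, `<null>` or an empty value means "not set", are assumptions based on the excerpts above.

```python
import re

# Constructed sample in the layout of the APAR's trace excerpts; all values are placeholders.
SAMPLE_TRACE = """\
ExtendedMessage: uid = alice
ExtendedMessage: realm = EXAMPLEREALM
ExtendedMessage: password = XXXXXXXX
ExtendedMessage: cred token = <null>
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX
ExtendedMessage: com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'alice' principal name.
ExtendedMessage: uid = bob
ExtendedMessage: realm = EXAMPLEREALM
ExtendedMessage: password = <null>
ExtendedMessage: cred token = XXXXXXXX
ExtendedMessage: X509 cert chain = null
ExtendedMessage: authz token list =XXXXXXX;XXXXXXX
"""

FIELD = re.compile(r"ExtendedMessage:\s*(uid|realm|password|cred token|"
                   r"X509 cert chain|authz token list)\s*=\s*(.*)")
ERROR = re.compile(r"CWWIM4537E No principal is found from the '([^']*)' principal name")
NULLS = {"", "null", "<null>"}  # assumption: these values mean "not set"

def is_recheck_signature(f):
    """uid, realm, password and authz tokens set; cred token and cert chain unset."""
    filled = {k for k, v in f.items() if v.strip() not in NULLS}
    return filled == {"uid", "realm", "password", "authz token list"}

def scan(trace_text):
    """Return (uids whose login dump shows the signature, principals in CWWIM4537E)."""
    suspects, failures, fields = [], [], {}
    for line in trace_text.splitlines():
        m, e = FIELD.search(line), ERROR.search(line)
        if m:
            # assumption: a dump starts at uid and ends at authz token list
            if m.group(1) == "uid":
                fields = {}
            fields[m.group(1)] = m.group(2)
            if m.group(1) == "authz token list" and is_recheck_signature(fields):
                suspects.append(fields["uid"].strip())
        elif e:
            failures.append(e.group(1))
    return suspects, failures

def affected_users(trace_text):
    """Users whose propagation login hit the registry and were not found there."""
    suspects, failures = scan(trace_text)
    return sorted(set(suspects) & set(failures))
```

A user reported by `affected_users` had a servant-region login with a password and authorization tokens but no credential token, followed by a registry lookup failure for the same name.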
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UK26893

Modules/Macros
Publications Referenced
Document Information
Current web document: swg1PK46513.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK46513
IBM Group: Software Group
Modified date: Aug 3, 2007
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.