Fix (APAR):  PK59474

Status:  Fix

Release:  6.1.0.9,6.1.0.7,6.1.0.5,6.1.0.3,6.1.0.13,6.1.0.11,6.1.0.1

Operating System:  AIX,HP-UX,i5/OS,Linux,Linux pSeries,Linux zSeries,OS/400,Solaris,Windows

Supersedes Fixes:  

CMVC Defect:  PK59474

Byte size of APAR:  19677

Date: 2008-02-13

Abstract:  SSL proxy connect tunneling does not use correct target host and port

Description/symptom of problem:  
PK59474 resolves the following problem:

6.1.0.15-WS-WAS-IFPK59474.pak installs on 6.1.0.1 - 6.1.0.15
6.1.0.13-WS-WAS-IFPK59474.pak installs on 6.1.0.1 - 6.1.0.13

ERROR DESCRIPTION:                                              
A Web Service calls an external service to logon.  The login    
service returns a session ID and URL. This always works.        
These two parameters along with a Query are used to make a      
second Web Service call to the external service to get an       
account ID. This call works the first time and fails subsequent 
times at the customer location with the following exception:    
                                                                
----------------------------------------------------------------
[1/14/08 15:46:27:875 EST] 00000054 ExceptionUtil E   CNTR0020E:
EJB threw an unexpected (non-declared) exception during         
invocation of method                                            
"transactionNotSupportedActivitySessionNotSupported" on bean    
"BeanId(AccountMediationApp#AccountMediationEJB.jar#Module,     
null)". Exception data:                                         
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body    
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"       
xmlns:xsd="http://www.w3.org/2001/XMLSchema"                    
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">          
  <soapenv:Fault><faultcode                                     
xmlns:p354="urn:fault.enterprise.soap.sforce.com">p354:UNKNOWN_E
XCEPTION</faultcode><faultstring>UNKNOWN_EXCEPTION: Destination 
URL not reset. The URL returned from login must be set in the   
SforceService</faultstring><detail encodingStyle=""><sf:fault   
xsi:type="sf:UnexpectedErrorFault"                              
xmlns:sf="urn:fault.enterprise.soap.sforce.com">                
     <sf:exceptionCode>UNKNOWN_EXCEPTION</sf:exceptionCode>     
     <sf:exceptionMessage>Destination URL not reset. The URL    
returned from login must be set in the                          
SforceService</sf:exceptionMessage>                             
    </sf:fault></detail></soapenv:Fault>                        
 </soapenv:Body>                                                
 at                                                             
com.ibm.wsspi.sca.webservice.jaxrpc.ServiceImportHandler.handleF
ault(ServiceImportHandler.java:313)                             
 at                                                             
com.ibm.ws.webservices.engine.handlers.jaxrpc.HandlerProxy.handl
eFault(HandlerProxy.java:159)                                   
 at                                                             
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.oneHandleFault(JAXRPCHandlerChain.java:869)                    
 at                                                             
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.handleFault(JAXRPCHandlerChain.java:846)                       
...                                                             
...                                                             
----------------------------------------------------------------

LOCAL FIX:                                                      
One way to make it work:                                        
----------------------------------------------------------------
The customer is successfully running their application using the
JVM property                                                    
"com.ibm.websphere.webservices.http.connectionKeepAlive" set to 
false                                                           
--------------------------------------------------------------- 

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server version
6.1 users of web services

PROBLEM DESCRIPTION:
SSL proxy connect tunneling does not
use correct target host and port

RECOMMENDATION:
None

A Web Service calls an external service to logon.  The login
service returns a session ID and URL. This always works.
These two parameters along with a Query are used to make a
second Web Service call to the external service to get an
account ID. This call works the first time and fails subsequent
times at the customer location with the following exception:

----------------------------------------------------------------

[1/14/08 15:46:27:875 EST] 00000054 ExceptionUtil E   CNTR0020E:

EJB threw an unexpected (non-declared) exception during
invocation of method
"transactionNotSupportedActivitySessionNotSupported" on bean
"BeanId(AccountMediationApp#AccountMediationEJB.jar#Module,
null)". Exception data:
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Fault><faultcode
xmlns:p354="urn:fault.enterprise.soap.sforce.com">p354:UNKNOWN_E

XCEPTION</faultcode><faultstring>UNKNOWN_EXCEPTION: Destination
URL not reset. The URL returned from login must be set in the
SforceService</faultstring><detail encodingStyle=""><sf:fault
xsi:type="sf:UnexpectedErrorFault"
xmlns:sf="urn:fault.enterprise.soap.sforce.com">
<sf:exceptionCode>UNKNOWN_EXCEPTION</sf:exceptionCode>
<sf:exceptionMessage>Destination URL not reset. The URL
returned from login must be set in the
SforceService</sf:exceptionMessage>
</sf:fault></detail></soapenv:Fault>
</soapenv:Body>
at
com.ibm.wsspi.sca.webservice.jaxrpc.ServiceImportHandler.handleF

ault(ServiceImportHandler.java:313)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.HandlerProxy.handl

eFault(HandlerProxy.java:159)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain

.oneHandleFault(JAXRPCHandlerChain.java:869)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain

.handleFault(JAXRPCHandlerChain.java:846)

PROBLEM CONCLUSION:                                             
The key here is in how you talk to a forward proxy versus a     
reverse proxy.  The reverse Proxy is the actual target of the   
client request, and then the proxy opens it's own socket        
independently to the backend server.  Thus SSL to a reverse     
proxy has one session between webservices client and the        
proxy, and a separate session from proxy to backend server.     
The Proxy knows about each individual HTTP request from the     
client and routes it appropriately.  The request looks like     
"POST /uri, Host: backend:port".  On the other hand, a forward  
proxy is not the target of the client request.  That bounces    
through the Proxy and out to the target server, with the        
request formatted as "POST http://backend:port/uri, Host:       
proxy".  The key for us is that you cannot do regular SSL to a  
forward proxy.  You must use a CONNECT request to do SSL        
tunneling through the proxy.  The CONNECT tells the Proxy what  
backend server to contact (which is who the SSL handshake is    
made against) and the Proxy has no knowledge of the individual  
requests made.  It simply tunnels data back and forth between   
the client and the backend server.                              
                                                                
Now, for webservices client, if it knows the target is a        
proxy, it will send the forward proxy style request if HTTP,    
but will always use the CONNECT tunneling code if SSL.  The     
critical point is that the SSL tunnel always goes to the first  
target and every HTTP request over the tunnel goes to that      
same target.  The web services engine code has been fixed to    
include the target endpoint host and port when using an SSL     
proxy CONNECT.                                                  
                                                                
The fix for this APAR is currently targeted for inclusion in    
fix pack 6.1.0.17.                                              
Please refer to the recommended updates page for delivery       
information:                                                    
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980   


Directions to apply fix:  
NOTE: Choose the:
1) Release the fix applies to
2) The Editions that apply
3) Delete the Editions & Methods that do not apply and this Note

Fix applies to Editions:
Release 6.0
__ Application Server (Express or BASE)
__ Network Deployment (ND)
__ WebSphere Business Integration Server Foundation (WBISF)
__ Edge Components
__ Developer
__ Extended Deployment (XD)

Install Fix to:
Method:
__ Application Server Nodes
__ Deployment Manager Nodes
__ Both

NOTE:
The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environments.
* Logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.0.2.2 or newer of the Update Installer. This can be checked by reviewing the level of the Update Installer in file <was_root>/updateinstaller/version.txt.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

For detailed instructions to Extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg21205400

1) Copy PKxxxxx.pak file directly to the maintenance directory

2) Shutdown WebSphere
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.

3) Launch Update Installer

4) Enter the installation location of the WebSphere product you want to update.

5) Select the "Install maintenance package" operation.

6) Enter the file name of the maintenance package to install (PKxxxxx.pak file which was copied in the maintenance directory).

7) Install the maintenance package.

8) Restart WebSphere

Directions to remove fix:  
NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environments.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.

2) Start Update Installer

3) Enter the installation location of the WebSphere product you want to remove the fix.

4) Select  "Uninstall maintenance package" operation.

5) Enter the file name of the maintenance package to uninstall (PKxxxxx.pak).

6) UnInstall maintenance package.

7) Restart WebSphere

Directions to re-apply fix:  
1) Shutdown WebSphere.

2) Follow the Fix instructions to apply the fix.

3) Restart WebSphere.



Additional Information: