Fix (APAR): PK77465
Status: Fix
Product: WAS
Release: 6.1.0.19, 6.1.0.23, 7.0.0.1, 7.0.0.3
Operating System: All operating systems
Supersedes Fixes:
Pre-requisite Fixes:
Exclusive-requisite Fixes:
CMVC Defect: PK77465

Byte size of APAR:
  6.1.0.19-WS-WAS-IFPK77465.zip   72,714
  6.1.0.23-WS-WAS-IFPK77465.zip   75,201
  7.0.0.1-WS-WAS-IPK77465.pak     47.380
  7.0.0.3-WS-WAS-IPK77465.pak     47,347

Date:
  6.1.0.19   2009-02-19
  6.1.0.23   2009-08-23
  7.0.0.1    2009-04-06
  7.0.0.3    2009-06-16

Abstract: Setting the WebContainer custom property disablesecuritypreinvokeonfilters may cause a security risk.

Description/symptom of problem:

PK77465 resolves the following problem:

ERROR DESCRIPTION:
Setting the WebContainer custom property disablesecuritypreinvokeonfilters may result in Sign-on not being required for a secure URL. The custom property is required by some customers who use Single Sign-on (SSO) with SPNEGO.

LOCAL FIX:
None.

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server Version 6.1 and 7.0 Users of Single Sign-on (SSO) with SPNEGO.

PROBLEM DESCRIPTION:

RECOMMENDATION:
None

The WebContainer custom property was introduced by PK42868 to prevent a problem in which a SPNEGO TAI was called twice for the same request. However, setting the property may result in Sign-on not being required for a secure URL.

PROBLEM CONCLUSION:
The WebContainer custom property has been removed and the WebContainer has been updated to ensure that a SPNEGO TAI is called once for each request.

The fix for this APAR is currently targeted for inclusion in fixpacks 6.1.0.25 and 7.0.0.5.
Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply the fix to release 7.0:

Fix applies to Editions:
Release: 7.0
X__ Application Server (Express or Base)
X__ Network Deployment (ND)
___ WebSphere Business Integration Server Foundation (WBISF)
___ Edge Components
___ Developer
___ Extended Deployment (XD)

Install Fix To:
Method:
__ Application Server Nodes
__ Deployment Manager Nodes
X_ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be Logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V7.0.0.0 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in file /updateInstaller/version.txt. However, it is highly recommended to use the latest version of Update Installer for IBM WebSphere Application Server Version 7, which can be downloaded from the link specified below.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

1) Copy the supplied .pak file directly to the maintenance directory.

2) Shutdown WebSphere.
   Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to.
   It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.

3) Launch the Update Installer.

4) Enter the installation location of the WebSphere product you want to update.

5) Select the "Install maintenance package" operation.

6) Enter the file name of the maintenance package to install (the .pak file which was copied into the maintenance directory).

7) Install the maintenance package.

8) Restart WebSphere.

Directions to apply fix to release 6.1:

Fix applies to Editions:
Release: 6.0 6.1
         ___ X__ Application Server (Express or Base)
         ___ X__ Network Deployment (ND)
         ___ ___ WebSphere Business Integration Server Foundation (WBISF)
         ___ ___ Edge Components
         ___ ___ Developer
         ___ ___ Extended Deployment (XD)

Install Fix To:
Method:
X_ Application Server Nodes
__ Deployment Manager Nodes
__ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be Logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.1.0.13 or later of the Update Installer. Certain iFixes may require a newer version of the Update Installer, and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in file /updateInstaller/version.txt

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24012718

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

Please note that there are two different methods for delivering iFixes, depending on the contents. The fix may be delivered either as a single file with a .pak extension (such as 6.1.0.11-WS-WAS-IFPK12345.pak) or a single file with a .zip extension (such as 6.1.0.11-WS-WAS-IFPK12345.zip) which then contains one or more files with a .pak extension.

1) If your iFix is delivered as a single file with a .pak extension, copy the .pak file directly to the maintenance directory. If your iFix is delivered as a single file with a .zip extension, unzip the file into the maintenance directory.

2) Shutdown WebSphere.
   Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.

3) Launch Update Installer and click the Next button to the Welcome page.

4) Enter the directory path of the installation location of the WebSphere product you want to update and click the Next button.

5) Select the "Install maintenance package" operation and click the Next button.

6) Enter the directory path of your maintenance directory where you have the maintenance packages (.pak files) and click the Next button.

7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer will select the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Please keep the Update Installer recommendations and click the Next button and continue with the installation of the maintenance package.

8) Please note that in the future, if a Feature Pack is installed or uninstalled, a different set of iFixes will be needed. Use the Update Installer again at that time, with the maintenance directory location where these maintenance packages are stored, to determine the required interim fixes for the new WebSphere and Feature pack(s) combination.

9) The maintenance packages could have one of a set of names, and these names will help determine which maintenance package you need to install. The APAR name (PKxxxxx) should appear as part of the filename. Between the APAR number and the .pak extension there will be 0 to 2 characters added. The table below indicates the usage of each of the maintenance packages with respect to which Feature Packs, if any, are installed.

--------------------------------------------------------------------------------------
|.pak File Names             |No Feature packs|EJB3 Only|WebServices Only| Both      |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345    |       X        |    X    |       X        |     X     |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345C   |       X        |         |                |           |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345CE  |                |    X    |       X        |     X     |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345W   |       X        |    X    |                |           |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345WE  |                |         |       X        |     X     |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345E   |       X        |         |       X        |           |
--------------------------------------------------------------------------------------
|6.1.0.x-WS-WAS-IFPK12345EE  |                |    X    |                |     X     |
--------------------------------------------------------------------------------------

10) Restart WebSphere.

Directions to remove fix from releases 7.0 and 6.1:

NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
* YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere.
   Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that uninstall is being run against.
   It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.

2) Launch the Update Installer.

3) Enter the installation location of the WebSphere product from which you want to remove the fix.

4) Select the "Uninstall maintenance package" operation.

5) Enter the file name of the maintenance package to uninstall (e.g.: 6.1.0.x-WS-WAS-IFPK12345.pak).

6) Uninstall the maintenance package.

7) Restart WebSphere.

Directions to re-apply fix to releases 6.1 and 7.0:

1) Shutdown WebSphere.
   It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.

2) Follow the instructions to apply the fix.

3) Restart WebSphere.

Additional Information:
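
Added example (not part of the IBM readme): because the risk in this APAR exists only where the custom property disablesecuritypreinvokeonfilters has been set, the Python script below walks a configuration tree and reports every server.xml that defines it. The assumptions are that custom properties are stored in server.xml as elements carrying name and value attributes, and that the directory layout and sample files, which are constructed here, resemble a real profile.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Property name as given in the APAR text. It is matched case-insensitively
# and as a suffix, so a package-qualified spelling is caught as well.
RISKY_PROPERTY = "disablesecuritypreinvokeonfilters"


def find_risky_property(config_root):
    """Return (path, name, value) for every server.xml that sets the property."""
    findings = []
    for dirpath, _dirs, files in os.walk(config_root):
        if "server.xml" not in files:
            continue
        path = os.path.join(dirpath, "server.xml")
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            # A file that cannot be parsed cannot be cleared; flag it for review.
            findings.append((path, "UNPARSEABLE", ""))
            continue
        for elem in tree.iter():
            name = elem.get("name", "")
            if name.lower().endswith(RISKY_PROPERTY):
                findings.append((path, name, elem.get("value", "")))
    return findings


def build_sample_tree(root):
    """Constructed sample data: two servers, only server1 sets the property."""
    samples = {
        "server1": '<properties name="com.ibm.ws.webcontainer.'
                   'DisableSecurityPreInvokeOnFilters" value="true"/>',
        "server2": '<properties name="someOtherProperty" value="x"/>',
    }
    for server, prop in samples.items():
        d = os.path.join(root, "cells", "cell01", "nodes", "node01",
                         "servers", server)
        os.makedirs(d)
        with open(os.path.join(d, "server.xml"), "w") as fh:
            fh.write("<server><components>%s</components></server>" % prop)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, name, value in find_risky_property(tmp):
            print("%s: %s=%s" % (os.path.relpath(path, tmp), name, value))
```

Servers reported by the scan are the ones to prioritise for this fix, since the fix removes the property and changes the WebContainer so that a SPNEGO TAI is called once per request.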