eFix (APAR): PQ60658
Status: testfix
Release: WebSphere 3.5.4, 3.5.5
Supersedes eFixes: PQ53953
CMVC defect: PQ60658
Byte size of APAR: 26,179
Date: 05/02/2002

Abstract: WASSEC - WEBSPHERE SECURITY ENABLES DEREFALIASES CAUSING PERFORMANCE DEGRADATION

Directions to apply efix:
1) Create an "efix" directory to store the efix jar file(s):
   AIX: /usr/WebSphere/AppServer/efix
   Solaris/Linux: /opt/WebSphere/AppServer/efix
   Windows: c:\WebSphere\AppServer\efix
2) Copy PQ60658-3.5.5-3.5.4-test.jar to that directory
3) Add the directory/jar file to the beginning of the admin server's classpath in admin.config:
   com.ibm.ejs.sm.adminserver.classpath=C:/WebSphere/AppServer/efix/PQ60658-3.5.5-3.5.4-test.jar...
4) Stop and restart the Admin Server

Additional Information:
This is a cumulative efix with the following fixes:

APAR: PQ51744
What is fixed:
1) Allow the user to configure an LDAP search operation time out, the maximum time to wait for results from the server.
2) Allow the user to use LDAP server clusters. Before this fix, WebSphere only works with a single LDAP server.
How to implement the fix:
1) The IBM JNDI default time out is 5 minutes, which means the maximum time to wait for results from the LDAP server is 5 minutes. With this fix, you can change the time out limit to a desired value in milliseconds by adding the property jndi_ldap_timeout to admin.config. The following statement changes the default time to 60 seconds:
   jndi_ldap_timeout=60000
2) WebSphere security maintains and reuses the same InitialDirContext (thus the same connection to the LDAP server) for all search operations, which might not work with an LDAP cluster. If the LDAP servers are clustered, routers sit between JNDI and the LDAP server and JNDI does not control which LDAP server it reaches, so the context should be changed. If you use LDAP clusters, you are required to create a new InitialDirContext (thus open a new connection to the LDAP server) for each search operation.
   To open a new connection for each operation, add the property jndi_ldap_new_connection_flag=true to admin.config. This property defaults to false, i.e., a single LDAP server is assumed.
   jndi_ldap_new_connection_flag=true
3) After modifying admin.config, add the jar file PQ51744-353.jar to the class path and restart the admin server.

APAR: PQ52698 & PQ53935
What is fixed: Unnecessary calls to LDAP were removed, and the queries that fetch the groups a user belongs to were optimized to return only the necessary data. This greatly increases authentication performance in certain circumstances.

APAR: PQ51768
What is fixed: An LDAP server is configured with WAS security, but the LDAP server contains users whose distinguished names have spaces appended to the name. WAS security does not interpret this trailing embedded space correctly, causing authorization failure when trying to access secured resources.

APAR: PQ51924
APAR: PQ48364

APAR: PQ60658
System properties beginning with "java.naming." or "com.ibm.jndi." are automatically used when creating initial directory contexts; this can be used to disable LDAP alias dereferencing as well as to set other JNDI properties.
What is fixed: WebSphere performance issue using MS Active Directory as the LDAP server
How to configure:
- Start AdminClient
- Go to the Global Security Wizard
- Click on User Registry
- Click Advanced
- In the 'Group Member ID Map' field, add ;objectCategory:group to the end. The field should look like:
  group:member;objectCategory:member
------------------------------------------------------------------
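Added example (a hypothetical helper written for this readme, not IBM's own WebSphere code) showing how a JNDI client picks up the "java.naming." and "com.ibm.jndi." system properties, applies the jndi_ldap_timeout search time limit, and opens one connection per search when jndi_ldap_new_connection_flag is true; the context factory class, provider URL and search base are assumptions supplied by the caller.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical helper; mirrors the efix behaviour, it is not WebSphere's code. */
public class LdapSearchHelper {
    private static final String[] JNDI_PREFIXES = {"java.naming.", "com.ibm.jndi."};
    private final Hashtable<String, Object> env;
    private final int timeLimitMs;                // jndi_ldap_timeout (ms)
    private final boolean newConnectionPerSearch; // jndi_ldap_new_connection_flag
    private DirContext sharedCtx;                 // reused only when the flag is false

    LdapSearchHelper(String ctxFactory, String providerUrl, int timeLimitMs, boolean newConn) {
        this.env = buildEnvironment(System.getProperties(), ctxFactory, providerUrl);
        this.timeLimitMs = timeLimitMs;
        this.newConnectionPerSearch = newConn;
    }

    /** Copies every system property with a JNDI prefix into the context environment, so
     *  "-Djava.naming.ldap.derefAliases=never" on the JVM command line reaches the provider. */
    static Hashtable<String, Object> buildEnvironment(Properties sys, String factory, String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, factory); // assumed factory class, caller-supplied
        env.put(Context.PROVIDER_URL, url);
        for (String name : sys.stringPropertyNames()) {
            for (String prefix : JNDI_PREFIXES) {
                if (name.startsWith(prefix)) env.put(name, sys.getProperty(name));
            }
        }
        return env;
    }

    /** One search with the configured time limit; a fresh connection per call when required. */
    List<String> search(String base, String filter, String[] attrs) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setTimeLimit(timeLimitMs);       // maximum wait for results, in milliseconds
        sc.setReturningAttributes(attrs);   // fetch only the attributes actually needed
        DirContext ctx = newConnectionPerSearch ? new InitialDirContext(env)
                       : (sharedCtx != null ? sharedCtx : (sharedCtx = new InitialDirContext(env)));
        List<String> names = new ArrayList<>();
        try {
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            while (results.hasMore()) names.add(results.next().getNameInNamespace());
        } finally {
            if (newConnectionPerSearch) ctx.close(); // close the per-search connection
        }
        return names;
    }
}
```

Run the JVM with -Djava.naming.ldap.derefAliases=never to see the property appear in the environment returned by buildEnvironment.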