Fix (APAR):  PQ62471

Status:  Fix

Release:  4.0.4,4.0.3,4.0.2

Operating System:  All

Supersedes Fixes:  

CMVC Defect:  PQ62471

Byte size of APAR:  1070768

Date: 2003-05-15

Abstract:  Security Admin Roles not getting exported during XML Export and so also the SSO properties.

Description/symptom of problem:  1) Security Admin Roles not getting exported during XML 
   Export.
2) XMLConfig does not include all security functionality of 
   LTPA
   - SSO properties are not getting exported.
3) Enable Web trust association
4) Enable ssl-enabled for LDAP

Directions to apply fix:  
1) Create temporary "fix" directory to store the jar file:
 				AIX: /tmp/WebSphere/fix
   Solaris/Linux: /tmp/WebSphere/fix
 		  Windows: c:\temp\WebSphere\fix

2) Copy jar file to the directory

3) Shutdown WebSphere

4)Create a <WASHOME>/Fix directory if one does not already exist

5) Run the jar file with the following command answering questions/prompts as they appear:
   java -jar <jarfile name> -backupJar <WASHOME>/Fix/<jar file name>_backup.jar

6) Restart WebSphere

7) The temp directory may be removed but the jar file should be saved.  Do not remove
	any files created and stored in the <WASHOME>/Fix directory.
   These files are required if a fix is to be removed.


Directions to remove fix:  
NOTE:  FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.  DO NOT REMOVE A FIX UNLESS
 		ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.  YOU MAY REAPPLY ANY REMOVED FIX.

Example:  If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be
			 removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.


1) Change directory to the fix location (<WASHOME>/Fix).

2) Shutdown WebSphere

3) Run the backup jar file with the following command:
	java -jar <backup_fix#>

4) Restart WebSphere


Directions to re-apply fix:  
Follow the instructions for applying a fix.

If the backup files still exist (from the previous fix application), you will be prompted to overwrite.

Answer "yes" at the overwrite prompts.

Additional Information:  Example: A sample template for XMLConfig export of security center would now look like:


<security-config security-cache-timeout="600" security-enabled="false">
        <app-security-defaults>
            <realm-name>Default</realm-name>
            <challenge-type ssl-enabled="false">
                <basic-challenge/>
            </challenge-type>
        </app-security-defaults>
        <auth-mechanism>
            <ltpa-config>
                <ltpa-password>{xor}LD49MDU2</ltpa-password>
                <ltpa-timeout>7200000</ltpa-timeout>
                <sso-enabled ssl-enabled="false">
                    <domain-name/>

                    <!--
                        If action ="import" then below mentioned sso table will be imported, otherwise generateKeys will be invoked.
                        Supported actions are import|export|generate
                    -->

                    <sso-properties action="import">
                        <property name="com.ibm.websphere.CreationDate" value="Tue Jun 25 17:15:19 EDT 2002"/>
                        <property name="com.ibm.websphere.ltpa.PublicKey" value="AMFK36Hg9GyGhmpw4eNz1q1wN8KwaiEafdjalF+h/yXC9VKV2cGgVXe1Md61l8M8/exDlRIxdGq8tMfIo2bGiTY+nB7YP3VotJxJha4tAde8CVIaftI2Uw6Ei1adcboQBfRtmEqOHJWyP1LJAgV9fAeiKC3lJsULcXC560sm1dRBAQAB"/>
                        <property name="com.ibm.websphere.ltpa.version" value="1.0"/>
                        <property name="com.ibm.websphere.ltpa.Realm" value="ORCHIDS"/>
                        <property name="com.ibm.websphere.ltpa.PrivateKey" value="jslfhNipCRMljil/68lkzkI0Rl2CzS078uVMYVIouHHYNuCpIlBW6ZqgOsf23P8KcXriyv178VHQJLnmBpLYerZR00otLzdBwiHQgXp7AuyUgKaot3cXJginoVN9QZWLdYHOUlZNK9CcbYtY1LfgFE6hzEVqEedUnXPkXMsQQ4bfjzihKP1D+5IRxCvVS2393KPd8ItQZCGOzhvZM+frVc4+DR0byKfIG8JOemFbea8QgUwIUxnUJdI67xSZVJ3ehc+fnqIEaEiiu8ZVB01izYo7qlX1wWPtkngzk6JKXicZFDOSaCZ2nFFdHkjCR4CWE2pCyb8jW4O89ep9aH28pvU5zk0thYw8zvzGTjNKSDM="/>
                        <property name="com.ibm.websphere.CreationHost" value="orchids"/>
                        <property name="com.ibm.websphere.ltpa.3DESKey" value="CMmF20jxm/sfDqmTbqkHvl/zLWRlXw1jCGP2IxP2a0Q="/>
                    </sso-properties>
                </sso-enabled>
                <web-trust-association enable-WTA="true"/>
                <ldap-config type="netscape">
                    <user-id/>
                    <password>{xor}</password>
                    <ldap-host/>
                    <ldap-basedn/>
                </ldap-config>
            </ltpa-config>
        </auth-mechanism>
        <ssl-config>
            <key-file-name>${WAS_HOME}/etc/DummyServerKeyFile.jks</key-file-name>
            <key-file-password>{xor}CDo9Hgw=</key-file-password>
            <key-file-format>0</key-file-format>
            <client-authentication>false</client-authentication>
            <security-level>0</security-level>
            <crypto-hardware-enabled>false</crypto-hardware-enabled>
            <crypto-library-file/>
            <crypto-password>{xor}</crypto-password>
            <crypto-token-type/>
            <trust-file-name>${WAS_HOME}/etc/DummyServerTrustFile.jks</trust-file-name>
            <trust-file-password>{xor}CDo9Hgw=</trust-file-password>
            <property name="com.ibm.ssl.protocol" value="SSLv3"/>
        </ssl-config>
        <admin-roles>
            <authorization-table>
                <role name="AdminRole">
                    <description>An administrator role.</description>
                    <user access_id="user:ORCHIDS/S-1-5-21-1229272821-1708537768-839522115-1003" name="ORCHIDS\nobody"/>
                </role>
                <role name="CosNamingRead">
                    <description>Permitted to perform CosNaming read operations</description>
                    <everyone name="Everyone"/>
                </role>
                <role name="CosNamingWrite">
                    <description>Permitted to perform CosNaming write operations</description>
                    <everyone name="Everyone"/>
                </role>
                <role name="CosNamingCreate">
                    <description>Permitted to perform CosNaming create operations</description>
                    <everyone name="Everyone"/>
                </role>
                <role name="CosNamingDelete">
                    <description>Permitted to perform CosNaming delete operations</description>
                    <everyone name="Everyone"/>
                </role>
            </authorization-table>
        </admin-roles>
    </security-config>