Fix (APAR): PQ81390
Status: Fix
Release: 5.1.0
Operating System: All
Supersedes Fixes:
CMVC Defect: 181274 183920
Byte size of APAR: 18092
Date: 2003-12-05

Abstract: Cumulative fix for 5.1

Description/symptom of problem:

This cumulative fix contains the following 2 fixes:

1. A security exposure was discovered in the 5.1 release related to how the LTPA token handles expiration. When the token gets validated, it gets a new expiration, even if expired. The reason why we probably didn't catch this is because the expiration of the token in the WAS process is handled by the WSCredential and thus we have seen the token expiring appropriately on the first server. When a token flows from one server to another, the token gets a new timeout. So, if the token was expired before leaving the first server, it would have been caught and rejected. Once the token arrives at the new server, it does get validated to ensure the keys are correct, but the expiration it gets is a brand new timestamp.

2. When security trace is enabled, a null pointer exception might be raised.

Directions to apply fix:

NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX.
The Fix Installer can be downloaded from the following link:
http://www-3.ibm.com/software/webservers/appserv/support/index.html

1) Create temporary "fix" directory to store the jar file:
   UNIX: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy jar file to the directory
3) Shut down WebSphere
4) Follow the Fix installation instructions that are packaged with the Fix Installer on how to install the Fix.
5) Restart WebSphere
6) The temp directory may be removed.

Directions to remove fix:

NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shut down WebSphere
2) Follow the instructions that are packaged with the Fix Installer on how to uninstall the Fix.
3) Restart WebSphere

Directions to re-apply fix:

1) Shut down WebSphere
2) Follow the Fix instructions that are packaged with the Fix Installer on how to uninstall and reinstall the Fix.
3) Restart WebSphere

Additional Information:
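
The expiration flaw described in item 1, shown as a simplified model that is added here and is not IBM's code or the real LTPA token format. An HMAC-signed "user|expiry" string stands in for the token; the key, the timeout value and all function names are assumptions made for the example.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # stands in for the keys the servers share
TIMEOUT = 7200                        # constructed token lifetime, in seconds


class TokenRejected(Exception):
    """Raised when a token fails signature or expiration checks."""


def _sign(body: str) -> str:
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: int) -> str:
    """First server: embed the expiration in the signed token body."""
    body = f"{user}|{now + TIMEOUT}"
    return f"{body}|{_sign(body)}"


def _parse(token: str):
    """Check the signature, then return (user, embedded expiration)."""
    body, _, sig = token.rpartition("|")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        raise TokenRejected("signature mismatch")
    user, _, expiry = body.rpartition("|")
    return user, int(expiry)


def validate_flawed(token: str, now: int) -> dict:
    """Receiving server before the fix: keys are checked, but the
    credential gets a brand-new expiration instead of the embedded one."""
    user, _embedded_expiry = _parse(token)
    return {"user": user, "expires": now + TIMEOUT}


def validate_fixed(token: str, now: int) -> dict:
    """Receiving server after the fix: an expired token is rejected and
    the credential keeps the expiration set by the issuing server."""
    user, embedded_expiry = _parse(token)
    if now >= embedded_expiry:
        raise TokenRejected("token expired")
    return {"user": user, "expires": embedded_expiry}
```

A token issued at time 1000 expires at 8200; presented at time 9000, validate_flawed returns a credential valid until 16200, while validate_fixed raises TokenRejected.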