Fix (APAR): WAS_Security_07-24-2003_5.0.2_cumulative_Fix
Status: Fix
Release: 5.0.2
Operating System: All
Supersedes Fixes:
CMVC Defect: See APAR list.
Byte size of APAR: 251869
Date: 2003-08-01
Abstract: Security cumulative fix

Description/symptom of problem:

PQ75491 Benign SECJ4046E occurs in admin console when trying to configure his own JAAS module.

Users Affected: WebSphere Application Server users who have enabled security and add a custom JAAS module.
Problem Description: Users get SECJ4046E messages whenever the JAAS configuration is updated.
Recommendation:
Problem Summary: Whenever users update the JAAS configuration or add a new JAAS login module, "SECJ4046E" is incorrectly displayed.
Problem Conclusion: The logic for checking for duplicate JAAS login modules was corrected.

PQ75639 Customer wishes to use own HttpServletRequestWrapper, but while calling getPrivateAttributes() it generates a null pointer exce

Error Description: Own HttpServletRequestWrapper in WebSphere 5.01 will throw a NullPointerException while hitting method getPrivateAttributes(), which belongs to com.ibm.ws.security.web.WebCollaborator.
Users Affected: WebSphere Application Server users who have enabled security and use a customized HttpServletRequestWrapper.
Problem Description: NullPointerException encountered when accessing a protected page if a custom HttpServletRequestWrapper is in use.
Recommendation:
Problem Summary: A private HTTP request attribute flag is used to detect include and forward requests. This private attribute was not available in the custom HttpServletRequestWrapper.
Problem Conclusion: The flag is now based on a public attribute that is independent of a specific HttpServletRequestWrapper.

PQ75698 With J2 security .sun.net.www.protocol.jms: access denied

Error Description: Running a Web Services implementation using a service-to-service link, in other words a client implementation in a server that accesses another web service. Without security this works fine, but with Java 2 security turned on the following error occurs:

[6/20/03 19:26:28:484 PDT] 740051ef SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
Permission: accessClassInPackage.sun.net.www.protocol.jms : access denied

Users Affected: All WebSphere Application Server users who have enabled security and are creating URL connections using the Java Message Service (JMS) protocol.
Problem Description: The following exception is thrown when creating a URL connection: java.security.AccessControlException.
Recommendation:
Problem Summary: The following exception occurs when creating a URL connection using the JMS protocol when global security is enabled:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.net.www.protocol.jms)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
        at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
        at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
        at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java(Compiled Code))

If this permission is granted in the was.policy file of the application, the error that occurs instead is a MalformedURLException. The cause was explicitly setting the java.protocol.handler.pkgs system property, overriding what was already specified for the JMS protocol.
Problem Conclusion: The JMS protocol handler package is now appended to the java.protocol.handler.pkgs system property value rather than replacing the property value.
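The defect behind PQ75698 is a general one: java.protocol.handler.pkgs is a "|"-separated list of package prefixes that the JVM searches for <prefix>.<protocol>.Handler, so a component that assigns the property wholesale silently discards every handler package another component registered before it, and URL resolution then falls back to the JDK's own sun.* handler packages, which Java 2 security restricts. The following is an added example, not IBM's code or part of this fix; the package names are constructed placeholders and it is written for a current JDK. It shows the overwriting form beside the merging form, handles an unset property and a repeated registration, and is what to check in a component's startup code if this symptom appears with another protocol.

```java
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example (not WebSphere code): registering a URL protocol handler
 * package in java.protocol.handler.pkgs without clobbering what other
 * components already registered. Package names below are constructed.
 */
public final class HandlerPkgs {
    static final String PROP = "java.protocol.handler.pkgs";

    /** The defective form: assigns the property, so any earlier entry is lost. */
    static String replace(String current, String pkg) {
        return pkg;
    }

    /**
     * The corrected form: merge pkg into the existing '|'-separated list,
     * preserving the original search order and never adding a duplicate.
     * A null current value (nothing registered yet) yields just pkg.
     */
    static String append(String current, String pkg) {
        Set<String> pkgs = new LinkedHashSet<>();
        if (current != null) {
            for (String p : current.split("\\|")) {
                String trimmed = p.trim();
                if (!trimmed.isEmpty()) {
                    pkgs.add(trimmed);
                }
            }
        }
        pkgs.add(pkg.trim());
        return String.join("|", pkgs);
    }

    /** Register pkg in the live JVM property the merging way and return the new value. */
    static String register(String pkg) {
        String merged = append(System.getProperty(PROP), pkg);
        System.setProperty(PROP, merged);
        return merged;
    }

    public static void main(String[] args) {
        // Constructed values: one stands in for a handler package registered
        // earlier by the runtime (like the JMS handler), the other for a
        // component that registers its own handler package later.
        String earlier = "com.example.runtime.handlers";
        String mine = "com.example.ws.handlers";

        System.out.println("replace      : " + replace(earlier, mine));
        System.out.println("append       : " + append(earlier, mine));
        System.out.println("append twice : " + append(append(earlier, mine), mine));
        System.out.println("from unset   : " + append(null, mine));

        // Exercise the real property in this JVM; the earlier value is merged, not lost.
        System.setProperty(PROP, earlier);
        System.out.println("registered   : " + register(mine));
    }
}
```

When diagnosing a report like this one, the quick check is to read System.getProperty("java.protocol.handler.pkgs") after all components have initialized and confirm every expected package prefix is still present; a missing prefix points at a component that assigns the property instead of merging into it.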
PQ75715 FIPS failing if java.security file does not have fips providers

Error Description: FIPS failing if the java.security file does not have the FIPS providers in the list. The java.security file should not have to be changed anymore. A FIPS-enabled security server doesn't seem to work unless the java.security file is updated. This was supposed to be fixed in 1957.17. We get SSLHandshakeExceptions from the node agent if java.security is not changed. soap.client.props is updated with the appropriate information.
Users Affected: All WebSphere Application Server users who are using Federal Information Processing Standard (FIPS).
Problem Description: FIPS fails if the java.security provider list is not updated.
Recommendation:
Problem Summary: FIPS fails if the java.security provider list is not updated with the FIPS providers. An SSLHandshakeException is thrown from the node agent if this file is not modified.
Problem Conclusion: New code was introduced to remove the necessity of updating the java.security file.

PQ76432 Synchronization breaks when J2C JAAS authentication alias is added.

Error Description: Customer description: We are running WebSphere 5.0.1 ND on AIX 5.1. All appservers are clustered and global security is turned on. When we add a J2C JAAS authentication alias it breaks synchronization. Adding the alias updates the security.xml file, which is not being automatically synchronized. If we manually copy the security.xml file out to all nodes and then issue a sync command, synchronization is restored. Should this be automatically managed by WebSphere?
Local Fix: Setting the LDAP configuration to "ignore case" avoids the problem.
Users Affected: WebSphere Application Server users who have enabled security.
Problem Description: Authorization may fail while performing configuration synchronization in a network deployment environment.
Recommendation:
Problem Summary: Configuration synchronization fails with the following message: "SECJ0321E: Role based authorization is caller in role failed for security name ..". The cause was that Basic Authorization credentials were incorrectly used to perform authorization during synchronization.
Problem Conclusion: Synchronization will now only use LTPA credentials.

PQ76648 Users see exceptions such as "Exception caught adding IBMJSSEFIPS:" on OS/400

Error Description: When running WAS 5.0.2 on the OS/400 platform and security is enabled, users might get exceptions such as "Exception caught adding IBMJSSEFIPS: com.ibm.fips.jsse.IBMJSSEFIPSProvider".
Users Affected: WebSphere Application Server users who have enabled security and are using OS/400.
Problem Description: When security is enabled, users might see exceptions such as "Exception caught adding IBMJSSEFIPS:".
Recommendation:
Problem Summary: Messages such as "Exception caught adding IBMJSSEFIPS: com.ibm.fips.jsse.IBMJSSEFIPSProvider" might be encountered. This is due to the FIPS module loading when FIPS has not been enabled.
Problem Conclusion: FIPS providers now only load when the useFIPS property is true.

PQ76786 Cannot failover to another application server from a Java Client over RMI when com.ibm.CORBA.validateBasicAuth=true

When the following sequence is performed, a login exception occurs during step 3 because the SecurityServer object reference still points to WAS server1.
1. Login to WAS server1 as user1/password1
2. Logout from WAS server1
3. Login to WAS server2 as user2/password2
4. Logout from WAS server2
5. Login to WAS server3 as user3/password3
Users Affected: All WebSphere Application Server users with security enabled who are trying to log into and out of multiple servers.
Problem Description: A login exception occurs during login.
Recommendation:
Problem Summary: An exception occurs during login when attempting to log in to a different server than the one originally connected to. This is caused by a cached reference to the original server.
Problem Conclusion: The code was modified to do a new InitialContext and lookup of the SecurityServer using a different host and port than previously used, after receiving an exception from the old host and port. The new lookup will try to pick up the first host and port used by the application to do the first lookup prior to performing an authentication. Otherwise, the default host and port of localhost:2809 is used. See the following InfoCenter section: Security -> Securing Applications and their environment -> Developing secured applications -> Developing with JAAS to login programmatically. Go to the bullet titled "Naming requirements for programmatic login on a pure Java client" for more details about security server lookup precedence.

PQ76788 Java client login popup window is blank or in-active

Error Description: To reproduce:
1. Enable global security and restart the AppServer.
2. Go to \bin and run dumpNameSpace.bat. The cursor is inactive and the entry fields will not accept any text.
Local Fix: Press the TAB key and immediately type in the field.
Users Affected: All WebSphere Application Server users running Java clients with security enabled.
Problem Description: The login popup window will not accept text.
Recommendation:
Problem Summary: The login popup window will not accept text when security is enabled for a Java client. This was caused by the field constantly re-displaying.
Problem Conclusion: A flag was added in the code to only display the field once.

PQ76794 TrustMode is optional, but when not specified, a NullPointerException occurs

Error Description: When a web services request is received, a NullPointerException occurs in WSEMFRequestReceiverConfig.init() if trust mode is not configured.
Users Affected: All WebSphere Application Server 5.0 users who have Web services with security enabled and have not configured Trust Mode.
Problem Description: A NullPointerException is encountered when a Web services request is received.
Recommendation:
Problem Summary: A NullPointerException is encountered when a Web services request is received. The exception occurs because an assumption was made that Trust Mode is configured, when it is optional.
Problem Conclusion: The code was modified so that the Trust Mode configuration parameter value is now checked for a null value before it is used.

PQ76808 Security cannot be enabled on Solaris or HPUX if JDK 1.4.1

Error Description: Security cannot be enabled if the beta JDK 1.4.1 support is used on Solaris or HPUX.
Users Affected: All WebSphere Application Server users on HP-UX or Solaris who are attempting to enable security.
Problem Description: Security cannot be enabled on HP-UX and Solaris when using Java 1.4.1.
Recommendation:
Problem Summary: Security cannot be enabled on HP-UX and Solaris when using Java 1.4.1. The following errors are encountered:

[6/23/03 17:03:02:539 CDT] e93999 SSLServerSock E Unable to create server socket
[6/23/03 17:03:02:588 CDT] e93999 WebContainer E SRVE0146E: Failed to Start Transport on host , port 9443. The most likely cause is that the port is already in use. Please ensure that no other applications are using this port and restart the server.
com.ibm.ws.webcontainer.exception.TransportException: Failed to start transport https: java.io.IOException: java.lang.RuntimeException: Export restriction: SunJSSE only
        at com.ibm.ws.webcontainer.http.HttpTransport.startTransport(HttpTransport.java:132)
        at com.ibm.ws.webcontainer.WebContainer.startTransports(WebContainer.java:634)
        at com.ibm.ws.runtime.component.WebContainerImpl.startTransports(WebContainerImpl.java:319)
        at com.ibm.ws.runtime.component.WebContainerImpl.vetoableChange(WebContainerImpl.java:343)
        at java.beans.VetoableChangeSupport.fireVetoableChange(VetoableChangeSupport.java:300)
        at java.beans.VetoableChangeSupport.fireVetoableChange(VetoableChangeSupport.java:320)
        at java.beans.VetoableChangeSupport.fireVetoableChange(VetoableChangeSupport.java:217)
        at com.ibm.ws.runtime.component.ComponentImpl.setState(ComponentImpl.java:95)
        at com.ibm.ws.runtime.component.ComponentImpl.setStartState(ComponentImpl.java:132)
        at com.ibm.ws.runtime.component.ApplicationServerImpl.start(ApplicationServerImpl.java:123)
        at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:543)
        at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:418)
        at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:183)
        at com.ibm.ws.runtime.WsServer.start(WsServer.java:128)
        at com.ibm.ws.runtime.WsServer.main(WsServer.java:225)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.ibm.ws.bootstrap.WSLauncher.main(WSLauncher.java:94)

Problem Conclusion: The hardcoding of the IBMJCE provider within the internal socket factory code was removed. This allows the SunJCE provider to plug in to the JDK 1.4.1 server on non-IBM JDK platforms, including Solaris and HP-UX.

PQ76810 Complete exception information from a user registry is propagated to a Java client by default.

Complete exception information from a user registry is propagated to a Java client by default. This should only occur if a property is set. See the InfoCenter article at Security -> Securing applications and their environment -> Managing security -> Configuring Java Authentication and Authorization Service login -> Programmatic Login for more information.
Users Affected: All WebSphere Application Server users who have enabled security.
Problem Description: Detailed login failure exception information is propagated to Java clients.
Recommendation:
Problem Summary: Detailed login failure exception information is propagated to Java clients. This should not occur by default, but only if the following property is set to true: com.ibm.websphere.security.registry.propagateExceptionsToClient
Problem Conclusion: Code was changed to properly honor the property value.

Directions to apply fix:

NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX.
The Fix Installer can be downloaded from the following link:
http://www-3.ibm.com/software/webservers/appserv/support/index.html

1) Create a temporary "fix" directory to store the jar file:
   UNIX: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy the jar file to the directory.
3) Shut down WebSphere.
4) Follow the Fix installation instructions that are packaged with the Fix Installer on how to install the Fix.
5) Restart WebSphere.
6) The temp directory may be removed.

Directions to remove fix:

NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shut down WebSphere.
2) Follow the instructions that are packaged with the Fix Installer on how to uninstall the Fix.
3) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.
2) Follow the Fix instructions that are packaged with the Fix Installer on how to uninstall and reinstall the Fix.
3) Restart WebSphere.

Additional Information:
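PQ76810 above is an information-disclosure control: registry failure detail (which directory the lookup hit, why it failed) belongs in the server log, and a remote Java client should only receive it when the administrator has deliberately set com.ibm.websphere.security.registry.propagateExceptionsToClient to true. The following is an added illustration of that gate, not IBM's code and not how WebSphere implements it; the property name is the one the APAR cites, while the exception type, the message wording and the sample registry error are constructed. The point it shows is the fail-closed default: an unset, blank or misspelled value must behave as false.

```java
import java.util.logging.Logger;

/**
 * Added example (not WebSphere code): choose how much user-registry failure
 * detail a remote client is allowed to see, gated on a property that must
 * default to "do not propagate". The exception class and messages are constructed.
 */
public final class LoginFailureReporter {
    static final String PROP = "com.ibm.websphere.security.registry.propagateExceptionsToClient";
    static final String GENERIC = "Login failed";
    private static final Logger LOG = Logger.getLogger(LoginFailureReporter.class.getName());

    /** Stand-in for an exception raised by a user registry; constructed for this example. */
    static class RegistryException extends Exception {
        RegistryException(String detail) {
            super(detail);
        }
    }

    /**
     * Only the literal value "true" (case-insensitive, whitespace-trimmed) enables
     * propagation; null, empty and anything else are treated as false.
     */
    static boolean propagateEnabled(String value) {
        return value != null && value.trim().equalsIgnoreCase("true");
    }

    /**
     * Message returned to the client. Full detail always goes to the server log;
     * it reaches the client only when propagation is explicitly enabled.
     */
    static String messageForClient(RegistryException e, String propValue) {
        LOG.warning("registry login failure: " + e.getMessage());
        if (propagateEnabled(propValue)) {
            return GENERIC + ": " + e.getMessage();
        }
        return GENERIC;
    }

    public static void main(String[] args) {
        // Constructed registry error containing the kind of detail a client should not see by default.
        RegistryException e = new RegistryException("user 'alice' not found under ou=people,dc=example (constructed)");

        System.out.println("property unset : " + messageForClient(e, null));
        System.out.println("property empty : " + messageForClient(e, ""));
        System.out.println("property false : " + messageForClient(e, "false"));
        System.out.println("property yes   : " + messageForClient(e, "yes"));
        System.out.println("property TRUE  : " + messageForClient(e, " TRUE "));
        System.out.println("live JVM value : " + messageForClient(e, System.getProperty(PROP)));
    }
}
```

The check worth keeping after applying a fix of this kind is the first one in main: with the property absent, a failed client login must come back with only the generic message, while the server log still carries the detail needed for diagnosis.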