Fix (APAR): WAS_Security_03-17-2003_4.0.5-4.0.4-4.0.3_client_cumulative_Fix
Status: Fix
Release: 4.0.5,4.0.4,4.0.3
Operating System: All
Supersedes Fixes: PQ61779, PQ62538, PQ62684, PQ63116, PQ63574,
  WAS_Security_09-13-2002_4.0.4-4.0.3_client_cumulative_eFix,
  WAS_Security_10-07-2002_4.0.4-4.0.3_client_cumulative_eFix,
  WAS_Security_10-31-2002_4.0.4-4.0.3_client_cumulative_eFix,
  WAS_Security_11-19-2002_4.0.4-4.0.3-4.0.2_client_cumulative_eFix and
  WAS_Security_01-06-2003_4.0.5-4.0.4_client_cumulative_eFix,
  as well as any eFixes for APARs listed below
CMVC Defect: See APAR list below
Byte size of APAR: 1361075
Date: 03/20/2003
Abstract: Security cumulative fix.
Description/symptom of problem: See APAR list below

Directions to apply fix:
1) Create temporary "efix" directory to store the jar file
   AIX: /tmp/WebSphere/efix
   Solaris/Linux: /tmp/WebSphere/efix
   Windows: c:\temp\WebSphere\efix
2) Copy jar file to the directory
3) Shutdown WebSphere
4) Run the jar file with the following command, answering questions/prompts as they appear
   java -jar
5) Restart WebSphere
6) The temp directory may be removed but the jar file should be saved. Do not remove any files created and stored in the /WebSphere/AppServer/efix/ directories. These files are required if an efix is to be removed.

Directions to remove fix:
NOTE: EFIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE AN EFIX UNLESS ALL EFIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED EFIX.
Example: If your system has efix1, efix2, and efix3 applied in that order and efix2 is to be removed, efix3 must be removed first, efix2 removed, and efix3 re-applied.
1) Change directory to the efix location (/WebSphere/AppServer/efix/)
2) Shutdown WebSphere
3) Run the backup jar file with the following command
   java -jar
4) Restart WebSphere

Directions to re-apply fix:
Follow the instructions for applying an efix. If the backup files still exist (from the previous efix application), you will be prompted to overwrite.
Answer "yes" at the overwrite prompts.

Additional Information:
-----------------------------------------------------------------
The administration server and all application servers and clients which use the WebSphere installation directory must be stopped for proper application of this eFix.

Included APARS

APAR: PQ56218
Version: 400
Abstract: PMI DOES NOT RECOVER WHEN WEBSPHERE APP SERVER IS RESTARTED WHEN SECURITY ENABLED
Error Description: ** Brief Description: Customer has a java PMI client (Performance Monitoring Infrastructure) programming interface provided by IBM. -- It logs into WAS fine the first time but when you stop and restart WAS with security on it does not log back in. Getting error Cannot create PmiService bean obj; nested exception is java.rmi.RemoteException: CORBA INTERNAL 0 No
Local Fix: none
Logically Dependent Apars:
Users Affected: All WebSphere Application Server users which have enabled security
Problem Description: Java clients fail to log into WebSphere Application Server after the server is restarted with security enabled
Recommendation:
Problem Summary: After the Java client logged into the WebSphere Application Server, if the server restarts for any reason, then the Java Client cannot login again with security enabled. The client will get the java.rmi.RemoteException: CORBA INTERNAL
Problem Conclusion: When the client receives a request reject message, the client now checks the credential associated with the request. If the credential is a dummy credential, then the client tries to re-establish the secure association with the server again.
Test Comments:
Circumvention:
Temporary Fix: PQ56218_eFix_AEServer.jar
Comments:

APAR: PQ58764
Version: 400
Abstract: CORBA EXCEPTION ERROR
Error Description: The customer stated when java client hits the application server he is getting the following error into the client stdout file: CORBA exception errors... failed mutual authentication handshake... session does not exist in the session table.
He also noticed jsa150e-unable to find session in the session table errors. Defect 12042
Local Fix: No fix or workaround available yet
Logically Dependent Apars:
Users Affected: All WebSphere Application Server users which have enabled security
Problem Description: CORBA exception errors with failed mutual authentication message
Recommendation:
Problem Summary: Client gets CORBA exception errors, failed mutual authentication handshake after 45 minutes of attempting to complete the request. The following CORBA exception occurs: "org.omg.CORBA.NO_PERMISSION: Failed mutual authentication handshake. Session does not exist in the session table."
Problem Conclusion: The server now passes back the security context along with the exception, so the client can react accordingly.
Test Comments:
Circumvention:
Temporary Fix: PQ58764_401_test.jar
Comments:

APAR: PQ63116
Version: 400
Abstract: PROBLEM: WHEN THE ADMINISTRATION SERVER IS STOPPED AND RESTARTED, VARIOUS CLIENTS GET AUTHENTICATION ERRORS
Error Description: Problem: When the administration server is stopped and restarted, WebSphere SeriousEvent, PMI, and WSCP clients get Authentication errors.
Information specific to WAS 4.0.2: This was working fine with eFix PQ56218.
When later cumulative eFix PQ62538 was applied this is broken.
Local Fix: none
Logically Dependent Apars:
Users Affected: WebSphere Application Server users with security enabled
Problem Description: When the administration server is stopped and restarted, WebSphere clients get authentication errors
Recommendation:
Problem Summary: In the scenario where clients make a persistent connection with the server, clients get Authentication errors when the administration server is restarted without restarting the clients. Following exception will occur:
Exception stack trace: javax.naming.NoPermissionException NO_PERMISSION exception caught Root exception is org.omg.CORBA.NO_PERMISSION com.ibm.CORBA.iiop.ExceptionInterceptorsCalle minor code: 0 completed: Maybe
Problem Conclusion: Both the client and the server exception handling mechanism is improved to handle the broken connections between the client and the server.
Test Comments:
Circumvention:
Temporary Fix: PQ63116_eFix.jar
Comments:

APAR: PQ69188
Version: 400
Abstract: UNEXPECTED LOGIN PROMPT WHEN CLICKING ON ADMIN CONSOLE
Error Description: We set the Security timeout to 300 and the LTPA token timeout to 10mn. When the LTPA Token timeout expired, a popup window is displayed asking us to login again and a message is sent in the tracefile in order to warn us that the credential have expired. We expected this behaviour and we were happy. Then we entered the userid/password, we hit "enter".
It seems that we are logged in. Then we click on the console and we saw a new popup window asking us to login again, but this time without any messages in the tracefile. We entered the userid/password and we were able to go through the websphere topology inside the console. We don't think that prompting the second time when clicking on the console is correct.
Steps taken
- wait 10m
- popup window
- Login/password (msg in tracefile) and hit enter
- hit somewhere in the console and you got a second popup window
- Login/password (no msg in tracefile) and hit enter
- wait 10m
- popup window
- Login/password (msg in tracefile) and hit enter
- wait 10m
- popup window
- Login/password (msg in tracefile) and hit enter
By "message in tracefile", we mean JSAS0435E and CNTR0019 messages are generated.
Local Fix: No workaround is known at this time
Logically Dependent Apars:
Users Affected: All WebSphere Application Server users who have enabled security and use the Administration Console with the Authentication Mechanism set to LTPA
Problem Description: Admin Console displays unexpected login prompt after login
Recommendation:
Problem Summary: When the LTPA Token timeout expired, a login window is displayed to login again and a message is sent in the tracefile in order to warn that the credential have expired. After username and password is entered, the console appears to be logged in. However, when the console is clicked again to access resources, another login window is displayed.
Problem Conclusion: This is caused by the expired credential not being cleaned properly. The expired credential is now being removed after expiration.
Test Comments:
Circumvention:
Temporary Fix: available
Comments:
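
The removal-order rule under "Directions to remove fix" can be checked before any backup jar is run. The following is an added example, not part of the IBM readme or its tooling: the function names and the eFix names are hypothetical, and it assumes removed eFixes are re-applied in their original order.

```python
# Added illustration of the readme's removal-order rule; the function names
# and the eFix names below are hypothetical, not part of the IBM tooling.

def plan_removal(applied, target):
    """Return ordered (action, efix) steps for removing `target`.

    `applied` lists eFix names oldest first. Everything applied after
    `target` comes off newest first, then `target`, then the later
    eFixes go back on in their original order (re-applying is optional
    per the readme; the steps follow its efix1/efix2/efix3 example).
    """
    if len(set(applied)) != len(applied):
        raise ValueError("applied list contains a duplicate eFix name")
    if target not in applied:
        raise ValueError(f"{target} is not in the applied list")
    later = applied[applied.index(target) + 1:]
    steps = [("remove", name) for name in reversed(later)]
    steps.append(("remove", target))
    steps.extend(("re-apply", name) for name in later)
    return steps


def check_removal_sequence(applied, removals):
    """Return the first ordering violation in `removals`, or None."""
    remaining = list(applied)
    for name in removals:
        if name not in remaining:
            return f"{name} is not currently applied"
        if remaining[-1] != name:
            return f"{name} cannot be removed before {remaining[-1]}"
        remaining.pop()
    return None


if __name__ == "__main__":
    applied = ["efix1", "efix2", "efix3"]  # constructed sample, oldest first
    for action, name in plan_removal(applied, "efix2"):
        print(f"{action}: {name}")
    print(check_removal_sequence(applied, ["efix2"]))
```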