APAR PQ38662 for V3.02.1

Description: This APAR contains the latest security fixes. The following defects are fixed in this APAR:

76516  Client credential delegation does not work with LTPA.
72322  LTPA authentication should fail when the search for the user DN fails in the directory. Previous behavior would allow authentication to succeed but subsequent authorization would fail.
77121  LTPA authentication could succeed if no password was supplied. This error occurred if the directory was configured to allow anonymous bind: such a directory treats a simple bind with an empty password as an anonymous bind, so the bind succeeded without any credential being checked.
77636  LTPA authentication should succeed even if group lookup for the user fails.
77688  When authenticating using a DN, DNs should be normalized by removing extra spaces.
77768  Single Sign On was not honoring the setting to only flow the cookie if SSL is enabled.
75570  Performance: Security WebSphere resources should be handled by the app server and should not make an extra hop to the admin server.
72394  If the RunAs mode is set to SPECIFIED_IDENTITY, the delegation does not take effect without this fix.
78387  getRemoteUser returns a value with a leading "/"; this behavior is fixed.
72436  Secondary BeanCache not cleared during sweep.
78925  Performance: credential cache not working properly.
78774  Authorization failure for EJB when stress is immediately applied (BeanCache problem).
74981  After logging in using the userid and password during a custom login process, the user gets a page containing a security exception trace.
78769  getWebAttributes method call executed under a non-privileged identity, resulting in authorization exceptions.
78776  OutOfMemoryError on long run with security enabled.
80169  Exact DN certificate mapping mode authorization failures.

***********************************************************************************************

How to apply on Solaris (needs to be modified slightly for other platforms).
This needs to be added to the front of the classpath in the following files. (Assumes security0526.jar has been copied to /opt/WebSphere/AppServer/lib.) The fix jar must come before ibmwebas.jar in every case: the class loader uses the first copy of a class it finds on the classpath, so a jar appended after ibmwebas.jar would leave the unfixed classes in use while appearing to be installed.

startupServer.sh
================
change:
CLASSPATH=$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar
to:
CLASSPATH=$WAS_HOME/lib/security0526.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar

admin.config
============
change:
com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....
to:
com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/security0526.jar:/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....

adminclient.sh
==============
change:
WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
WAS_CP=$WAS_HOME/lib/security0526.jar:$WAS_HOME/lib/ibmwebas.jar

debug/adminserver.sh (optional, required if you are running adminserver.sh)
====================
change:
WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
WAS_CP=$WAS_HOME/lib/security0526.jar:$WAS_HOME/lib/ibmwebas.jar
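The four edits above as one script, added here as a worked example; it is not part of IBM's APAR and not IBM's code. It inserts the jar with sed right after the assignment name on each line, keeps a .orig copy of every file it touches, refuses to insert the jar a second time, and then checks the property that actually matters: that security0526.jar is the first entry on each classpath. Assumptions not stated in the APAR: the files live under $WAS_HOME/bin and $WAS_HOME/bin/debug, and the sample files the script builds in a temporary directory are constructed stand-ins containing only the lines the APAR quotes (the "other.jar" entry stands in for whatever the APAR elides after ibmwebas.jar in admin.config).

```shell
#!/bin/sh
# Added example, not IBM's code: apply the four classpath edits above,
# keep backups, stay idempotent, and verify the jar is searched first.
# Assumed layout (not stated in the APAR): $WAS_HOME/bin and $WAS_HOME/bin/debug.

FIXJAR_NAME="security0526.jar"

# Constructed stand-ins holding the exact lines the APAR text quotes.
# "other.jar" is a placeholder for what follows ibmwebas.jar in admin.config.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/lib" "$root/bin/debug"
  : > "$root/lib/$FIXJAR_NAME"
  printf 'CLASSPATH=$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar\n' \
    > "$root/bin/startupServer.sh"
  printf 'com.ibm.ejs.sm.adminserver.classpath=%s/lib/ibmwebas.jar:%s/lib/other.jar\n' \
    "$root" "$root" > "$root/bin/admin.config"
  printf 'WAS_CP=$WAS_HOME/lib/ibmwebas.jar\n' > "$root/bin/adminclient.sh"
  printf 'WAS_CP=$WAS_HOME/lib/ibmwebas.jar\n' > "$root/bin/debug/adminserver.sh"
}

# prepend_jar FILE KEY JARPATH: on the line beginning with KEY (e.g. "WAS_CP="),
# insert "JARPATH:" directly after KEY so that jar is searched before all others.
prepend_jar() {
  file="$1"; key="$2"; jar="$3"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  grep -q "^$key" "$file" || { echo "no line starting with $key in $file" >&2; return 1; }
  if grep "^$key" "$file" | grep -qF "$FIXJAR_NAME"; then
    echo "$file: $FIXJAR_NAME already present, not changed" >&2
    return 0
  fi
  [ -e "$file.orig" ] || cp "$file" "$file.orig"      # keep the pre-fix file
  sed "s|^\($key\)|\1$jar:|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# jar_is_first FILE KEY: succeed only if the first ':'-separated entry on the
# KEY line ends in the fix jar name (first match wins at class-load time).
jar_is_first() {
  file="$1"; key="$2"
  value=$(sed -n "s|^$key||p" "$file" | head -n 1)
  [ -n "$value" ] || return 1
  case "$(printf '%s\n' "$value" | cut -d: -f1)" in
    *"/$FIXJAR_NAME") return 0 ;;
    *) return 1 ;;
  esac
}

apply_fix() {
  was_home="$1"
  prepend_jar "$was_home/bin/startupServer.sh" 'CLASSPATH=' '$WAS_HOME/lib/'"$FIXJAR_NAME" &&
  prepend_jar "$was_home/bin/admin.config" 'com.ibm.ejs.sm.adminserver.classpath=' "$was_home/lib/$FIXJAR_NAME" &&
  prepend_jar "$was_home/bin/adminclient.sh" 'WAS_CP=' '$WAS_HOME/lib/'"$FIXJAR_NAME" &&
  prepend_jar "$was_home/bin/debug/adminserver.sh" 'WAS_CP=' '$WAS_HOME/lib/'"$FIXJAR_NAME"
}

verify_fix() {
  was_home="$1"
  jar_is_first "$was_home/bin/startupServer.sh" 'CLASSPATH=' &&
  jar_is_first "$was_home/bin/admin.config" 'com.ibm.ejs.sm.adminserver.classpath=' &&
  jar_is_first "$was_home/bin/adminclient.sh" 'WAS_CP=' &&
  jar_is_first "$was_home/bin/debug/adminserver.sh" 'WAS_CP='
}

# Dry run against the constructed tree. Point apply_fix and verify_fix at a
# real WAS_HOME (after taking your own backup) to use them on an install.
DEMO_HOME=$(mktemp -d)
make_sample_tree "$DEMO_HOME"
apply_fix "$DEMO_HOME" && verify_fix "$DEMO_HOME" && \
  echo "$FIXJAR_NAME is first on every classpath under $DEMO_HOME"
```

Run verify_fix on its own after any hand edit as well; it catches the common mistake of appending the jar after ibmwebas.jar, which would pass a simple "is the jar on the classpath" check while leaving the unfixed classes in use.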