APAR PQ38662 for V3.02.1

Description:
This APAR contains the latest security fixes.

The following defects are fixed in this APAR:

76516    Client credential delegation does not work with LTPA
72322    LTPA authentication should fail when the search for the user DN
         fails in the directory. Previous behavior would allow
         authentication to succeed but subsequent authorization would fail.
77121    LTPA authentication could succeed if no password was supplied.
         This error occurred if the directory was configured to allow
         anonymous bind.
77636    LTPA Authentication should succeed even if group lookup for the
         user fails
77688    When authenticating using a DN, DNs should be normalized by
         removing extra spaces
77768    Single Sign On was not honoring the setting to only flow the
         cookie if SSL is enabled
75570    Performance: Security WebSphere resources should be handled by
         app server and should not make an extra hop to admin server
72394    If the RunAs mode is set to be SPECIFIED_IDENTITY, then the
         delegation will not take effect without this fix.
78387    getRemoteUser returns a value with a leading "/" and this
         behavior is fixed.
72436    Secondary BeanCache not cleared during sweep
78925    Performance: Credential Cache not working properly
78774    Authorization failure for EJB when stress is immediately applied
         (BeanCache problem)
74981    After logging in using the userid and password during custom
         login process, user gets a page containing security exception
         trace.
78769    getWebAttributes method call executed under a non-privileged
         identity resulting in authorization exceptions
78776    OutOfMemoryError on long run with security enabled
80169    Exact DN certificate mapping mode authorization failures
82026    Performance enhancement - implementing authentication and
         validation caches
82026.1  Initializing validation cache in R3.02x
76446 + 81298
         Redirect user to the refererURL in the case of Custom login.
83735    A full DN specified for the server ID that might not be
         searchable but is still valid (e.g., "cn=root") should be
         accepted by WebSphere.
80281    Login and Relogin URL for CustomLogin should be either an "http"
         or an "https" URL

------------------------------------------------------------------------

Directions for installation on AIX:

security0802.jar needs to be added to the front of the classpath in the
following files:
(Assumes security0802.jar has been copied to /usr/WebSphere/AppServer/lib)

startupServer.sh
================
change:
    CLASSPATH=$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar
to:
    CLASSPATH=$WAS_HOME/lib/security0802.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar

admin.config
============
change:
    com.ibm.ejs.sm.adminserver.classpath=/usr/WebSphere/AppServer/lib/ibmwebas.jar: ....
to:
    com.ibm.ejs.sm.adminserver.classpath=/usr/WebSphere/AppServer/lib/security0802.jar:/usr/WebSphere/AppServer/lib/ibmwebas.jar: ....

adminclient.sh
==============
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0802.jar:$WAS_HOME/lib/ibmwebas.jar

debug/adminserver.sh (optional, required if you are running adminserver.sh)
====================
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0802.jar:$WAS_HOME/lib/ibmwebas.jar

------------------------------------------------------------------------

Directions for installation on Windows NT:

security0802.jar needs to be added to the front of the classpath in the
following files:
(Assumes security0802.jar has been copied to C:\WebSphere\AppServer\lib)

admin.config
============
change:
    com.ibm.ejs.sm.adminserver.classpath=C:/WebSphere/AppServer/lib/ibmwebas.jar; ....
to:
    com.ibm.ejs.sm.adminserver.classpath=C:/WebSphere/AppServer/lib/security0802.jar;C:/WebSphere/AppServer/lib/ibmwebas.jar; ....

adminclient.bat
===============
change:
    set WAS_CP=%WAS_HOME%\lib\ibmwebas.jar
to:
    set WAS_CP=%WAS_HOME%\lib\security0802.jar;%WAS_HOME%\lib\ibmwebas.jar

debug/adminserver.bat (optional, required if you are running adminserver.bat)
=====================
change:
    set WAS_CP=%WAS_HOME%\lib\ibmwebas.jar
to:
    set WAS_CP=%WAS_HOME%\lib\security0802.jar;%WAS_HOME%\lib\ibmwebas.jar

------------------------------------------------------------------------

Directions for installation on Solaris:

security0802.jar needs to be added to the front of the classpath in the
following files:
(Assumes security0802.jar has been copied to /opt/WebSphere/AppServer/lib)

startupServer.sh
================
change:
    CLASSPATH=$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar
to:
    CLASSPATH=$WAS_HOME/lib/security0802.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar

admin.config
============
change:
    com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....
to:
    com.ibm.ejs.sm.adminserver.classpath=/opt/WebSphere/AppServer/lib/security0802.jar:/opt/WebSphere/AppServer/lib/ibmwebas.jar: ....

adminclient.sh
==============
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0802.jar:$WAS_HOME/lib/ibmwebas.jar

debug/adminserver.sh (optional, required if you are running adminserver.sh)
====================
change:
    WAS_CP=$WAS_HOME/lib/ibmwebas.jar
to:
    WAS_CP=$WAS_HOME/lib/security0802.jar:$WAS_HOME/lib/ibmwebas.jar
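
------------------------------------------------------------------------

Added example (not part of the original APAR text, and not IBM code): the fixes only load if security0802.jar comes ahead of ibmwebas.jar on every classpath line edited above, so this script checks that ordering in one file. The function name check_classpath_order and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Verify that security0802.jar precedes ibmwebas.jar on each classpath line.
# Return status: 0 = patched ordering on every matching line,
#                1 = a line loads ibmwebas.jar first or without the fix jar,
#                2 = no classpath line in the file mentions ibmwebas.jar.
check_classpath_order() {
    awk '
        # Assignments named in the directions: CLASSPATH=, WAS_CP=,
        # "set WAS_CP=" (Windows NT) and com.ibm.ejs.sm.adminserver.classpath=
        /^[ \t]*(set[ \t]+)?(CLASSPATH|WAS_CP|com\.ibm\.ejs\.sm\.adminserver\.classpath)=/ {
            base = index($0, "ibmwebas.jar")
            if (base == 0) next          # line does not load the base jar
            seen = 1
            fix = index($0, "security0802.jar")
            if (fix == 0 || fix > base) {
                printf "%s:%d: security0802.jar is not ahead of ibmwebas.jar\n", FILENAME, NR
                bad = 1
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2; exit 0 }
    ' "$1"
}

# Constructed sample files (not taken from a real installation).
demo=$(mktemp -d)
cat > "$demo/adminclient.sh" <<'EOF'
WAS_CP=$WAS_HOME/lib/ibmwebas.jar
EOF
cat > "$demo/startupServer.sh" <<'EOF'
CLASSPATH=$WAS_HOME/lib/security0802.jar:$DB_CLASSPATH:$WAS_HOME/lib/ibmwebas.jar
EOF
for f in "$demo/adminclient.sh" "$demo/startupServer.sh"; do
    if check_classpath_order "$f"; then
        echo "patched:     $f"
    else
        echo "NOT patched: $f"
    fi
done
rm -rf "$demo"
```

A status of 2 means the file has no classpath line naming ibmwebas.jar, which usually indicates the wrong file was checked rather than a successful install.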