PQ51442: CORRECT VARIOUS SECURITY PROBLEMS

APAR status
Closed as program error.

Error description
This APAR corrects various security problems with WebSphere
Application Server AE. The following defects will be fixed:
110556.1 - This defect fixes the problem of mismatched
 LTPA keys and LTPA password that can occur when a new
 ltpa-password (different from the existing one) is used
 during XMLConfig import. With this fix, the LTPA keys are
 regenerated every time an XMLConfig import is done with the
 element ltpa-password set in the XMLConfig import file, so
 that the LTPA keys and the LTPA password stay in sync.
 These new keys must then be propagated to all existing
 WebSphere domains, if any, for security interoperability to
 keep working (LTPA tokens issued by one domain are only
 accepted by another when both hold the same keys). This can
 be done using the export and import buttons in the Security
 Center GUI. Refer to the InfoCenter documentation for more
 information on generating, exporting and importing LTPA keys.
 If this fix is not applied and the LTPA password in the
 XMLConfig import file is different from the existing LTPA
 password (if any), the WebSphere Application Server adminServer
 will not come up.
110280 - In certain situations during adminServer bringup the
 sas.server.props file can be truncated when certain security
 exceptions are thrown. This defect fixes this problem.
 When this problem happens the adminServer will not be able
 to come up (it might prompt for a user name and password
 multiple times).
110293 - When security is enabled, a java.lang.OutOfMemoryError
 may occur after a period of time because one of the security
 components is not releasing resources and thus eventually
 consumes all available memory. The symptoms of this problem
 include steadily increasing memory consumption by WebSphere
 Application Server processes, followed by the OutOfMemoryError,
 which will cause the application server process to terminate.
110671 - NO_PERMISSION is not surfaced properly when a
 programmatic login is attempted with an invalid user ID or
 invalid password. Symptoms are that a programmatic login in a
 servlet or EJB with an invalid user ID or invalid password may
 fail with a NullPointerException instead of the expected
 NO_PERMISSION exception. This problem was discovered during
 interoperability testing between WebSphere and Component Broker.
110352 - An invalid user ID appears to pass authentication but
 then fails with an authorization failure. A client application
 may authenticate to WebSphere with an invalid user ID or
 password and, instead of getting a CORBA NO_PERMISSION
 exception at login, the client gets an authorization exception
 (for the /UNAUTHENTICATED principal) on its first attempt to
 access a protected resource. The authorization exception will
 look something like:
 CNTR0019E: Non-application exception occurred while processing
 method create: com.ibm.websphere.csi.CSIException: SECJ0053E:
 Authorization failed for /UNAUTHENTICATED while invoking
 (Home)ejsadmin/homes/ClientAccessHome create:0
 securityName: /UNAUTHENTICATED; accessID: UNAUTHENTICATED is
 not granted any of the required roles: AdminRole
 at com.ibm.ejs.security.SecurityCollaborator.
 performAuthorization(SecurityCollaborator.java:555)
Local fix

Problem summary
This APAR corrects various security problems with WAS AE.
The following defects will be fixed.
110556.1 - This defect fixes the problem of mismatched
 LTPA keys and LTPA password that can occur when a new
 ltpa-password (different from the existing one) is used
 during XMLConfig import. With this fix, the LTPA keys are
 regenerated every time an XMLConfig import is done with the
 element ltpa-password set in the XMLConfig import file, so
 that the LTPA keys and the LTPA password stay in sync.
 These new keys must then be propagated to all existing
 WebSphere domains (if any) for security interoperability to
 keep working. This can be done using the export and import
 buttons in the Security Center GUI. Refer to the InfoCenter
 documentation for more information on generating, exporting
 and importing LTPA keys.
 If this fix is not applied and the LTPA password in the
 XMLConfig import file is different from the existing LTPA
 password (if any), the WAS adminServer will not come up.
110280 - In certain situations during adminServer bringup the
 sas.server.props file can be truncated when certain security
 exceptions are thrown. This defect fixes this problem.
 When this problem happens the adminServer will not be able
 to come up (it might prompt for a user name and password
 multiple times).
110293 - When security is enabled, a java.lang.OutOfMemoryError
 may occur after a period of time because one of the security
 components is not releasing resources and thus eventually
 consumes all available memory. The symptoms of this problem
 include steadily increasing memory consumption by WebSphere
 Application Server processes, followed by the OutOfMemoryError,
 which will cause the application server process to terminate.
110671 - NO_PERMISSION is not surfaced properly when a
 programmatic login is attempted with an invalid user ID or
 invalid password. Symptoms are that a programmatic login in a
 servlet or EJB with an invalid user ID or invalid password may
 fail with a NullPointerException instead of the expected
 NO_PERMISSION exception. This problem was discovered during
 interoperability testing between WebSphere and Component Broker.
Also fixes:
110293.1 - Multi-threaded Java client applications fail when
WLM and security are enabled. You are also strongly urged to
apply e-fix PQ51460, which corrects a problem in the container
that is likewise required for a WLM- and security-enabled
server to operate properly. Symptoms at the failing Java client
side may include the following messages:
---------------------------------------------------------------
   3>  2001-08-03 15:40:13.794 ,  ServerID: -1 ,
 CDRInputMessage.constructor :
      JSAS0208E: Internal error: system exception.
   Take down all the error information and contact support for
   more assistance.

   4>  2001-08-03 15:40:13.824 ,  ServerID: -1 ,
 SecureAssociationInterceptorImpl.client_system_exception :
      JSAS0208E: Internal error: system exception.  Take down
      all the error information and contact support for more
      assistance.

   7>  2001-08-03 15:41:45.185 ,  ServerID: -1 ,
 SecureAssociationInterceptorImpl.client_demarshalled_response ,
Error code = 0:
      JSAS0300E: Invalid message type returned from target.
      Retry the operation after a few minutes.  If the problem
      persists, there should be messages on the server system
      which may give a better indication of what the problem is.
      Further tracing on the server may be necessary.  Contact
      support for assistance.
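The two symptom patterns this APAR quotes (the server-side SECJ0053E authorization failure for the /UNAUTHENTICATED principal under defect 110352, and the client-side JSAS0208E/JSAS0300E messages under defect 110293.1) can be picked out of a log automatically. The Python script below is an added example written for this page; it is not IBM code and not part of the APAR. Its SAMPLE_LOG is constructed from the message wording the APAR quotes; the second SECJ0053E record (principal appuser, accessID user:wasrealm/appuser) is invented to show the contrast with a genuine role-mapping failure. The point it encodes is the one 110352 makes: an authorization failure whose accessID is UNAUTHENTICATED means the caller never actually authenticated, so it should be triaged as a credential failure (or, on an unfixed server, as this defect) rather than as a missing role assignment.

```python
"""Triage WebSphere AE 4.0 security messages for the symptoms in APAR PQ51442.

Added example, not IBM code. SAMPLE_LOG is constructed from the message text
quoted in the APAR; the 'appuser' record is invented for contrast.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: two SECJ0053E records (one for the unauthenticated
# principal, one for a real user lacking a role) and two client-side JSAS
# records. Wrapped continuation lines are indented, as in the APAR text.
SAMPLE_LOG = """\
CNTR0019E: Non-application exception occurred while processing method create: com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome create:0
  securityName: /UNAUTHENTICATED; accessID: UNAUTHENTICATED is not granted any of the required roles: AdminRole
  at com.ibm.ejs.security.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:555)
SECJ0053E: Authorization failed for appuser while invoking (Home)ejsadmin/homes/ClientAccessHome create:0
  securityName: appuser; accessID: user:wasrealm/appuser is not granted any of the required roles: AdminRole
3>  2001-08-03 15:40:13.794 ,  ServerID: -1 , CDRInputMessage.constructor :
  JSAS0208E: Internal error: system exception. Take down all the error information and contact support for more assistance.
7>  2001-08-03 15:41:45.185 ,  ServerID: -1 , SecureAssociationInterceptorImpl.client_demarshalled_response , Error code = 0:
  JSAS0300E: Invalid message type returned from target. Retry the operation after a few minutes.
"""

SECJ0053E_RE = re.compile(
    r"SECJ0053E: Authorization failed for (?P<who>\S+) while invoking "
    r"(?P<resource>.+?)\s+securityName: (?P<secname>[^;]+); "
    r"accessID: (?P<accessid>\S+) is not granted any of the required roles: "
    r"(?P<roles>.+)$"
)
JSAS_RE = re.compile(r"(?P<id>JSAS0\d{3}E): (?P<text>[^.]+\.)")


@dataclass(frozen=True)
class Finding:
    kind: str        # see classify() for the three kinds
    message_id: str
    detail: str


def join_records(lines: Iterable[str]) -> List[str]:
    """Fold indented continuation lines into the record above them and drop
    Java stack frames ('at pkg.Class.method(File.java:N)')."""
    records: List[str] = []
    for raw in lines:
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("at ") and records:
            continue
        if raw[:1].isspace() and records:
            records[-1] += " " + stripped
        else:
            records.append(stripped)
    return records


def classify(record: str) -> Optional[Finding]:
    m = SECJ0053E_RE.search(record)
    if m:
        # accessID UNAUTHENTICATED: the caller never authenticated, so an
        # authorization failure here is really a credential failure (110352).
        if m.group("accessid") == "UNAUTHENTICATED":
            return Finding(
                "authn_failure_surfaced_as_authz", "SECJ0053E",
                f"unauthenticated caller reached authorization on {m.group('resource')}; "
                f"required roles: {m.group('roles')}")
        # A named accessID did authenticate; this is a real role-mapping gap.
        return Finding(
            "genuine_authz_failure", "SECJ0053E",
            f"{m.group('accessid')} lacks {m.group('roles')} on {m.group('resource')}")
    m = JSAS_RE.search(record)
    if m:
        # Client-side secure-association errors, as listed under 110293.1.
        return Finding("client_secure_association_error", m.group("id"), m.group("text"))
    return None


def triage(text: str) -> List[Finding]:
    return [f for f in (classify(r) for r in join_records(text.splitlines())) if f]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:34} {f.message_id}  {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a real adminServer or client trace, a steady stream of authn_failure_surfaced_as_authz findings after login attempts is the 110352 signature; the same message with a named accessID is an ordinary role-mapping problem and should not be blamed on this APAR.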
Problem conclusion

Temporary fix

Comments
APAR information
APAR number PQ51442
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2001-08-14
Closed date 2001-08-23
Last modified date 2003-04-17

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ51442
IBM Group: Software Group
Modified date: Apr 17, 2003