PQ51442: CORRECT VARIOUS SECURITY PROBLEMS
APAR status
Closed as program error.

Error description
This APAR corrects various security problems with WebSphere Application Server AE. The following defects will be fixed:

110556.1 - This defect fixes the problem of mismatching LTPA keys and LTPA password that can happen when a new ltpa-password (different from the existing one) is used during XMLConfig import. This fix will generate the LTPA keys every time an XMLConfig import is done, if the element ltpa-password is set in the XMLConfig import file, so that the LTPA keys and the LTPA password are in sync. These new keys will then need to be propagated to all existing WebSphere domains, if any, in order for security interoperability to work. This can be done using the export and import buttons in the Security Center GUI. Refer to the InfoCenter documentation for more information on generating, exporting and importing LTPA keys. If this fix is not applied and the LTPA password in the XMLConfig import file is different from the existing LTPA password (if any), the WebSphere Application Server adminServer will not come up.

110280 - In certain situations during adminServer bringup the sas.server.props can be truncated when some security exceptions are thrown. This defect fixes this problem. When this problem happens the adminServer will not be able to come up (it might prompt one to enter user name and password multiple times).

110293 - When security is enabled, a java.lang.OutOfMemory exception may occur after a period of time because one of the security components is not releasing resources and thus eventually consumes all available memory. The symptoms of this problem include steadily increasing memory consumption by WebSphere Application servers, followed by the OutOfMemory exception, which will cause the application server process to terminate.

110671 - NO_PERMISSION not surfacing properly on programmatic login with an invalid user ID or invalid password. Symptoms are that a programmatic login in a servlet or EJB with an invalid user ID or invalid password may fail with a null pointer exception instead of the expected NO_PERMISSION exception. This problem was discovered when performing interoperability tests between WebSphere and Component Broker.

110352 - Invalid user ID appears to pass authentication but fails with authorization failure. A client application may authenticate to WebSphere with an invalid user ID or password and, instead of getting a CORBA NO_PERMISSION exception, the client will get an authorization exception on the first attempt to access a protected resource. The authorization exception will look something like:

    CNTR0019E: Non-application exception occurred while processing method create:
    com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome create:0 securityName: /UNAUTHENTICATED; accessID: UNAUTHENTICATED is not granted any of the required roles: AdminRole
    at com.ibm.ejs.security.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:555)

Local fix

Problem summary
This APAR corrects various security problems with WAS AE. The following defects will be fixed:

110556.1 - This defect fixes the problem of mismatching LTPA keys and LTPA password that can happen when a new ltpa-password (different from the existing one) is used during XMLConfig import. This fix will generate the LTPA keys every time an XMLConfig import is done, if the element ltpa-password is set in the XMLConfig import file, so that the LTPA keys and the LTPA password are in sync. These new keys will then need to be propagated to all existing WebSphere domains (if any) in order for security interoperability to work. This can be done using the export and import buttons in the Security Center GUI. Refer to the InfoCenter documentation for more information on generating, exporting and importing LTPA keys. If this fix is not applied and the LTPA password in the XMLConfig import file is different from the existing LTPA password (if any), the WAS adminServer will not come up.

110280 - In certain situations during adminServer bringup the sas.server.props can be truncated when some security exceptions are thrown. This defect fixes this problem. When this problem happens the adminServer will not be able to come up (it might prompt one to enter user name and password multiple times).

110293 - When security is enabled, a java.lang.OutOfMemory exception may occur after a period of time because one of the security components is not releasing resources and thus eventually consumes all available memory. The symptoms of this problem include steadily increasing memory consumption by WebSphere Application servers, followed by the OutOfMemory exception, which will cause the application server process to terminate.

110671 - NO_PERMISSION not surfacing properly on programmatic login with an invalid user ID or invalid password. Symptoms are that a programmatic login in a servlet or EJB with an invalid user ID or invalid password may fail with a null pointer exception instead of the expected NO_PERMISSION exception. This problem was discovered when performing interoperability tests between WebSphere and Component Broker.

Also fixes:

110293.1 - Multi-threaded Java client applications fail when WLM and security are enabled. You are also strongly urged to apply e-fix PQ51460, which corrects a problem in the container and is also required for a WLM and security enabled server to operate properly. Symptoms at the failing Java client side may include the following messages:

    ---------------------------------------------------------------
    3> 2001-08-03 15:40:13.794 , ServerID: -1 , CDRInputMessage.constructor : JSAS0208E: Internal error: system exception. Take down all the error information and contact support for more assistance.
    4> 2001-08-03 15:40:13.824 , ServerID: -1 , SecureAssociationInterceptorImpl.client_system_exception : JSAS0208E: Internal error: system exception. Take down all the error information and contact support for more assistance.
    7> 2001-08-03 15:41:45.185 , ServerID: -1 , SecureAssociationInterceptorImpl.client_demarshalled_response , Error code = 0: JSAS0300E: Invalid message type returned from target. Retry the operation after a few minutes. If the problem persists, there should be messages on the server system which may give a better indication of what the problem is. Further tracing on the server may be necessary. Contact support for assistance.

Problem conclusion

Temporary fix

Comments
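
Added example, not part of the APAR text or of IBM's code: a Python log triage that parses the two message layouts quoted above and tags lines matching the symptoms of defects 110293.1 (client-side JSAS0208E / JSAS0300E) and 110352 (SECJ0053E for /UNAUTHENTICATED). The names triage, TRACE_RE, AUTHZ_RE and SAMPLE are assumptions; the first three sample lines are trimmed from the messages quoted in this APAR and the fourth is constructed.

```python
import re

# Message IDs quoted in the APAR, mapped to the defect they are listed under.
CLIENT_SYMPTOMS = {"JSAS0208E": "110293.1", "JSAS0300E": "110293.1"}
# Client trace layout: "<n>> <date> <time> , ServerID: <id> , <Class.method> ... <MSGID>:"
TRACE_RE = re.compile(
    r"^\d+>\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s*,\s*ServerID:\s*-?\d+"
    r"\s*,\s*(?P<source>[\w.]+).*?(?P<msgid>[A-Z]{4}\d{4}[EWI]):")
# Server-side authorization failure as quoted under defect 110352.
AUTHZ_RE = re.compile(
    r"SECJ0053E: Authorization failed for \S+ while invoking (?P<target>.+?) "
    r"securityName: (?P<secname>[^;]+); accessID: \S+ "
    r"is not granted any of the required roles: (?P<roles>.+?)(?: at |$)")

def triage(lines):
    """Return (defect, message_id, detail) for each line matching an APAR symptom."""
    findings = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m and m["msgid"] in CLIENT_SYMPTOMS:
            findings.append((CLIENT_SYMPTOMS[m["msgid"]], m["msgid"],
                             f'{m["ts"]} {m["source"]}'))
            continue
        a = AUTHZ_RE.search(line)
        # Only the /UNAUTHENTICATED case is the 110352 symptom; confirm separately
        # that the client did supply credentials before attributing it to the defect.
        if a and a["secname"].strip() == "/UNAUTHENTICATED":
            findings.append(("110352", "SECJ0053E",
                             f'{a["target"]} requires {a["roles"].strip()}'))
    return findings

SAMPLE = [
    "3> 2001-08-03 15:40:13.794 , ServerID: -1 , CDRInputMessage.constructor : "
    "JSAS0208E: Internal error: system exception.",
    "7> 2001-08-03 15:41:45.185 , ServerID: -1 , SecureAssociationInterceptorImpl."
    "client_demarshalled_response , Error code = 0: JSAS0300E: Invalid message type",
    "com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for "
    "/UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome create:0 "
    "securityName: /UNAUTHENTICATED; accessID: UNAUTHENTICATED is not granted any of "
    "the required roles: AdminRole at com.ibm.ejs.security.SecurityCollaborator",
    # Constructed: an authenticated caller lacking the role; must not be flagged.
    "SECJ0053E: Authorization failed for realm/alice while invoking (Bean)x/Home "
    "find:0 securityName: realm/alice; accessID: user:realm/alice is not granted "
    "any of the required roles: AdminRole",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
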
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ51442
IBM Group: Software Group
Modified date: Apr 17, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.