PQ66136: SSO (SINGLE SIGNON) FROM WEBSPHERE APPLICATION SERVER (WAS) TO DOMINO SERVER FAILS WHEN THE USER NAME CONTAINS DBCS

 A fix is available

4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)



APAR status
Closed as program error.

Error description
When user information (such as first name or last name)
contains DBCS Chinese characters, after logging in to
WPS or WAS successfully and then accessing the
Domino web server, Domino challenges the user
with a login page with the error message
"Your session with the server has expired or is invalid".
SSO from one WPS server to another WPS server, or
from one WAS server to another WAS server, works fine.
When the user information is entirely in English characters (SBCS),
SSO from WAS or WPS to Domino works, and so does SSO
from Domino to WAS/WPS. The problem only happens
when the user information has a Chinese field (the uid is in
English, but the first name or last name is in Chinese DBCS characters).
.
WAS Change Team (L3) supplied an efix and it fixed the problem.
.
The root cause of this defect is that WebSphere and Domino
calculate the digital signature differently if the user name
contains DBCS characters. While converting the user name to a
byte array to calculate the digital signature, WebSphere treated
every character as a single-byte character. With this fix,
WebSphere now uses UTF8 to calculate the digital signature.
Local fix
Request a copy of the efix from WAS C/T.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 customers who use double byte characters     *
*                 in user's security name.                     *
****************************************************************
* PROBLEM DESCRIPTION: SSO between WebSphere and non           *
*                      WebSphere products(such as Domino)      *
*                      fails if user security name contains    *
*                      double byte characters.                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
SSO between WebSphere and non-WebSphere products fails if the
security name contains double byte characters. The root cause
was a difference in the algorithms used to create digital
signatures.
Problem conclusion
Change WebSphere security to follow the UTF8 conversion rule when
calculating the digital signature: first use the UTF8 rule to convert
the user name to a byte array, then calculate the digital signature
from the byte array.
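
The mismatch described above, as an added illustration (not IBM's code): the same user name is signed after two different string-to-byte conversions, and the verifier recomputes the signature with UTF8. Assumptions: HMAC-SHA256 stands in for the products' signature algorithm, which the APAR does not name; the pre-fix conversion is modelled as keeping the low 8 bits of each character; the peer is assumed to use UTF8; the key and user names are constructed.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the APAR.
SHARED_KEY = b"constructed-demo-key"
ASCII_NAME = "uid=jsmith,cn=John Smith"
DBCS_NAME = "uid=jsmith,cn=\u5f20\u4f1f"  # ASCII uid, Chinese display name


def single_byte_bytes(name: str) -> bytes:
    """Pre-fix model (assumption): one byte per character, high bits dropped."""
    return bytes(ord(ch) & 0xFF for ch in name)


def utf8_bytes(name: str) -> bytes:
    """Post-fix rule from the APAR: convert the name with UTF8."""
    return name.encode("utf-8")


def sign(data: bytes) -> str:
    """Stand-in signature over the converted name (HMAC-SHA256, an assumption)."""
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


def verify(name: str, signature: str, to_bytes) -> bool:
    """The verifier recomputes the signature with its own byte conversion."""
    return hmac.compare_digest(sign(to_bytes(name)), signature)


def sso_matrix(name: str) -> dict:
    """Reproduce the three cases the APAR reports for one user name."""
    old_sig = sign(single_byte_bytes(name))
    new_sig = sign(utf8_bytes(name))
    return {
        # Pre-fix issuer, UTF8 verifier (WAS/WPS to Domino before the fix).
        "pre_fix_to_utf8_peer": verify(name, old_sig, utf8_bytes),
        # Both sides share the same single-byte conversion (WAS to WAS).
        "pre_fix_same_product": verify(name, old_sig, single_byte_bytes),
        # Issuer converts with UTF8 (after the fix).
        "post_fix_to_utf8_peer": verify(name, new_sig, utf8_bytes),
    }


if __name__ == "__main__":
    for n in (ASCII_NAME, DBCS_NAME):
        print(n.encode("unicode_escape").decode(), sso_matrix(n))
```

For an SBCS-only name both conversions yield identical bytes, so every case verifies; only the DBCS name fails, and only when the two sides convert differently.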
Temporary fix
Provide test eFix.
Comments
APAR information
APAR number PQ66136
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-09-12
Closed date 2002-09-12
Last modified date 2002-09-12

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ61389

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66136
IBM Group: Software Group
Modified date: Sep 12, 2002