PQ55181: APAR TO PROVIDE TRUST ASSOCIATION INTERCEPTOR SUPPORT / FUNCTION WITHIN WEBSPHERE APPLICATION SERVER FOR Z/OS
APAR status
Closed as program error.

Error description
This APAR serves as a ship vehicle for providing Trust Association Interceptor Support within WebSphere Application Server V4.0.1 for z/OS and OS/390.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 v4.0.1 for z/OS and OS/390.                  *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION: In addition to the authentication and   *
*                      authorization processing the Web        *
*                      container provides, your installation   *
*                      might want to use an external security  *
*                      product to perform authentication.      *
*                      WebSphere for z/OS enables the use of   *
*                      this type of external product through   *
*                      its Trust Association Interceptor (TAI) *
*                      support.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A trust association interceptor is Java code that can be configured for use by WebSphere for z/OS at run time. When WebSphere for z/OS determines that it needs to perform authentication processing, it sends the input request to a configured trust association interceptor. The interceptor examines the content of the request and returns a string, containing the name of a user within the configured user registry. WebSphere for z/OS then treats the user as authenticated and makes that user name the principal of the current request. Any necessary access checks will be performed using that user name.

If a trust interceptor does not indicate it has authenticated a user, WebSphere for z/OS will perform authentication according to the rules specified by the deployment descriptor in the web.xml file for the requested application.

Problem conclusion
Your installation might want to use a trust association interceptor if it has a third party security product acting as a reverse proxy in a DMZ. This third party product performs authentication of the Web clients within the DMZ and then forwards the request to WebSphere for z/OS for processing.

The trust association interceptor that the third party security product provides must implement the TrustAssociationInterceptor class required by WebSphere for z/OS. This class, which is located in the Java package com.ibm.websphere.security, enables the third party product to indicate to WebSphere for z/OS that authentication processing has already been performed and to identify the authenticated user to WebSphere for z/OS. This prevents WebSphere for z/OS from redundantly trying to authenticate the client.

A separate document, entitled "WebSphere Application Server v4.0.1 for z/OS and OS/390: Trust Association Interceptor" is available for this APAR. To download the document, go to the following Web site, then click "Product information."
http://www-4.ibm.com/software/webservers/appserv/zos_os390/support.html

At a later time, the information in this document will be integrated into the WebSphere for z/OS formal publications. To access the latest publications, go to the product library page at:
http://www-4.ibm.com/software/webservers/appserv/zos_os390

This change affects COMPID 5655A9800 R401 for z/OS and OS/390.

The code changes are stored in CMVC under defects PQ55181, 81535, 81581, 81712, 81929, 81965, 82047, 82049, 82050, 82371, 82414, 82547, 82551, 82554, 82855.

401Y EJSJWCSC EJSJWCWC
* Cross Reference between External and Internal Names

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ90049

Modules/Macros
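
The decision flow described in the problem summary, as an added Java example that is not part of the APAR and is not IBM's code: the container offers the request to an interceptor, uses the returned registry user name as the principal, and otherwise falls back to web.xml authentication. The `Request` and `Interceptor` types, the `x-proxy-user` header, the peer-address check and the handling of names missing from the registry are assumptions; they stand in for the real `com.ibm.websphere.security` interface and for whatever proof of the proxy's identity the third party product uses.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration. Request, Interceptor and the header name are hypothetical
// stand-ins, not the com.ibm.websphere.security API.
public class TaiFlowDemo {
    record Request(String peerAddr, Map<String, String> headers) {}

    /** Hypothetical interceptor shape: returns a user name, or null if it did not authenticate. */
    interface Interceptor { String authenticatedUser(Request r); }

    /** Accepts the asserted identity only when the request arrives from the reverse proxy. */
    static class ProxyInterceptor implements Interceptor {
        private final Set<String> trustedProxies;
        ProxyInterceptor(Set<String> trustedProxies) { this.trustedProxies = trustedProxies; }

        public String authenticatedUser(Request r) {
            String user = r.headers().get("x-proxy-user");            // assumed header name
            if (user == null || user.isBlank()) return null;           // proxy asserted nothing
            if (!trustedProxies.contains(r.peerAddr())) return null;   // did not come via the proxy
            return user.trim();
        }
    }

    /** Container side: an interceptor result becomes the principal, otherwise web.xml rules apply. */
    static String resolvePrincipal(Request r, Interceptor tai, Set<String> registry) {
        String user = tai.authenticatedUser(r);
        // Assumption: a name that is not in the configured registry is not accepted.
        if (user != null && registry.contains(user)) return "TAI:" + user;
        return "WEBXML_AUTH"; // container authenticates per the deployment descriptor
    }

    public static void main(String[] args) {
        Set<String> registry = Set.of("ALICE", "BOB");               // constructed registry
        Interceptor tai = new ProxyInterceptor(Set.of("10.0.0.5"));  // constructed proxy address
        List<Request> samples = List.of(                              // constructed requests
            new Request("10.0.0.5", Map.of("x-proxy-user", "ALICE")),     // forwarded by the proxy
            new Request("203.0.113.9", Map.of("x-proxy-user", "ALICE")),  // header set, wrong peer
            new Request("10.0.0.5", Map.of()),                            // proxy sent no identity
            new Request("10.0.0.5", Map.of("x-proxy-user", "MALLORY"))); // name not in registry
        for (Request r : samples) {
            System.out.println(r.peerAddr() + " " + r.headers() + " -> "
                + resolvePrincipal(r, tai, registry));
        }
    }
}
```

Because the container treats the returned name as already authenticated, the interceptor's check that the request really came from the proxy is the only authentication step on that path.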
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ55181
IBM Group: Software Group
Modified date: Jul 3, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.