PQ68763: GETREMOTEUSER AND GETSUBJECTDN NOT WORKING WITH PLUGIN

APAR status
Closed as program error.

Error description
Customer is using the HTTP Server connected to a WAS via PlugIn. The HTTP Server uses SSL V3 for authentication, with Userid %%CERTIF%% in the httpd.conf file. Customer attempts to retrieve the USERID from the servlet with the getRemoteUser or the getUserPrincipal method, but always receives a NULL userid. Customer deployed the .ear with the security definitions and tried to use it with 3 different configurations in the httpd.conf file (%%CLIENT%%, %%CERTIF%% and PUBLIC). None returned a non-NULL USERID.

Customer wants:
1) The browser to connect to the HTTP Server using HTTPS and supply a client certificate.
2) The HTTP Server to authenticate the user with the certificate.
3) From the certificate, the HTTP Server to determine the RACF USERID (the certificate is mapped with a Userid with RACDCERT).
4) This userid to be propagated to the WAS.
5) The servlet to read this USERID with getRemoteUser.
6) The customer is attempting to retrieve the DN ultimately. The customer also attempts to use getSubjectDN() and this also fails. Essentially, he wants the entire certificate returned.

Therefore, the customer requests the ability to use both getRemoteUser() and getSubjectDN() when running with the PlugIn.

Local fix
Configure and use HTTP Transport Handler.

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V4.0.1 for z/OS and OS/390 using local redirector plug-in and HTTPS Client Authentication may be affected.

PROBLEM DESCRIPTION: null was returned from WebSphere Application Server in the following calls inside a request received via the local redirector plug-in for a HTTPS Client Authentication Web application:

    request.getAttribute("javax.net.ssl.cipher_suite");
    request.getAttribute("javax.net.ssl.peer_certificates");
    request.getRemoteUser();

RECOMMENDATION:

When an HTTPS Client Authentication Web application request is received via the local redirector plug-in, the local redirector plug-in requests the client's certificate, verifies that it is valid, and maps it to a z/OS or OS/390 user ID. But the certificate, cipher_suite, and the matched user ID information are not forwarded to the WebSphere Application Server Web container. Therefore, the following requests will fail:

    request.getAttribute("javax.net.ssl.cipher_suite");
    request.getAttribute("javax.net.ssl.peer_certificates");
    request.getRemoteUser();

Problem conclusion
WebSphere Application Server local redirector plug-in has been changed to forward the client's certificate, cipher_suite, and the matched user ID information to the Web container for any HTTPS Client Authentication web application request after the certificate has been successfully authenticated.

APAR PQ68763 is associated with SERVICE LEVEL W401408 of WebSphere Application Server V4.0.1 for z/OS and OS/390.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
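
A servlet-side check for the symptom described in this APAR, written as an added example (it is not IBM's code and not part of the APAR). It reads the three values the problem description lists and refuses the request when any of them is missing, so an identity that was not forwarded is never mistaken for an authenticated one. The class name and the assumption that the certificate attribute holds a java.security.cert.X509Certificate[] are assumptions of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (the name is an assumption, not IBM code).
public class ClientCertCheckServlet extends HttpServlet {

    // Attribute names exactly as listed in the APAR problem description.
    static final String ATTR_CIPHER = "javax.net.ssl.cipher_suite";
    static final String ATTR_CERTS = "javax.net.ssl.peer_certificates";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();
        Object cipher = req.getAttribute(ATTR_CIPHER);
        Object raw = req.getAttribute(ATTR_CERTS);

        // Assumption: the chain arrives as X509Certificate[]. Check the
        // type instead of casting blindly so an unexpected value fails closed.
        X509Certificate[] chain = null;
        if (raw instanceof X509Certificate[] && ((X509Certificate[]) raw).length > 0) {
            chain = (X509Certificate[]) raw;
        }

        // Fail closed: a null user or a missing certificate must never be
        // handled as an authenticated caller.
        if (user == null || cipher == null || chain == null) {
            log("client-cert data not forwarded: remoteUserPresent=" + (user != null)
                    + " cipherPresent=" + (cipher != null)
                    + " certPresent=" + (chain != null));
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate identity not available");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("remoteUser: " + user);
        out.println("cipherSuite: " + cipher);
        // chain[0] is assumed to be the client's own (leaf) certificate.
        out.println("subjectDN: " + chain[0].getSubjectDN().getName());
    }
}
```

The servlet log line shows which of the three values did not reach the Web container.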

Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ68763
IBM Group: Software Group
Modified date: Feb 5, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.