PQ54343: 500 ERROR REQUESTING A FORM-BASED LOGIN WHEN LOGIN-TOKEN IS ENCRYPTED
APAR status

Closed as program error.

Error description

Form-based Login tokens cannot currently be encrypted or shared across Servers. When a request for a Form-based Login is submitted to a Web container that has indicated the Login-Token is encrypted, the request returns a 500 HTTP response code.

Local fix

Users who wish to make use of Form-Based Login can do so if they indicate that tokens are not to be encrypted. When running in this mode, all requests that use the login-token must come through a single OS/390 HTTP Server address space running the WebSphere V4.0.1 Plug-In code. It is not recommended to run with unencrypted tokens in a production environment.

Problem summary

****************************************************************
* USERS AFFECTED: All users of the WebSphere Application       *
*                 Server Version 4.0.1 for z/OS and OS/390     *
*                 may be affected.                             *
****************************************************************
* PROBLEM DESCRIPTION: Status code 500 is returned to the      *
*                      client when Form-based Login tokens     *
*                      are requested to be encrypted.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

The code to use Integrated Cryptographic Service Facility (ICSF) on z/OS and OS/390 was not implemented in the previous version of WebSphere Application Server Version 4.0.1. When the property WebAuth.LoginToken.Encrypt=true is set in webcontainer.conf, a status code 500 is returned.

Problem conclusion

This APAR provides support for encrypting Login tokens before exporting them from the Server. WebSphere will make use of encryption keys that are stored in ICSF. The WebSphere Servers will use these keys at runtime to secure the contents of the tokens before sending them to the client. These keys can be made accessible to all WebSphere Servers within the sysplex.
Internal defect 79022 implements the ICSF support in the WebSphere Application Server Version 4.0.1. To encrypt the LoginToken, ICSF must be available and active on your z/OS or OS/390 system. A key label must be predefined using the ICSF Key Generator Utility Program (KGUP). Please see the ICSF manual Administrator's Guide (SC23-3975) for details.

A key label can consist of up to 64 characters. The first character must be alphabetic or national (#, $, @). The rest can be alphanumeric, national, or a period (.).

Following is a simple example of control statements used by KGUP to generate a key label MYKEYLABEL:

    ADD TYPE(DATA) LENGTH(24),
        CLEAR DES,
        LAB(MYKEYLABEL)

For WebSphere Application Server to use ICSF to encrypt and decrypt the LoginToken with key label MYKEYLABEL, add the following two properties to the webcontainer.conf file:

    WebAuth.LoginToken.Encrypt=true
    WebAuth.EncryptionKeyLabel=MYKEYLABEL

COMPID 5655A9800, R401 is affected by these changes.

401Y
EJSCASIN EJSCCLAS EJSCCMSV EJSCCNFG EJSCJNUT EJSCJNWR EJSCLOAD
EJSCLOGR EJSCOEUT EJSCOSUT EJSCPLUG EJSCPLUT EJSCPOOL EJSCPROP
EJSCRULS EJSCSTUB EJSCSVHS EJSCVALD EJSCVERS EJSCWSUT EJSJWBJR
EJSLNLS EJSTLDAT EJSXASIN EJSXJVMX
* Cross Reference between External and Internal Names

Temporary fix

Comments
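A configuration check for the two webcontainer.conf properties and the key label rule given in the problem conclusion, as an added example that is not IBM's code. It assumes the file holds name=value lines with # comment lines and that "alphabetic" means ASCII letters of either case; the function names and sample configurations are constructed for illustration.

```python
import re

# Key label rule as stated in the APAR: up to 64 characters, first character
# alphabetic or national (#, $, @), the rest alphanumeric, national or period.
# Assumption: "alphabetic" is read as ASCII letters, upper or lower case.
KEY_LABEL_RE = re.compile(r"[A-Za-z#$@][A-Za-z0-9#$@.]{0,63}\Z")

def parse_properties(text):
    """Parse name=value lines (assumed syntax); skip blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props

def check_login_token_config(text):
    """Return a list of findings for the login-token encryption settings."""
    props = parse_properties(text)
    if props.get("WebAuth.LoginToken.Encrypt", "").lower() != "true":
        # The APAR advises against unencrypted tokens in production.
        return ["WebAuth.LoginToken.Encrypt is not true: tokens are unencrypted"]
    label = props.get("WebAuth.EncryptionKeyLabel")
    if label is None:
        return ["WebAuth.EncryptionKeyLabel is missing while encryption is on"]
    if not KEY_LABEL_RE.match(label):
        return ["key label %r violates the ICSF key label syntax" % label]
    return []

# Constructed sample configurations (not taken from a real system).
SAMPLE_GOOD = """# login token settings
WebAuth.LoginToken.Encrypt=true
WebAuth.EncryptionKeyLabel=MYKEYLABEL
"""
SAMPLE_BAD_LABEL = SAMPLE_GOOD.replace("MYKEYLABEL", "9BAD-LABEL")
SAMPLE_UNENCRYPTED = "WebAuth.LoginToken.Encrypt=false\n"

if __name__ == "__main__":
    for name, cfg in [("good", SAMPLE_GOOD), ("bad label", SAMPLE_BAD_LABEL),
                      ("unencrypted", SAMPLE_UNENCRYPTED)]:
        print(name, "->", check_login_token_config(cfg) or "OK")
```
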
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ54343
IBM Group: Software Group
Modified date: Feb 2, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.