PQ55181: APAR TO PROVIDE TRUST ASSOCIATION INTERCEPTOR SUPPORT / FUNCTION WITHIN WEBSPHERE APPLICATION SERVER FOR Z/OS

 A fix may be available

Obtain the fix for this APAR



APAR status
Closed as program error.

Error description
This apar serves as a ship vehicle for providing Trust
Association Interceptor Support within WebSphere
Application Server V4.0.1 for z/OS and OS/390.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 v4.0.1 for z/OS and OS/390.                  *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION: In addition to the authentication and   *
*                      authorization processing the Web        *
*                      container provides, your installation   *
*                      might want to use an external security  *
*                      product to perform authentication.      *
*                      WebSphere for z/OS enables the use of   *
*                      this type of external product through   *
*                      its Trust Association Interceptor (TAI) *
*                      support.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A trust association interceptor is Java code that can be
configured for use by WebSphere for z/OS at run time. When
WebSphere for z/OS determines that it needs to perform
authentication processing, it sends the input request to
a configured trust association interceptor. The interceptor
examines the content of the request and returns a string,
containing the name of a user within the configured user
registry. WebSphere for z/OS then treats the user as
authenticated and makes that user name the principal of the
current request. Any necessary access checks will be performed
using that user name. If a trust interceptor does not indicate
it has authenticated a user, WebSphere for z/OS will perform
authentication according to the rules specified by the
deployment descriptor in the web.xml file for the
requested application.
Problem conclusion
Your installation might want to use a trust association
interceptor if it has a third party security product acting as a
reverse proxy in a DMZ. This third party product performs
authentication of the Web clients within the DMZ and
then forwards the request to WebSphere for z/OS for processing.
The trust association interceptor that the third party security
product provides must implement the TrustAssociationInterceptor
class required by WebSphere for z/OS. This class, which is
located in the Java package com.ibm.websphere.security, enables
the third party product to indicate to WebSphere for z/OS that
authentication processing has already been performed and to
identify the authenticated user to WebSphere for z/OS. This
prevents WebSphere for z/OS from redundantly trying
to authenticate the client.

A separate document, entitled "WebSphere Application Server
v4.0.1 for z/OS and OS/390: Trust Association Interceptor
is available for this APAR. To download the document,
go to the following Web site, then click "Product information."

http://www-4.ibm.com/software/webservers/appserv/zos_os390
/support.html
At a later time, the information in this document will
be integrated into the WebSphere for z/OS formal
publications. To access the latest publications, go to
the product library page at:

http://www-4.ibm.com/software/webservers/appserv/zos_os390

This change affects COMPID 5655A9800 R401 for z/OS and OS/390.
The code changes are stored in CMVC under defects PQ55181,
81535, 81581, 81712, 81929, 81965, 82047, 82049, 82050, 82371
82414, 82547, 82551, 82554, 82855.

401Y
EJSJWCSC
EJSJWCWC

* Cross Reference between External and Internal Names
Temporary fix Comments
APAR information
APAR number PQ55181
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2001-11-26
Closed date 2002-06-17
Last modified date 2002-07-03

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
UQ90049

Modules/Macros
EJSJWCSC EJSJWCWC        

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ90049    UP02/06/28 P F206

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ55181
IBM Group: Software Group
Modified date: Jul 3, 2002