404 error if using HTTP 1.0 protocol, and Form Based authentication (APAR PQ77887)
 Technote (FAQ)
 
Problem
When using Form Based authentication for security, if the HTTP Host header field does not contain port information, HTTP requests will fail with a response code of 404 if the BBOC_HTTP_SSL_MODE=INTERNAL environment variable is not included in the current.env file.

Also, if the connection between a browser and the IBM HTTP Server is not the same type as the connection between the WebSphere HTTP Plug-in for z/OS and the HTTP Transport Handler (both either HTTP or HTTPS), any redirection or URL rewriting will cause subsequent requests to fail with a 404 error code.
 
Cause
The information about the WebSphere® HTTP Plug-in for z/OS® contained in WebSphere Application Server V4.0.1 for z/OS and OS/390: Assembling J2EE Applications states that the environment variable BBOC_HTTP_(SSL_)MODE=INTERNAL is needed "only if you intend to use private headers." It further states that "If you try to use private headers without adding this variable to the current.env file, WebSphere for z/OS might not be able to locate the requested application." WebSphere Application Server V4.0.1 for z/OS and OS/390: Assembling J2EE Applications does not explain:
 
Solution
The following information will be added to WebSphere Application Server V4.0.1 for z/OS and OS/390: Assembling J2EE Applications, SA22-7836-06:



In Chapter 4, the last bullet in the second note associated with Table 5, "Summary of the two Versions of the Web container security collaborator", will be changed to the following:

Add the following environment variables to your J2EE server’s current.env file:

ENABLE_TRUSTED_APPLICATIONS=1
BBOC_HTTP_SSL_MODE=INTERNAL (only required if you are using HTTP 1.0 protocol)

In Chapter 8, section "Setting up the WebSphere HTTP Plug-in for z/OS:"
  1. The description of the BBOC_HTTP_MODE=INTERNAL and/or BBOC_HTTP_SSL_MODE=INTERNAL environment variable included in Step 5 will be changed to the following:
These environment variables enable the HTTP(S) Transport Handler to trust private headers received from the HTTP Server’s plug-in, over the port specified on the BBOC_HTTP_PORT and/or BBOC_HTTP_SSL_PORT environment variables.

Notes:
  1. HTTP 1.0 protocol does not require an HTTPS request to include the port number in the HTTP Host header field. Therefore, if you are using HTTP 1.0 protocol, and Form Based authentication (or some other technique that involves redirection) for security, you must include the BBOC_HTTP_SSL_MODE=INTERNAL environment variable in the current.env file. This variable enables the Web container to obtain the port information that it needs to perform the redirect from the private headers if it has not been specified on the HTTP Host header field. (This is not a problem if you are using HTTP 1.1 protocol because that protocol requires the port information to be included on the HTTP Host header field.)
  2. If you add either the BBOC_HTTP_MODE=INTERNAL or the BBOC_HTTP_SSL_MODE=INTERNAL environment variable to the current.env file, the HTTP(S) Transport Handler will trust all private headers it receives in HTTP or HTTPS requests, respectively. Therefore, you must ensure that there are no untrusted paths to the HTTP or HTTPS Transport Handler.
  3. The following new step will be added to this procedure:
The connection between the browser and the IBM HTTP Server and the connection between the plug-in and the HTTP Transport Handler must be the same type; either HTTP or HTTPS. If one of the connections is an HTTP connection, and the other is an HTTPS connection, any redirection or URL rewriting will cause subsequent requests to fail with a 404 error code.

In Appendix A, the following note will be added to the description of the BBOC_HTTP_SSL_MODE environment variable:
Note: This environment variable must be included in the current.env file and set to Internal if you are using HTTP 1.0 protocol, and Form Based authentication (or some other technique that involves redirection) for security. The port information that the Web container uses to redirect requests to the login form is normally contained in private headers, which are ignored if this environment variable is not included.


This last change will also be made to the description of the BBOC_HTTP_SSL_MODE environment variable contained in Appendix A of WebSphere Application Server V4.0.1 for z/OS and OS/390: Installation and Customization, GA22-7834-07.
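
The rules in the Chapter 8 notes and the Appendix A note can be checked against a server's settings before deployment. The following Python is an added example, not IBM code or part of the manual changes; it assumes current.env holds one NAME=VALUE setting per line and that the INTERNAL value is matched case-insensitively, and the sample file contents and port number are constructed.

```python
# Added example: audit current.env text against the rules in this technote.
# Assumptions: one NAME=VALUE setting per line; INTERNAL matched case-insensitively.

def parse_env(text):
    """Return {NAME: VALUE}; lines without '=' are ignored."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def audit(env_text, http10_clients, redirect_auth, front_scheme, back_scheme):
    """Return a list of (code, message) findings.

    http10_clients: requests may arrive as HTTP 1.0 (Host header may lack the port)
    redirect_auth:  Form Based authentication or another redirecting technique
    front_scheme:   'http' or 'https', browser to IBM HTTP Server
    back_scheme:    'http' or 'https', plug-in to HTTP(S) Transport Handler
    """
    env = parse_env(env_text)
    internal = lambda name: env.get(name, "").upper() == "INTERNAL"
    findings = []
    if http10_clients and redirect_auth and not internal("BBOC_HTTP_SSL_MODE"):
        findings.append(("MISSING_SSL_MODE",
                         "add BBOC_HTTP_SSL_MODE=INTERNAL or redirects will return 404"))
    for mode, port in (("BBOC_HTTP_MODE", "BBOC_HTTP_PORT"),
                       ("BBOC_HTTP_SSL_MODE", "BBOC_HTTP_SSL_PORT")):
        if internal(mode):
            findings.append(("TRUSTS_PRIVATE_HEADERS",
                             f"{mode}=INTERNAL: all private headers on port "
                             f"{env.get(port, '<unset>')} are trusted; "
                             "confirm there is no untrusted path to it"))
    if front_scheme.lower() != back_scheme.lower():
        findings.append(("SCHEME_MISMATCH",
                         "both connections must be HTTP or both HTTPS, otherwise "
                         "redirection or URL rewriting leads to 404"))
    return findings

# Constructed sample settings: before and after the change described above.
SAMPLE = "ENABLE_TRUSTED_APPLICATIONS=1\nBBOC_HTTP_SSL_PORT=8443\n"
FIXED = SAMPLE + "BBOC_HTTP_SSL_MODE=INTERNAL\n"

if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after", FIXED)):
        for code, message in audit(text, True, True, "https", "https"):
            print(label, code, message)
```

The TRUSTS_PRIVATE_HEADERS finding is informational: it names the port whose network exposure has to be reviewed once private headers are trusted.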

NOTE: Periodically, we refresh the documentation on our Web site, so these changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/zos_os390/library/
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 4.0.1
Software edition:
Reference #: 1143325
IBM Group: Software Group
Modified date: Sep 24, 2004