PQ68763: GETREMOTEUSER AND GETSUBJECTDN NOT WORKING WITH PLUGIN

APAR status
Closed as program error.

Error description
Customer is using the HTTP Server connected to a WAS via
PlugIn. The HTTP Server uses SSL V3 for authentication,
with Userid %%CERTIF%% in the httpd.conf file.
  Customer attempts to retrieve the USERID from the servlet
with getRemoteUser or with getUserPrincipal method, but always
receives a NULL userid.
  Customer deployed .ear with the security definitions and
tried to use it with 3 different configurations in the
httpd.conf file (%%CLIENT%%, %%CERTIF%% and PUBLIC). None
returned a non-NULL USERID.
   Customer wants:
1) The browser to connect to the HTTP Server using HTTPS and
   supply a client certificate.
2) The HTTP Server to authenticate the user with the certificate.
3) From the certificate, the HTTP Server to determine the RACF
   USERID (certificate is mapped with a Userid with RACDCERT)
4) This userid should be propagated to the WAS.
5) The servlet must read this USERID with the GetRemoteUser
6) The customer is attempting to retrieve the DN ultimately.
    The customer also attempts to use getSubjectDN() and
this also fails. Essentially, he wants the entire certificate
returned.
    Therefore, the customer requests the ability to use
both the getRemoteUser() and getSubjectDN() when running
with the PlugIn.

Local fix
Configure and use HTTP Transport Handler.

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390 using local       *
*                 redirector plug-in and HTTPS Client          *
*                 Authentication may be affected.              *
****************************************************************
* PROBLEM DESCRIPTION: null was returned from WebSphere        *
*                      Application Server in the following     *
*                      calls inside a request received via the *
*                      local redirector plug-in for a HTTPS    *
*                      Client Authentication Web application:  *
*                        request.getAttribute("javax.net.ssl.  *
*                                              cipher_suite"); *
*                        request.getAttribute("javax.net.ssl.  *
*                                         peer_certificates"); *
*                        request.getRemoteUser();              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When an HTTPS Client Authentication Web application request is
received via the local redirector plug-in, the local redirector
plug-in requests the client's certificate, verifies that it is
valid, and maps it to a z/OS or OS/390 user ID.

But the certificate, cipher_suite, and the matched user ID
information are not forwarded to the WebSphere Application
Server Web container. Therefore, the following requests will
fail:
  request.getAttribute("javax.net.ssl.cipher_suite");
  request.getAttribute("javax.net.ssl.peer_certificates");
  request.getRemoteUser();

Problem conclusion
WebSphere Application Server local redirector plug-in has been
changed to forward the client's certificate, cipher_suite, and
the matched user ID information to the Web container for any
HTTPS Client Authentication web application request after the
certificate has been successfully authenticated.

APAR PQ68763 is associated with SERVICE LEVEL W401408 of
WebSphere Application Server V4.0.1 for z/OS and OS/390.
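
An added example, not IBM's code and not part of the APAR: a diagnostic servlet that reads the three values listed above and fails closed when any of them is null, which is the symptom this APAR describes. The class name is hypothetical, and the type of the peer_certificates attribute (an X509Certificate[] with the client certificate first) is an assumption.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; the class name is illustrative only.
public class ClientCertCheckServlet extends HttpServlet {

    // Attribute names exactly as listed in this APAR.
    static final String ATTR_CIPHER = "javax.net.ssl.cipher_suite";
    static final String ATTR_CERTS = "javax.net.ssl.peer_certificates";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getRemoteUser();
        Object cipher = request.getAttribute(ATTR_CIPHER);
        Object certs = request.getAttribute(ATTR_CERTS);

        // Fail closed: a null here means the front end did not forward the
        // authenticated identity, so the request must not be treated as
        // coming from a known (or a harmless anonymous) user.
        if (user == null || cipher == null || certs == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate identity was not forwarded");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("remote user : " + user);
        out.println("cipher suite: " + cipher);

        // Assumption: the attribute holds an X509Certificate[] with the
        // client's own certificate in the first element.
        if (certs instanceof X509Certificate[]
                && ((X509Certificate[]) certs).length > 0) {
            X509Certificate client = ((X509Certificate[]) certs)[0];
            out.println("subject DN  : " + client.getSubjectDN().getName());
        } else {
            out.println("peer_certificates has unexpected type: "
                    + certs.getClass().getName());
        }
    }
}
```
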

Temporary fix

Comments

APAR information
APAR number PQ68763
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-12-03
Closed date 2003-01-21
Last modified date 2003-02-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJSCASIN EJSCCLAS EJSCCMSV EJSCCNFG EJSCJNUT EJSCJNWR
EJSCLOAD EJSCLOGR EJSCOEUT EJSCOSUT EJSCPLUG EJSCPLUT
EJSCPOOL EJSCPROP EJSCRULS EJSCSTUB EJSCSVHS EJSCVALD
EJSCVERS EJSCWSUT EJSJWBJR EJSJWCSC EJSJWCWC EJSLNLS
EJSTLDAT EJSXASIN EJSXJVMX      

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ73459    UP03/01/28 P F301


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 401
Reference #: PQ68763
IBM Group: Software Group
Modified date: Feb 5, 2003