PQ54343: 500 ERROR REQUESTING A FORM-BASED LOGIN WHEN LOGIN-TOKEN IS ENCRYPTED

APAR status
Closed as program error.

Error description
Form-based Login tokens currently cannot be encrypted or shared
across Servers. When a request for a Form-based Login is
submitted to a Web container that has indicated the Login-Token
is encrypted, the request returns an HTTP 500 response code.

Local fix
Users who wish to make use of Form-Based Login can do
so if they indicate that tokens are not to be encrypted. When
running in this mode, all requests that will use the
login-token must come through a single OS/390 HTTP
Server address space running the WebSphere V4.0.1 Plug-In code.
Running with unencrypted tokens in a production environment is
not recommended.

Problem summary
****************************************************************
* USERS AFFECTED: All users of the WebSphere Application       *
*                 Server Version 4.0.1 for z/OS and OS/390     *
*                 may be affected.                             *
****************************************************************
* PROBLEM DESCRIPTION: Status code 500 is returned to the      *
*                      client when Form-based Login tokens     *
*                      are requested to be encrypted.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The code to use Integrated Cryptographic Service Facility (ICSF)
on z/OS and OS/390 was not implemented in the previous version
of WebSphere Application Server Version 4.0.1.  When the
property WebAuth.LoginToken.Encrypt=true is set in
webcontainer.conf, a status code 500 is returned.

Problem conclusion
This APAR provides support for encrypting Login tokens before
exporting them from the Server.  WebSphere will make use of
encryption keys that are stored in ICSF.  The WebSphere
Servers will use these keys at runtime to secure the contents
of the tokens before sending them to the client.  These keys
can be made accessible to all WebSphere Servers within the
sysplex.

Internal defect 79022 implements the ICSF support in the
WebSphere Application Server Version 4.0.1.

To encrypt the LoginToken, ICSF must be available and active on
your z/OS or OS/390 system.  A key label must be predefined
using the ICSF Key Generator Utility Program (KGUP). See the
ICSF Administrator's Guide (SC23-3975) for details.

A key label can consist of up to 64 characters.  The first
character must be alphabetic or national (#, $, @).  The rest
can be alphanumeric, national, or a period (.).

Following is a simple example of control statements used by KGUP
to generate a key label MYKEYLABEL:

        ADD TYPE(DATA) LENGTH(24),
        CLEAR DES,
         LAB(MYKEYLABEL)

To have WebSphere Application Server use ICSF to encrypt and
decrypt the LoginToken with key label MYKEYLABEL, add the
following two properties to the webcontainer.conf file:
   WebAuth.LoginToken.Encrypt=true
   WebAuth.EncryptionKeyLabel=MYKEYLABEL
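
An added example, not IBM's code: a Python check that reads webcontainer.conf text, confirms the two LoginToken properties are set, and validates the key label against the rules stated above. The function names, the '#' comment handling and the case-insensitive comparison of "true" are assumptions.

```python
import re

# Key label rule as stated in this APAR: 1 to 64 characters, first character
# alphabetic or national (#, $, @), the rest alphanumeric, national or a period.
KEY_LABEL_RE = re.compile(r"[A-Za-z#$@][A-Za-z0-9#$@.]{0,63}")

ENCRYPT = "WebAuth.LoginToken.Encrypt"
LABEL = "WebAuth.EncryptionKeyLabel"


def parse_properties(text):
    """Parse name=value lines. Skipping '#' comment lines is an assumption."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def audit_login_token_config(text):
    """Return a list of findings; an empty list means the settings pass."""
    props = parse_properties(text)
    # Case-insensitive match on "true" is an assumption about the parser.
    if props.get(ENCRYPT, "").lower() != "true":
        return [f"{ENCRYPT} is not true: login tokens are not encrypted"]
    label = props.get(LABEL)
    if label is None:
        return [f"{LABEL} is missing while {ENCRYPT}=true"]
    if not KEY_LABEL_RE.fullmatch(label):
        return [f"{LABEL}={label!r} violates the key label rules"]
    return []


# Constructed sample inputs, not taken from a real system.
GOOD = "WebAuth.LoginToken.Encrypt=true\nWebAuth.EncryptionKeyLabel=MYKEYLABEL\n"
BAD_LABEL = "WebAuth.LoginToken.Encrypt=true\nWebAuth.EncryptionKeyLabel=9KEY-LABEL\n"
NO_LABEL = "# constructed\nWebAuth.LoginToken.Encrypt=true\n"
UNENCRYPTED = "WebAuth.LoginToken.Encrypt=false\n"

if __name__ == "__main__":
    for name, conf in [("good", GOOD), ("bad label", BAD_LABEL),
                       ("no label", NO_LABEL), ("unencrypted", UNENCRYPTED)]:
        print(name, "->", audit_login_token_config(conf) or "OK")
```
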

COMPID 5655A9800, R401 is affected by these changes.

401Y
EJSCASIN
EJSCCLAS
EJSCCMSV
EJSCCNFG
EJSCJNUT
EJSCJNWR
EJSCLOAD
EJSCLOGR
EJSCOEUT
EJSCOSUT
EJSCPLUG
EJSCPLUT
EJSCPOOL
EJSCPROP
EJSCRULS
EJSCSTUB
EJSCSVHS
EJSCVALD
EJSCVERS
EJSCWSUT
EJSJWBJR
EJSLNLS
EJSTLDAT
EJSXASIN
EJSXJVMX

* Cross Reference between External and Internal Names
Temporary fix Comments
APAR information
APAR number PQ54343
Reported component name WEBSPHERE OS/39
Reported component ID 5655A9800
Reported release 401
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2001-11-05
Closed date 2002-01-03
Last modified date 2002-02-02

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
EJSCASIN EJSCCLAS EJSCCMSV EJSCCNFG EJSCJNUT EJSCJNWR
EJSCLOAD EJSCLOGR EJSCOEUT EJSCOSUT EJSCPLUG EJSCPLUT
EJSCPOOL EJSCPROP EJSCRULS EJSCSTUB EJSCSVHS EJSCVALD
EJSCVERS EJSCWSUT EJSJWBJR EJSLNLS EJSTLDAT EJSXASIN
EJSXJVMX          

Fix information
Fixed component name WEBSPHERE OS/39
Fixed component ID 5655A9800

Applicable component levels
R401 PSY UQ61610    UP02/01/21 P F201

Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ54343
IBM Group: Software Group
Modified date: Feb 2, 2002