Fix (APAR): PH48187
Status: Fix
Release: 22.0.0.7,22.0.0.6
Operating System: AIX,HP-UX,IBM i,Linux,OS X,Solaris,Windows,iOS,z/OS
Supersedes Fixes: PH46073; PH47867
CMVC Defect: xxxxxx
Byte size of APAR: 2696589
Date: 2022-08-09

Abstract: LTPAToken validation failure for users with space characters in the user name caused by PH47867

Description/symptom of problem:
PH48187 resolves the following problem:

ERROR DESCRIPTION:
This APAR Work Item is for the following issue:
https://github.com/OpenLiberty/open-liberty/issues/21837

LOCAL FIX:

PROBLEM SUMMARY
USERS AFFECTED: All users of IBM WebSphere Application Server Liberty - Security

PROBLEM DESCRIPTION: LTPAToken validation failure for users with space characters in the user name caused by PH47867

RECOMMENDATION: None

LTPAToken validation might fail for users with empty space characters in the username after an interim fix or fix pack containing APAR PH47867 is installed.

* Users that perform a login to authenticate to one Liberty server might fail to authenticate to other Liberty servers by using their LTPAToken2. Users would need to log in again on other Liberty servers.
* If the authentication cache is not enabled, a user can log in, but might fail to use their LTPAToken2 in subsequent requests to other servers or to the same server. In this case, the user might have to perform a new login on every request.
* Users with at least one of the following empty space characters in their username are affected: space character, tab character, newline character, carriage-return character, and form-feed character.
* The username can be the short principal name or the full name of the user as in the DN for LDAP users.

Error message that can be found in messages.log:
CWWKS4001I: The security token cannot be validated. This can be for the following reasons 1. The security token was generated on another server using different keys. 2. The token configuration or the security keys of the token service which created the token has been changed. 3. The token service which created the token is no longer available.

PROBLEM CONCLUSION:
The Liberty runtime is updated to handle usernames containing empty space characters correctly.

The fix for this APAR is currently targeted for inclusion in fix pack 22.0.0.9. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:
Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.9.0 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server Liberty before applying the iFixes.
Restart WebSphere Application Server Liberty after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server Liberty before removing the iFixes.
Restart WebSphere Application Server Liberty after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server Liberty.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server Liberty.

Additional Information:
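A triage check for the symptom described above, added here as an example and not part of IBM's readme or the Liberty code: it flags usernames (short principal names or full LDAP DNs) that contain any of the five whitespace characters the APAR names, and counts CWWKS4001I entries in messages.log lines. The user list and log lines are constructed samples; the log line format is simplified.

```python
# Whitespace characters the APAR names as triggering the validation failure.
AFFECTED_WS = {
    " ": "space",
    "\t": "tab",
    "\n": "newline",
    "\r": "carriage-return",
    "\f": "form-feed",
}


def affected_whitespace(username):
    """Names of affected whitespace characters in a username, in order of
    first appearance. An empty list means the user is not affected. LDAP
    users must be checked by their full DN, since an RDN value such as
    'CN=Jane Doe' carries a space even when the short name does not."""
    found = []
    for ch in username:
        name = AFFECTED_WS.get(ch)
        if name and name not in found:
            found.append(name)
    return found


def triage_users(usernames):
    """Map each affected username to the whitespace kinds it contains."""
    result = {}
    for user in usernames:
        kinds = affected_whitespace(user)
        if kinds:
            result[user] = kinds
    return result


def count_token_failures(log_lines):
    """Count CWWKS4001I entries, the messages.log symptom named in the APAR."""
    return sum(1 for line in log_lines if "CWWKS4001I" in line)


# Constructed sample input (hypothetical users and simplified log lines).
SAMPLE_USERS = [
    "jdoe",
    "jane doe",
    "CN=Jane Doe,OU=Staff,O=Example",
    "uid=jdoe,ou=people,o=example",
    "tab\tuser",
]
SAMPLE_LOG = [
    "[8/9/22 10:00:01:000 UTC] 0000003a I CWWKS4001I: The security token cannot be validated.",
    "[8/9/22 10:00:01:050 UTC] 0000003a I SRVE0242I: sample unrelated entry",
    "[8/9/22 10:00:02:000 UTC] 0000003b I CWWKS4001I: The security token cannot be validated.",
]

if __name__ == "__main__":
    print("affected users:", triage_users(SAMPLE_USERS))
    print("CWWKS4001I entries:", count_token_failures(SAMPLE_LOG))
```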