IC76698: SPNEGO TOKEN GENERATED BY DATAPOWER INCOMPATIBLE WITH LATER FIXPACK LEVELS OF WEBSPHERE APPLICATION SERVER

APAR status

Closed as program error.

Error description

When WebSphere Application Server is the consumer of SPNEGO
tokens generated by a DataPower appliance, the following error
may occur:

CWSPN0011E: An invalid SPNEGO token has been encountered while
authenticating a HttpServletRequest

This error is due to the addition of the
SDK fix that accompanied fixpack levels 6.1.0.35 and 7.0.0.15
and later of WebSphere Application Server:

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ86679

For additional information, refer to:
http://www-01.ibm.com/support/docview.wss?uid=swg21501903

Local fix

IZ86679 Fix is contained within the ibmjgssprovider.jar
located in directory -

  \was_install_dir\java\jre\lib\ibmjgssprovider.jar

Use of this jar obtained from a previous fixpack level can
alleviate the error but also removes the closing of security
exposure CVE-2010-1321 by APAR IZ86679 and hence should be
evaluated with respect to the customer environment.

Problem summary

This APAR adds two new properties to the Kerberos Keytab
configuration, one of which must be set for DataPower
compatibility with WebSphere Application Server fix pack levels
after JDK fix IZ86679 delivery in 6.1.0.35 & 7.0.0.15.

The first property is "Generate GSS-API Checksum in AP-REQ" and
defaults to off. Enable this property to generate an SPNEGO
token that is compatible with the identified fix pack levels of
WebSphere Application Server.

The second property is "GSS-API Checksum Flags" is optional and
typically can be left at its default settings. You might need to
modify the bitmap for compatibility purposes with other Kerberos
GSS-API endpoints that require specific checksum flag values.

The new properties are documented in online help and information
center.

Problem conclusion

The fix will be in 3.8.0.14 3.8.1.14 3.8.2.5 4.0.1.2

Temporary fix

Comments

APAR Information

APAR number
IC76698
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
381
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-06-01
Closed date
2011-07-28
Last modified date
2011-08-02

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
DATAPOWER
Fixed component ID
DP1234567

Applicable component levels

R381 PSY
UP
R382 PSY
UP
R401 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.8.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
11 February 2022

Tips

IC76698: SPNEGO TOKEN GENERATED BY DATAPOWER INCOMPATIBLE WITH LATER FIXPACK LEVELS OF WEBSPHERE APPLICATION SERVER

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R381 PSY

R382 PSY

R401 PSY

Document Information

Share your feedback

Need support?