IBM Support

IC76698: SPNEGO TOKEN GENERATED BY DATAPOWER INCOMPATIBLE WITH LATER FIXPACK LEVELS OF WEBSPHERE APPLICATION SERVER

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

Local fix

  • IZ86679 Fix is contained within the ibmjgssprovider.jar
    located in directory -
    
      \was_install_dir\java\jre\lib\ibmjgssprovider.jar
    
    Use of this jar obtained from a previous fixpack level can
    alleviate the error but also removes the closing of security
    exposure CVE-2010-1321 by APAR IZ86679 and hence should be
    evaluated with respect to the customer environment.
    

Problem summary

  • This APAR adds two new properties to the Kerberos Keytab
    configuration, one of which must be set for DataPower
    compatibility with WebSphere Application Server fix pack levels
    after JDK fix IZ86679 delivery in 6.1.0.35 & 7.0.0.15.
    
    The first property is "Generate GSS-API Checksum in AP-REQ" and
    defaults to off. Enable this property to generate an SPNEGO
    token that is compatible with the identified fix pack levels of
    WebSphere Application Server.
    
    The second property is "GSS-API Checksum Flags" is optional and
    typically can be left at its default settings. You might need to
    modify the bitmap for compatibility purposes with other Kerberos
    GSS-API endpoints that require specific checksum flag values.
    
    The new properties are documented in online help and information
    center.
    

Problem conclusion

  • The fix will be in 3.8.0.14 3.8.1.14 3.8.2.5 4.0.1.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC76698

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    381

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-06-01

  • Closed date

    2011-07-28

  • Last modified date

    2011-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • R381 PSY

       UP

  • R382 PSY

       UP

  • R401 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.8.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
11 February 2022