IC98670: DATAPOWER DOES NOT VALIDATE AND ACCEPT OAUTH TOKEN WHICH IS URL SAFE BASED ON RFC 4648 SPECIFICATIONS

Fix packs for DataPower XML Security Gateway version 6.0
Fix packs for DataPower B2B Appliance version 6.0
Fix packs for DataPower Integration Appliance version 6.0
Fix packs for DataPower Low Latency Appliance version 6.0
Fix packs for DataPower Service Gateway version 6.0
Fix packs for DataPower Service Gateway version 6.0.1
Fix packs for DataPower B2B Appliance version 6.0.1
Fix packs for DataPower Integration Appliance version 6.0.1

APAR status

• Closed as program error.

Error description

• The DataPower 7.0 firmware generates OAuth token "url safe" per
  RFC 4648.
  
  In a cluster environment, if the 7.0 generated token is
  used/verified by a prior firmware, crypto verification (decrypt
  and verify) fails if the token contains "/" or "+".
  

Local fix

Problem summary

• Token validation might fail if the token is not URL-encoded but
  safe per RFC 4648.
  
  For a pre-7.0 releases of DataPower to verify the tokens
  generated by firmware 7.0, this fix is required.
  
  Tokens generated using pre-7.0 firmware releases of DataPower
  still need to be url-encoded.
  

Problem conclusion

• Fix is available in 5.0.0.14, 6.0.0.6, and 6.0.1.2.
  
  
  For a list of the latest fix packs available, please see:
  http://www-01.ibm.com/support/docview.wss?uid=swg21237631
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  DATAPOWER

• Fixed component ID

  DP1234567

Applicable component levels

• R500 PSY

     UP

• R600 PSY

     UP

• R601 PSY

     UP