IBM Support

IJ29317: JAVA 1.8.0_261 JAVA SE RE 8.0.6.15 GSSCONTEXT CAN NOT BE ESTABLISHED WITH A VALID SPNEGO OR KERBEROS TOKEN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Problem Summary:
    
    Per RFC-1510 The Kerberos Network Authentication Service (V5)
    the use of message sequence numbers is OPTIONAL.  If message
    sequence
    numbers are NOT used, the associated field in the Kerberos
    client Authenticatior is NULL.  The changes associated with
    PR142695 "Oracle Security
    Fix 8226352: Improve Kerberos interop capabilities" did not
    properly allow for the legacy JGSS component NULL sequence
    number handling.
    
    
    Error Message:
    
    java.lang.NullPointerException:
      at
    com.ibm.security.jgss.mech.krb5.Krb5Context.authenticate(Krb5Con
    text.java:2314)
      at
    com.ibm.security.jgss.mech.krb5.Krb5Context.acceptSecContext(Krb
    5Context.java:885)
      at
    com.ibm.security.jgss.mech.krb5.Krb5Context.acceptSecContext(Krb
    5Context.java:940)
      at
    com.ibm.security.jgss.mech.spnego.SPNEGOContext.processInitToken
    (SPNEGOContext.java:1303)
      at
    com.ibm.security.jgss.mech.spnego.SPNEGOContext.acceptSecContext
    (SPNEGOContext.java:660)
      at
    com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
    Impl.java:586)
      at
    com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
    Impl.java:493)
    

Local fix

  • n/a
    

Problem summary

  • Java.lang.NullPointerException in Krb5Context.authenticate()
    with NULL client message sequence number. 
    
    PROBLEM DESCRIPTION:
    
    Per RFC-1510 The Kerberos Network Authentication Service (V5)
    the use of message sequence numbers is OPTIONAL.  If message
    sequence
    numbers are NOT used, the associated field in the Kerberos
    client Authenticator is NULL.  The changes associated with
    PR142695 "Oracle Security Fix 8226352: Improve Kerberos interop
    capabilities" did not properly allow for the legacy JGSS
    component NULL sequence number handling.
    
    java.lang.NullPointerException:
        at
    com.ibm.security.jgss.mech.krb5.Krb5Context.authenticate(Krb5Con
    text.java:2314)
        at
    com.ibm.security.jgss.mech.krb5.Krb5Context.acceptSecContext(Krb
    5Context.java:885)
        at
    com.ibm.security.jgss.mech.krb5.Krb5Context.acceptSecContext(Krb
    5Context.java:940)
        at
    com.ibm.security.jgss.mech.spnego.SPNEGOContext.processInitToken
    (SPNEGOContext.java:1303)
        at
    com.ibm.security.jgss.mech.spnego.SPNEGOContext.acceptSecContext
    (SPNEGOContext.java:660)
        at
    com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
    Impl.java:586)
        at
    com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
    Impl.java:493)
    

Problem conclusion

  • Added Kerberos client Authenticator NULL sequence number
    handling to
    com.ibm.security.jgss.mech.krb5.Krb5Context.authenticate()
    
    The files affected by this APAR are:  ibmjgssprovider.jar (build
    build_20201120--28).
    The associated Hursley RTC Problem Report is 144525.
    The associated Austin Git issue is Issue# 1 for IBMJGSS.
    The associated Austin APAR issue is IJ29317.
    JVMs affected include: Java 8.0.
    The fix was delivered for Java 8.0 SR6 FP25.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ29317

  • Reported component name

    JAVA SECURE SOC

  • Reported component ID

    TIVSECJSS

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-11-17

  • Closed date

    2020-11-23

  • Last modified date

    2020-11-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA SECURE SOC

  • Fixed component ID

    TIVSECJSS

Applicable component levels

[{"Line of Business":{"code":null,"label":null},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSWKFH","label":"Tivoli Components - Java Security"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"600"}]

Document Information

Modified date:
24 November 2020