APAR status
Closed as program error.
Error description
Multi-Enterprise Integration Gateway 1.0.0.1

Verification of the SAML assertion against its digest is failing within a specific Auth Proxy located downstream from Multi-Enterprise Integration Gateway (MEIG).

Within the Authentication User Exit, the decrypted assertion is inserted into the Security Assertion Markup Language (SAML) element of the Business Document Object (BDO) using the bdo.setSAMLAssertion() method. The assertion is passed as a string with '<' and '>' escaped. This string is then passed into the wsse:Security header of the SOAP request that passes through the Auth Proxy. The DocumentKeywordReplace service is then run on the SOAP request to convert these characters back, resulting in a legal XML request.

The SAML assertion is expected to be byte-for-byte identical to the string output of the SAML decryption step within the Authentication User Exit. However, the Auth Proxy cannot verify the SAML against its digest, which indicates that the SAML is changing at some point.

When the encrypted assertion is intercepted before reaching MEIG, decryption and verification against the digest always complete successfully. Digest verification within the user exit also always completes without error. Therefore, it can be confidently concluded that the issue is introduced when the SAML is inserted into the BDO.
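The byte-for-byte expectation above can be checked with a small diagnostic. This is an added example, not IBM or MEIG code: it hashes an assertion before and after an escape/unescape round trip and reports the first differing byte. The APAR does not state which transformation altered the bytes; the `&lt;`/`&gt;` entity form, the helper names and both sample assertions are assumptions constructed to show one way such a round trip can be lossy.

```python
import hashlib

def escape_angle(s: str) -> str:
    """Escape only '<' and '>' (entity form is an assumption)."""
    return s.replace("<", "&lt;").replace(">", "&gt;")

def unescape_angle(s: str) -> str:
    """Reverse replacement, standing in for the keyword-replace step."""
    return s.replace("&lt;", "<").replace("&gt;", ">")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def check_round_trip(assertion: str) -> dict:
    """Compare the assertion with its escaped-then-unescaped copy."""
    before = assertion.encode("utf-8")
    after = unescape_angle(escape_angle(assertion)).encode("utf-8")
    off = first_difference(before, after)
    return {
        "identical": off is None,
        "offset": off,
        "digest_before": sha256_hex(before),
        "digest_after": sha256_hex(after),
        # A few bytes around the change, to show what was rewritten.
        "context": None if off is None
        else after[max(0, off - 20):off + 20].decode("utf-8", "replace"),
    }

# Constructed samples, not real assertions.
CLEAN = ('<saml:Assertion ID="_a1"><saml:Subject>alice'
         '</saml:Subject></saml:Assertion>')
# Already contains an entity; escaping only '<' and '>' leaves it
# untouched, so the reverse replacement rewrites it as well.
WITH_ENTITY = ('<saml:Assertion ID="_a2"><saml:AttributeValue>a &lt; b'
               '</saml:AttributeValue></saml:Assertion>')

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("WITH_ENTITY", WITH_ENTITY)):
        print(name, check_round_trip(sample))
```

Running the same comparison on the string captured in the user exit and the string received by the downstream verifier narrows down which hop changes the assertion.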
Local fix
STRRTC - 27381 DW / DW

Circumvention: Send the SAML as a Message Property (within the BDO) after it is decrypted in the user exit. The SAML sent in the Message Properties is then added to the SAML tag within the BDO by SI (Request router) to Auth Proxy. This request passes successfully through the Auth Proxy without any issues.
Problem summary
Incorrect processing of SAML token passed to user-exit.
Problem conclusion
Corrected the processing of SAML tokens that are passed to user-exits.
Temporary fix
ECUREP: /ecurep/fromibm/other/b2bcommerce/meig/PMR_20263,102,616/MEG-1.0.0.1-MediaImage.zip
Comments
APAR Information
APAR number
IT04123
Reported component name
MULTI-ENT INT G
Reported component ID
5725Q7200
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-09-02
Closed date
2014-09-30
Last modified date
2014-10-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
COMMS
Fix information
Fixed component name
MULTI-ENT INT G
Fixed component ID
5725Q7200
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
14 October 2014