APAR status
Closed as program error.
Error description
Error Message: IBM JGSS does not read expected TGT from the credential cache file.

Stack Trace:
[KRB_DBG_TGS] KrbTgsReq:main: >>>KrbTgsReq: asCreds.flags PRE-AUTHENT
[KRB_DBG_TGS] KrbTgsReq:main: >>>KrbTgsReq: KDCOptions.FORWARDABLE, does not match that from asCreds.flags
[KRB_DBG_TGS] TgsCredentials:main: >>>Credentials acquireSvcCreds: no tgt; searching backwards
[KRB_DBG_TGS] TgsCredentials:main: >>>Credentials acquireSvcCreds: no tgt; cannot get creds
java.lang.Exception: No credential
    at com.ibm.security.jgss.i18n.I18NException.throwException(I18NException.java:21)
    at com.ibm.security.krb5.internal.n.d(n.java:161)
    at com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.java:238)
    at com.ibm.security.jgss.mech.krb5.n.a(n.java:1955)
    at com.ibm.security.jgss.mech.krb5.n.initSecContext(n.java:1484)
    at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:336)
    at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:631)
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
Local fix
Problem summary
When there are multiple TGTs in the credentials cache, IBM JGSS selects the first one as the TGT for the default realm. The first one may not be the TGT for the default realm. A realm check needs to be added when selecting the TGT for the default realm.
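As an added illustration (not IBM's code and not part of the APAR), the Python sketch below models the selection described above over MIT-style `klist` output: taking the first TGT in the cache versus taking the one that passes a realm check. The sample output, the realm names, the function names and the assumption that the default-realm TGT has the form krbtgt/REALM@REALM are all constructed for this example.

```python
import re

# Constructed sample of MIT-style `klist` output (realms, times, path and
# entry order are made up for this example).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CORP.EXAMPLE

Valid starting     Expires            Service principal
02/25/15 09:00:00  02/25/15 19:00:00  krbtgt/PARTNER.EXAMPLE@CORP.EXAMPLE
02/25/15 09:00:05  02/25/15 19:00:05  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
02/25/15 09:01:10  02/25/15 19:01:10  ldap/dc1.corp.example@CORP.EXAMPLE
"""

TGT_RE = re.compile(r"krbtgt/([^@\s]+)@(\S+)")

def list_tgts(klist_text):
    """Return (target_realm, issuing_realm) for each TGT, in cache order."""
    tgts = []
    for line in klist_text.splitlines():
        fields = line.split()
        match = TGT_RE.fullmatch(fields[-1]) if fields else None
        if match:
            tgts.append((match.group(1), match.group(2)))
    return tgts

def pick_first(tgts):
    """Selection without a realm check: whatever TGT comes first."""
    return tgts[0] if tgts else None

def pick_for_realm(tgts, default_realm):
    """Selection with a realm check (assumed form: krbtgt/REALM@REALM)."""
    for tgt in tgts:
        if tgt == (default_realm, default_realm):
            return tgt
    return None

def cache_order_matters(klist_text, default_realm):
    """True when the two selections disagree, i.e. the cache order decides
    which TGT a first-match selection would use."""
    tgts = list_tgts(klist_text)
    return pick_first(tgts) != pick_for_realm(tgts, default_realm)

if __name__ == "__main__":
    print(list_tgts(SAMPLE_KLIST))
    print(cache_order_matters(SAMPLE_KLIST, "CORP.EXAMPLE"))
```

A cache for which `cache_order_matters` returns True is one where a JVM level without the fix could fail as in the error description, so it is a quick way to tell this APAR apart from an expired or missing TGT.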
Problem conclusion
Check realm when selecting TGT from cache for the default realm.

The corresponding Austin defect is 116417.
The corresponding Hursley defect is 202679.
The corresponding RTC Problem Report is 86289.

Platform affected: All platforms.
JVMs affected: 5.0, 6.0, 6.26, 7.0, 7.27.
Jars affected: ibmjgssprovider.jar.

The fix will be available in 150_SR16_FP10, 160_SR16_FP4, 626_SR8_FP4, 170_SR9, 727_SR3.
Build level is 20150224.

This APAR will be fixed in the following Java Releases:
7 SR9 (7.0.9.0)
5.0 SR16 FP10 (5.0.16.10)
6 SR16 FP4 (6.0.16.4)
6 R1 SR8 FP4 (6.1.8.4)
7 R1 SR3 (7.1.3.0)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV69929
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-02-25
Closed date
2015-03-04
Last modified date
2015-03-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R600 PSY
UP
Document Information
Modified date:
07 December 2020