APAR status
Closed as unreproducible in next release.
Error description
When WebSEAL checks whether the port you specify when configuring is free, e.g. 80 and 443 for HTTP and HTTPS, the check can fail if there is an established connection to/from *anything* with the same port, even if it is for a different IP address than the one you specify that WebSEAL will use. I believe that this can be fixed by using a setsockopt before doing a bind, because it does not fail when *starting* WebSEAL, and that seems to be the only difference, syscall-wise, in the procedure for setting up the port.

All the gory details:

ifconfig -a:

root@ono /heim/et2692 $ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.193.9.88 netmask ffffff00 broadcast 10.193.9.255
        ether 0:3:ba:ed:b6:fd
bge0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.193.9.172 netmask ffffff00 broadcast 10.193.9.255
bge0:2: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.193.9.136 netmask ffffff00 broadcast 10.193.9.255
bge0:3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.193.9.21 netmask ffffff00 broadcast 10.193.9.255
bge0:4: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.193.9.190 netmask ffffff00 broadcast 10.193.9.255
bge1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 3
        inet 10.154.121.16 netmask ffffff00 broadcast 10.154.121.255
        ether 0:3:ba:ed:b6:fe

What listens on port 80/443 on the machine:

10.193.9.172.80      *.*    0  0 49152  0 LISTEN
10.193.9.172.443     *.*    0  0 49152  0 LISTEN
10.193.9.88.80       *.*    0  0 49152  0 LISTEN
10.193.9.88.443      *.*    0  0 49152  0 LISTEN
10.193.9.21.80       *.*    0  0 49152  0 LISTEN
10.193.9.21.443      *.*    0  0 49152  0 LISTEN

Established connections:

root@ono /heim/et2692 $ netstat -an | egrep '\.80|\.443' | grep EST
10.193.9.88.443      10.196.3.73.2546   63238  0 49640  0 ESTABLISHED
10.193.9.88.22       10.196.3.174.4438  64512  0 49640  0 ESTABLISHED

Running WebSEAL instances:

root@ono /heim/et2692 $ ps -fu ivmgr
     UID   PID  PPID  C    STIME TTY      TIME CMD
   ivmgr 19832     1  0 14:09:30 ?        0:10 /opt/pdweb/bin/webseald -config etc/webseald-avtalebank.conf
   ivmgr 19842     1  0 14:09:37 ?        1:25 /opt/pdweb/bin/webseald -config etc/webseald-default.conf
   ivmgr 19813     1  0 14:09:22 ?        0:04 /opt/PolicyDirector/bin/pdacld
   ivmgr 22879     1  0 12:11:58 ?        0:02 /opt/pdweb/bin/webseald -config etc/webseald-streaming.dnbnor.no.conf

Procedure for configuring another WebSEAL. Please note that port 80 seems to work, while 443 fails, which leads me to believe that it is already established connections to a different IP address, not ports listened to, that matter, since there are no connections towards any port 80, but there are both ports listened to and an established connection towards a port 443.

Reproduction:

14:56:23 root@tokuso /heim/et2692 # ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.193.8.123 netmask ffffff00 broadcast 10.193.8.255
        ether 0:3:ba:3b:31:23
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.193.8.6 netmask ffffff00 broadcast 10.193.8.255
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.154.119.123 netmask ffffff00 broadcast 10.154.119.255
        ether 0:3:ba:3b:31:24

Access Manager WebSEAL Setup Menu
1. Configure
2. Unconfigure
3. Display Configuration Status
x. Return to Access Manager Setup Menu
Please select the menu item [x]: 1
Enter WebSEAL instance name [default]: test1
Use logical network interface (y/n) [n]? y
Enter IP address of logical network interface (xxx.xxx.xxx.xxx): 10.193.8.6
Enter WebSEAL hostname [tokuso]:
Enter WebSEAL listening port [7234]:
Enter administrator ID [sec_master]:
Enter administrator password:
Enable SSL communication with the LDAP server (y/n) [y]? n
Allow HTTP access (y/n) [y]? y
Enter HTTP port [80]:
Allow secure HTTPS access (y/n) [y]?
Enter HTTPS port [443]:
Enter Web document root directory [/opt/pdweb/www-test1/docs]:
Configuring WebSEAL instance 'test1'...
Starting the: webseald-test1
The WebSEAL instance 'test1' has been successfully configured.
Press <Enter> to continue...

No connection to any:

Access Manager WebSEAL Setup Menu
1. Configure
2. Unconfigure
3. Display Configuration Status
x. Return to Access Manager Setup Menu
Please select the menu item [x]: 1
Enter WebSEAL instance name: test2
Use logical network interface (y/n) [n]? y
Enter IP address of logical network interface (xxx.xxx.xxx.xxx): 10.193.8.123
Enter WebSEAL hostname [tokuso]:
Enter WebSEAL listening port [7235]:
Enter administrator ID [sec_master]:
Enter administrator password:
Enable SSL communication with the LDAP server (y/n) [y]? n
Allow HTTP access (y/n) [y]?
Enter HTTP port [80]:
Allow secure HTTPS access (y/n) [y]?
Enter HTTPS port [443]:
Enter Web document root directory [/opt/pdweb/www-test2/docs]:
Configuring WebSEAL instance 'test2'...
Starting the: webseald-test2
The WebSEAL instance 'test2' has been successfully configured.
Press <Enter> to continue...

Unconfiguring, then telnetting to 10.193.8.6 port 443 and leaving it open:

vegard@rapputoppu:~$ telnet 10.193.8.6 443
Trying 10.193.8.6...
Connected to 10.193.8.6.
Escape character is '^]'.

And:

Access Manager WebSEAL Setup Menu
1. Configure
2. Unconfigure
3. Display Configuration Status
x. Return to Access Manager Setup Menu
Please select the menu item [x]: 1
Enter WebSEAL instance name: test2
Use logical network interface (y/n) [n]? y
Enter IP address of logical network interface (xxx.xxx.xxx.xxx): 10.193.8.123
Enter WebSEAL hostname [tokuso]:
Enter WebSEAL listening port [7235]:
Enter administrator ID [sec_master]:
Enter administrator password:
Enable SSL communication with the LDAP server (y/n) [y]? n
Allow HTTP access (y/n) [y]?
Enter HTTP port [80]:
Allow secure HTTPS access (y/n) [y]?
Enter HTTPS port [444]: 443
2010-05-21-15:03:37.873+02:00I----- 0x389D51D2 amwebcfg ERROR wcf Error WebCfgMain.cpp 2497 0x00000001 DPWCF0466E Port '443' is already in use.

See Work Item XX00408.

Bill Hannon added: if validatePortInUse() was passed an additional true/false parameter, then in validConfigInputs() under "if ( configValues->nwinterYN_ )" the value could be true, else the value could be false. The logic of validatePortInUse() would then have to be modified to handle this case.
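As an added illustration (not from the APAR, and not IBM's amwebcfg or webseald code), here is a C port-availability probe built on the reporter's suggestion: set SO_REUSEADDR before the test bind() on the specific interface address, so only a socket actually bound to that address:port yields EADDRINUSE, while established connections that merely share the port number do not. The function names, the loopback listener used as a stand-in for a running instance and the kernel-chosen port are assumptions of this demo; the probe also goes slightly beyond the report by separating "port already bound" from "interface address not configured" (EADDRNOTAVAIL).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP socket bound to ip:port with SO_REUSEADDR set *before* bind(), as a
 * server does at startup. Returns the fd, or -1 with errno from the failing
 * call (EADDRINUSE: already bound there; EADDRNOTAVAIL: no such interface). */
static int bind_reuse(const char *ip, int port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port) };
    int fd, one = 1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { errno = EINVAL; return -1; }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno; close(fd); errno = err; return -1;
    }
    return fd;
}

/* Config-time probe (hypothetical name): 1 = a socket is already bound to
 * ip:port, 0 = free, -1 = other error (bad address, interface not configured). */
int port_in_use(const char *ip, int port)
{
    int fd = bind_reuse(ip, port);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EADDRINUSE ? 1 : -1;
}

/* Stand-in for a running instance: listen on ip:*port (0 = kernel picks),
 * write the chosen port back, return the listening fd or -1. */
int start_listener(const char *ip, int *port)
{
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    int fd = bind_reuse(ip, *port);
    if (fd < 0) return -1;
    if (listen(fd, 8) < 0 || getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    int port = 0, lfd = start_listener("127.0.0.1", &port);          /* constructed loopback sample */
    printf("while listening: %d\n", port_in_use("127.0.0.1", port)); /* 1 */
    close(lfd);
    printf("after close: %d\n", port_in_use("127.0.0.1", port));     /* 0 */
}
```

SO_REUSEADDR semantics differ in detail between Solaris, the BSDs and Linux, so a probe like this should be validated on the platform the WebSEAL host actually runs.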
Local fix
n/a
Problem summary
This issue could not be recreated in the L3 lab environment. Platforms tested include Solaris 10, Windows, AIX, and Linux. We were able to successfully configure two instances on different network interfaces on the same HTTP and HTTPS ports on the same box in every case.
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
IZ78449
Reported component name
ACCESS MGR WEBS
Reported component ID
5724C0811
Reported release
600
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-07-01
Closed date
2010-10-22
Last modified date
2010-10-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
ACCESS MGR WEBS
Fixed component ID
5724C0811
Applicable component levels
R600 PSN
UP
Document Information
Modified date:
22 October 2010