APAR status
Closed as program error.
Error description
When basic authentication is used in a REST call to the IBM Process Server installed as CP4BA on OpenShift, the authentication may fail in rare cases because the Basic Authentication Trust Interceptor fails to decode the Zen JWT token. The same may also happen in the JAAS Login Module. You see in the logs:

[2022-04-21T00:36:20.864+0000] 00000054 com.ibm.ws.webcontainer.security.internal.TAIAuthenticator E CWWKS9109E: An unexpected exception occurred during Trust Association. The exception is java.lang.IllegalArgumentException: Illegal base64 character 2d
    at java.util.Base64$Decoder.decode0(Base64.java:725)
    at java.util.Base64$Decoder.decode(Base64.java:537)
    at java.util.Base64$Decoder.decode(Base64.java:560)
    at com.ibm.dba.ums.wlp.tai.util.UMSIdToken.<init>(UMSIdToken.java:107)
    at com.ibm.dba.ums.wlp.tai.BasicAuthenticationTAI.getIntrospectInfoFromZenToken(BasicAuthenticationTAI.java:884)
    at com.ibm.dba.ums.wlp.tai.BasicAuthenticationTAI.callZenFlows(BasicAuthenticationTAI.java:603)
    at com.ibm.dba.ums.wlp.tai.BasicAuthenticationTAI.authorize(BasicAuthenticationTAI.java:446)

PRODUCTS AFFECTED
IBM Cloud Pak for Business Automation
Local fix
N/A
Problem summary
The JWT standard (https://datatracker.ietf.org/doc/html/rfc7519) says: "A JWT is represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value." The code in the TAI and the JAAS login module deviates from this standard because it tries to decode the parts as base64-encoded values, not base64url-encoded values. The two encodings differ in only two characters: base64url uses - and _ where base64 uses + and /. The character 2d reported in the exception is the hexadecimal code of -.

PRODUCTS AFFECTED
IBM Cloud Pak for Business Automation
Problem conclusion
The fix delivers a version of the Basic Authentication Trust Interceptor and the JAAS Login Module that use the correct decoder for JWT tokens.
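The decoder mismatch can be reproduced with the JDK alone. The following is an added example, not IBM's code: the class name and the three claim sets are constructed for illustration. It shows why only some tokens fail, since a segment breaks java.util.Base64.getDecoder() only when its content happens to encode to - or _.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical demo class; not part of the product.
public class JwtSegmentDecodeDemo {

    // Decoding as RFC 7519 requires: base64url alphabet ('-' and '_').
    static String decodeUrlSafe(String segment) {
        byte[] raw = Base64.getUrlDecoder().decode(segment);
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Returns null when the standard-alphabet decoder ('+' and '/') accepts
    // the segment, otherwise the message of the exception it throws.
    static String basicDecoderError(String segment) {
        try {
            Base64.getDecoder().decode(segment);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed claim sets, not taken from a real Zen token.
        // '>' (0x3E) and '?' (0x3F) sit on the third byte of a 3-byte group,
        // so their low six bits become alphabet index 62 and 63, the only
        // two positions where base64 and base64url differ.
        String[] claims = {
            "{\"q\":\"abc\"}",
            "{\"q\":\"ab>\"}",
            "{\"q\":\"ab?\"}"
        };
        // JWT segments are base64url without '=' padding.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        for (String c : claims) {
            String segment = enc.encodeToString(c.getBytes(StandardCharsets.UTF_8));
            String err = basicDecoderError(segment);
            System.out.println(segment);
            System.out.println("  getDecoder():    " + (err == null ? "ok" : err));
            System.out.println("  getUrlDecoder(): " + decodeUrlSafe(segment));
        }
    }
}
```

A token whose segments contain neither character decodes with either decoder, which is consistent with the failure appearing only in rare cases.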
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR64883
Reported component name
CLOUD PAK FOR A
Reported component ID
5737I2300
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-05-11
Closed date
2022-05-12
Last modified date
2022-05-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CLOUD PAK FOR A
Fixed component ID
5737I2300
Applicable component levels
Document Information
Modified date:
13 May 2022