IBM Support

PH01676: CREATEKRBCONFIGFILE COMMAND LEAVES PIPE CHARACTER IN KERBEROS CONFIG FILE FOR ENCRYPT TYPES

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • If multiple encryption types are specified in
    createKrbConfigFile, Kerberos config file ends up with invalid
    encryption type
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: createKrbConfigFile command leaves      *
    *                      pipe characters in                      *
    *                      krb5.ini/krb5.conf file if              *
    *                      multiple encryption types are           *
    *                      specified                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When createKrbConfigFile is called with multiple encryption
    types with pipe characters as a separator, the output kerberos
    configuration file still keep the pipe character where correct
    format is to separate encryption types with space.
    Example:
    When following command is issued:
    $AdminTask createKrbConfigFile {-krbPath
    "C:\test\krb5.conf" -realm AUSTIN.IBM.COM -kdcHost
    ram.austin.ibm.com -dns austin.ibm.com -encryption
    aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96 -keytabPath
    "c:\test\test.keytab"}
    Without this apar (pipe character "|" remains)
    [libdefaults]
    default_tkt_enctypes =
    aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96
    With this apar (encryption type is separated by space)
    [libdefaults]
    default_tkt_enctypes =
    aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    

Problem conclusion

  • The bug was fixed so encryption types are correctly set in the
    Kerberos configuration file
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.15 and 9.0.0.10.  Please refer to the
    Recommended
    Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • After Kerberos Configuration file is created, manually remove
    pipe character
    

Comments

APAR Information

  • APAR number

    PH01676

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-08-15

  • Closed date

    2018-08-17

  • Last modified date

    2018-10-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021