IBM Support

PH14756: NULLPOINTEREXCEPTION IN CERTIFICATEMAPPER.GETDNSUBFIELD WEBSPHERE SETUP WITH GLOBAL SECURITY LDAP WITH SECURITY DOMAIN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • WebSphere is setup with the following:
    
    - Global Security using an LDAP user registry
    - LDAP Certificate map mode set to CERTIFICATE_FILTER
    - Security Domain which contains XML for a federated repository
    
    <userRegistries xmi:type="security:WIMUserRegistry"
    xmi:id="WIMUserRegistry_1562623727494"
    realm="defaultWIMFileBasedRealm" ignoreCase="false"
    useRegistryRealm="true" registryClassName="c
    om.ibm.ws.wim.registry.WIMUserRegistry"/>
    
    Note: the federated repository may not be the activeUserRegistry
    
    An inbound web request with mutual authentication will fail with
    a nullpointerexception in method
    CertificateMapper.getDnSubField.
    
    The example stacktrace is:
    
    Trace: 2019/07/07 18:33:44.980 02 t=9AD4B8 c=UNK key=P8 tag=
    (13007004)
       SourceId: com.ibm.ws.security.core.UserMappingImpl
       ExtendedMessage: The following exception occurred in
    UserMappingImpl when calling mapCertificate: ;
    java.lang.NullPointerException
    com.ibm.ws.security.registry.ldap.CertificateMapper.getDnSubFiel
    d(CertificateMapper.java:271)
    com.ibm.ws.security.registry.ldap.CertificateMapper.getFilterByD
    escriptor(CertificateMapper.java:208)
    com.ibm.ws.security.registry.ldap.CertificateMapper.getLdapSearc
    hFilter(CertificateMapper.java:137)
    com.ibm.ws.security.registry.ldap.LdapRegistryImpl.mapCertificat
    e(LdapRegistryImpl.java:573)
    com.ibm.ws.security.registry.UserRegistryImpl.mapCertificate(Use
    rRegistryImpl.java:433)
    com.ibm.ws.security.core.UserMappingImpl.mapCertificateToName(Us
    erMappingImpl.java:120)
    com.ibm.ws.security.zOS.SAFIdentityMapper.mapCertificateUsingCon
    figuredUserMapping(SAFIdentityMapper.java:75)
    com.ibm.ws.security.zOS.SAFIdentityMapper.mapTransportLayerCerti
    ficateToName(SAFIdentityMapper.java:123)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.5                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: When using Security Domains it was      *
    *                      noted that Federated Repositories was   *
    *                      used as the User Registry despite       *
    *                      the expectation is to use the Global    *
    *                      Security settings.                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When using Security Domains it was
    noted that Federated Repositories was
    used as the User Registry even though
    the expectation is to use the Global
    Security settings. A possible workaround could be removing the
    wim user registry configuration from the domain-security.xml.
    

Problem conclusion

  • The code was review and updated so that the Global Security
    settings are honored when using Security Domains
    
    The fix for this APAR is targeted for inclusion in fix pack
    9.0.5.4 and 8.5.5.18.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH14756

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-23

  • Closed date

    2020-03-06

  • Last modified date

    2020-03-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCWL8S","label":"General"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
27 March 2020