IBM Support

PH16741: CLIENT CERTIFICATE AUTHENTICATION NOT FINDING PREVIOUSLY LOGGED IN SUBJECT


APAR status

  • Closed as program error.

Error description

  • Application is configured with client certificate
    authentication, and the client's personal certificate is sent on
    every request.  A user that had logged in successfully may not be
    found on a subsequent request.
    
    
    The error can surface in various ways; a role violation
    is one example.
    
    +BBOO0222I: SECJ0129E: Authorization failed for user USER:REALM
    while invoking POST on default_host:/Application/URL,
    Authorization  failed, Not granted any of the required roles:
    APP.ROLE.NAME
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.5  and V9.0                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Certificate logins do not               *
    *                      successfully cache Subjects in          *
    *                      AuthCache.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Clients using Certificate Authentication perform a full
    login on each request because the Subjects created were not
    properly cached. This results in poor performance.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PH16741

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-09-12

  • Closed date

    2019-11-11

  • Last modified date

    2019-11-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R850 PSY

       UP


Document Information

Modified date:
15 October 2021