Fixes are available
APAR status
Closed as program error.
Error description
The API buildSpnegoAuthorizationFromCallerSubject() in SpnegoTokenHelper fails intermittently due to the lack of KRBAuthnToken in the Subject.

Sample error stack:

Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
    major string: Invalid credentials
    minor string: None
    at com.ibm.wsspi.security.token.SpnegoTokenHelper.buildSpnegoAuthorization(SpnegoTokenHelper.java:556)
    at com.ibm.wsspi.security.token.SpnegoTokenHelper.access$400(SpnegoTokenHelper.java:60)
    at com.ibm.wsspi.security.token.SpnegoTokenHelper$3.run(SpnegoTokenHelper.java:302)
    at java.security.AccessController.doPrivileged(AccessController.java:703)
    at com.ibm.wsspi.security.token.SpnegoTokenHelper.buildSpnegoAuthorizationFromSubject(SpnegoTokenHelper.java:289)
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server who propagate KRBAuthnToken          *
*                  outbound.                                   *
****************************************************************
* PROBLEM DESCRIPTION: SpnegoTokenHelper APIs fail             *
*                      intermittently due to the lack of       *
*                      KRBAuthnToken in the subject.           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

When an initial SPNEGO single sign-on happens, WebSphere authenticates the incoming SPNEGO token and creates a Subject for the user. This Subject contains a KRBAuthnToken. After authentication, WebSphere creates an LtpaToken, saves the Subject in its internal Subject cache using the LtpaToken as the key, and sends the LtpaToken back in the HTTP response. This LtpaToken is subsequently used for authentication between the browser and the WebSphere server.

When the cached Subject times out, WebSphere has to reconstruct the Subject from the incoming LtpaToken only. Since the LtpaToken carries no Kerberos information, the reconstructed Subject does not contain a KRBAuthnToken. This is working as designed: the user is required to re-authenticate with a SPNEGO token. Most of the time a new SPNEGO token arrives before the cached Subject goes away. Depending on the combination of cache timeout and token timeout, however, there can be a small time window in which a request carrying only the LtpaToken arrives first and SPNEGO re-authentication happens a little later. During this window, SpnegoTokenHelper fails because the Subject was reconstructed from the LtpaToken and lacks a KRBAuthnToken.
Problem conclusion
An option is introduced to look for the KRBAuthnToken in a private cache that holds it. By default, this cache is only consulted when Kerberos authentication is configured. The following custom property makes WebSphere look for the KRBAuthnToken in the cache even when Kerberos authentication is not enabled.

Custom property: com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit
Value: true (default is false)

Notes:
1. The outcome of this custom property differs depending on the LtpaToken timeout and the Kerberos ticket timeout.
2. As this option changes the content of the Subject, login modules or trust association interceptors that use the Kerberos token can behave differently. Before turning on the property, make sure other components are not affected.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.17 and 9.0.5.3. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
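As an added example for the timing window described in the problem summary and the behaviour of the helper described above (this is not IBM's code and not part of the APAR), an application-side guard that inspects the caller Subject for a KRBAuthnToken before calling SpnegoTokenHelper, and maps the GSSException major code 13 (NO_CRED) seen in the trace to a re-authentication path instead of a generic failure. It assumes a Servlet 3.0 web module on WebSphere 8.5.5 with SPNEGO web authentication, that WSSubject.getCallerSubject() returns the caller Subject, that the KRBAuthnToken is visible in the Subject's private credentials, and that ending the session and redirecting back is an acceptable way to trigger a fresh SPNEGO challenge; the target SPN is supplied by the caller.

```java
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.token.KRBAuthnToken;
import com.ibm.wsspi.security.token.SpnegoTokenHelper;

public final class OutboundSpnegoGuard {

    // Returns the outbound "Negotiate <token>" Authorization value for the caller, or
    // null when the caller Subject carries no KRBAuthnToken (it was reconstructed from
    // an LtpaToken after the cached Subject timed out, the window this APAR describes).
    public static String negotiateHeaderForCaller(String targetSpn) throws Exception {
        Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            return null; // request is not authenticated at all
        }
        // Inspect the Subject before calling the helper: otherwise the only signal is a
        // GSSException with major code 13 (NO_CRED, "Invalid credentials"), as in the trace.
        if (caller.getPrivateCredentials(KRBAuthnToken.class).isEmpty()) {
            return null;
        }
        try {
            return SpnegoTokenHelper.buildSpnegoAuthorizationFromCallerSubject(
                    targetSpn, GSSCredential.INDEFINITE_LIFETIME, false /* no delegation */);
        } catch (GSSException e) {
            if (e.getMajor() == GSSException.NO_CRED) {
                return null; // credential went away between the check and the call
            }
            throw e;
        }
    }

    // Servlet-side use: with no Kerberos credential, end the LTPA-only session and send
    // the browser back so WebSphere's SPNEGO web authentication challenges it again
    // (assumed re-authentication strategy). Returns the header to put on the outbound call.
    public static String headerOrRechallenge(HttpServletRequest req, HttpServletResponse resp,
                                             String targetSpn) throws Exception {
        String header = negotiateHeaderForCaller(targetSpn);
        if (header == null) {
            req.logout();                           // Servlet 3.0; revokes the LTPA cookie on WAS
            resp.sendRedirect(req.getRequestURI()); // retry without LtpaToken -> SPNEGO challenge
        }
        return header;
    }
}
```

With the APAR's custom property enabled, the private-credential check succeeds more often because the KRBAuthnToken is restored from the private cache; the guard still covers the case where the Kerberos ticket itself has expired.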
Temporary fix
Comments
APAR Information
APAR number
PH20055
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-12-08
Closed date
2020-01-07
Last modified date
2020-01-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
01 November 2021