Fixes are available
APAR status
Closed as program error.
Error description
When the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) initializes, if any provider configuration fails to load correctly, the TAI will not be enabled. If the TAI is configured for multiple providers, and at least one provider successfully passes config validation, the TAI should be enabled. The provider configuration entries in the OIDC TAI config are notated like provider.<id>.*.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OpenID Connect
PROBLEM DESCRIPTION: The OIDC TAI will not initialize successfully if any provider config fails to load.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

When the OIDC TAI performs initialization, if any provider config fails to load correctly, the TAI will report to the TrustAssociationManager that it has failed initialization. This will result in the TAI being disabled. No requests to the application server will be sent to the OIDC TAI by the TrustAssociationManager.
Problem conclusion
The TAI is updated so that it will only report to the TrustAssociationManager that it has failed initialization if there is a configuration error in the global configuration or if there are no provider configs that have initialized successfully. If there is at least one provider config that has initialized successfully and the global configuration is good, the OIDC TAI will report to the TrustAssociationManager that it has loaded successfully. When the TrustAssociationManager sends requests to the OIDC TAI, the TAI will only intercept requests for the provider configs that loaded successfully. All the 'bad' configs will be completely ignored.

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.18 and 9.0.5.3. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH21008
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-15
Closed date
2020-01-21
Last modified date
2020-09-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
07 December 2021