APAR status
Closed as new function.
Error description
A JAX-WS web service client request may not be sent to the provider when base security is enabled and there are issues with the security context that prevent the security context from being serialized. An error like the following may be seen in the logs:

======================
SECJ5010E: Could not create default AuthenticationToken during propagation login. The following exception occurred:
com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1187)
...
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365)
at com.ibm.ws.websvcs.utils.SecurityContextMigrator$5.run(SecurityContextMigrator.java:375)
at java.security.AccessController.doPrivileged(AccessController.java:734)
at com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext(SecurityContextMigrator.java:372)
at org.apache.axis2.util.ThreadContextMigratorUtil.performMigrationToContext(ThreadContextMigratorUtil.java:162)
...
at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.invoke(JAXWSProxyHandler.java:213)
======================
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server and JAX-WS web services               *
****************************************************************
* PROBLEM DESCRIPTION: When base security is enabled, a JAX-WS *
*                      client may not send a request to the    *
*                      provider due to security context        *
*                      serialization.                          *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
*                 APAR.                                        *
****************************************************************

A JAX-WS web service client request may not be sent to the provider when base security is enabled and there are issues with the security context that prevent it from being serialized.
Problem conclusion
On an application server, when a JAX-WS client makes a service call and base security is enabled, the WebSphere security context is serialized to the web services message context. This is done because downstream handlers may need to serialize the entire message context (WS-Reliable Messaging, for example). This serialization may cause core security to return errors for various reasons, for example: non-serializable objects are in the security context, or an LTPA token cannot be verified.

APAR PI07385 introduced a JAX-WS client property called com.ibm.websvcs.client.serializeSecurityContext. This property is set on the BindingProvider and is used to direct serialization of the security context in the com.ibm.ws.websvcs.utils.SecurityContextMigrator class.

With this APAR, the com.ibm.websvcs.client.serializeSecurityContext JAX-WS client property is extended to also be a JVM system property. If you do not want the security context to be serialized, set this property to false. The default is true. The value of the JVM property is the default setting. If the property is set on the BindingProvider, it overrides the JVM setting.

When com.ibm.websvcs.client.serializeSecurityContext is set to false, the security context is not serialized onto the MessageContext. A reference to the active context is used instead. This will cause problems if you are making an asynchronous service call or using a Reliable Messaging policy. The WS-Reliable Messaging qualities of service managed persistent and managed non-persistent require that the request, including the SecurityContext, is serializable to persistent storage. Therefore, if WS-Reliable Messaging is also configured on such a request with either the managed persistent or the managed non-persistent quality of service, the request will not be sent and you will receive a message like:

CWSKA0112E: There is a conflict between the WS-ReliableMessaging quality of service managedPersistent and the BindingProvider property com.ibm.websvcs.client.serializeSecurityContext having the value false.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.19 and 9.0.5.6. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
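The two messages quoted on this page can be separated in a server log by checking whether a SECJ5010E record carries the SecurityContextMigrator frame. The following Python is an added example, not IBM code; the record layout (a bracketed timestamp starting each record), the category names and the sample log lines are assumptions constructed for illustration.

```python
import re
# Message IDs, class name and property name come from the APAR text.
MIGRATOR = "com.ibm.ws.websvcs.utils.SecurityContextMigrator"
PROP = "com.ibm.websvcs.client.serializeSecurityContext"
ADVICE = {
    "client-serialization": f"JAX-WS client could not serialize the security context; see {PROP}",
    "other-propagation-login": "SECJ5010E without the migrator frame; not the client path described here",
    "rm-conflict": f"{PROP}=false conflicts with a managed WS-RM quality of service",
}
# Assumption: a record starts with a bracketed timestamp; lines without one
# (stack frames) continue the previous record.
RECORD_START = re.compile(r"^\[[^\]]+\]\s")

def split_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue  # ignore blank lines
        if RECORD_START.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    return ["\n".join(r) for r in records]

def triage(text):
    """Return (category, first line of record) for each relevant record."""
    findings = []
    for rec in split_records(text):
        if "SECJ5010E" in rec:
            kind = "client-serialization" if MIGRATOR in rec else "other-propagation-login"
        elif "CWSKA0112E" in rec:
            kind = "rm-conflict"
        else:
            continue
        findings.append((kind, rec.splitlines()[0]))
    return findings

# Constructed sample log: timestamps, thread IDs and component names are invented.
SAMPLE = """\
[9/3/20 10:15:02:123 EDT] 00000123 LTPAServerObj E   SECJ5010E: Could not create default AuthenticationToken during propagation login.
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1187)
    at com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext(SecurityContextMigrator.java:372)
[9/3/20 10:16:40:001 EDT] 00000140 LTPAServerObj E   SECJ5010E: Could not create default AuthenticationToken during propagation login.
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1187)
[9/3/20 10:20:11:500 EDT] 00000151 WSRMClient    E   CWSKA0112E: There is a conflict between the WS-ReliableMessaging quality of service managedPersistent and the BindingProvider property com.ibm.websvcs.client.serializeSecurityContext having the value false.
"""

if __name__ == "__main__":
    for kind, head in triage(SAMPLE):
        print(f"{kind}: {head[:70]}\n  -> {ADVICE[kind]}")
```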
Temporary fix
Comments
APAR Information
APAR number
PH29156
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-09-03
Closed date
2020-09-18
Last modified date
2020-09-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021