IBM Support

PH31682: OIDC RP MAY NOT LOAD CONFIG FROM A NON-DEFAULT SECURITY DOMAIN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect TAI may not load the correct configuration
    when running on an application server that uses a Security
    Domain that is not the default.  The TAI configuration from
    the default Security Domain may be used instead.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenId Connect and MSD                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI always loads the TAI       *
    *                      configuration from the default Security *
    *                      Domain.                                 *
    ****************************************************************
    * RECOMMENDATION:  Install a interim fix or fix pack that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    When the OpenID Connect (OIDC) Trust Association Interceptor
    (TAI)
    is running on a server that is using a Security Domain that is
    not
    the default Security Domain, the OIDC TAI may use the TAI
    configuration for the default Security Domain instead of the
    configured Security Domain.
    

Problem conclusion

  • When an application server starts, the trust association
    interceptors for the default Security Domain initialize.
    When
    the
    first request is received, if the server is in a different
    Security Domain, the TAIs will be initialized again using
    the
    settings from that Security Domain.
    
    When core security attempts to re-initialize the OIDC TAI
    using
    the new properties from the second Security Domain, they may
    not
    override all the properties from those set from the default
    Security Domain.
    
    The OIDC TAI is updated so that it will fully re-initialize
    when
    its initialize method is called the second time.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.7. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH31682

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-11-13

  • Closed date

    2020-12-07

  • Last modified date

    2020-12-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
08 December 2020