IBM Support

PI81602: Issues with updating SAF password when using Firefox or Chrome.

Fixes are available

8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11


APAR status

  • Closed as program error.

Error description

  • The AuthSAFExpiration and AuthSAFReEnter directives allow a
    user to change their password using basic authentication. This
    does not work as expected with Chrome and Firefox.
    
    In testing with Chrome, the browser no longer displays the
    realm in the basic authentication prompt. This means that users
    will not be notified that their password has expired when using
    Chrome.
    
    With Firefox, the browser can send multiple requests with the
    old password, filling the access logs with 401 responses and the
    error logs with these messages:
    AH01617: user <userid>: authentication failure for "<request>":
    Password Mismatch
    
    When a user provides credentials for basic authentication,
    Firefox will cache the credentials and provide them
    automatically for authentication requests with the same realm.
    This has been found to cause issues where Firefox will
    repeatedly respond to 401 responses with the cached credentials
    until Firefox finally gives up.
    
    This issue is particularly likely to happen when a user is
    prompted to update their password since we modify the realm to
    notify the user that their password has expired. A user will
    provide their initial credentials (which Firefox caches for the
    default realm) and be informed by mod_authnz_saf to update
    their password via the modified realm. An incorrect password
    being entered here will cause Firefox to cache the invalid
    credentials for the expired realm which then leads to the
    scenario where Firefox keeps trying to authenticate with the
    server with the cached credentials.
    
    For example:
    1. User types valid but expired password and Firefox caches it
    for default realm.
    2. User is prompted to update password but provides invalid
    password.  Firefox caches invalid password for expired realm.
    3. mod_authnz_saf responds to invalid password by asking user
    to authenticate again, Firefox responds with valid but expired
    credentials.
    4. mod_authnz_saf responds to valid but expired credentials by
    asking for password update, Firefox responds with invalid
    password.
    5. The cycle repeats until Firefox eventually gives up trying
    to authenticate the user and clears the cached credentials.
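
    The five-step cycle above, as an added simulation that is not IBM's
    code: a simplified mod_authnz_saf that switches realms to signal
    expiry, and a Firefox-like client that caches credentials per realm
    and replays them on every 401. The realm strings, the "expired1"
    password and the length-8 rule standing in for the SAF password
    policy are all assumptions made for the example.

```python
# Added example (not IBM's code): model of the realm-keyed credential cache
# and the mod_authnz_saf challenge sequence from the APAR, showing why one
# rejected new password at the expiry prompt turns into a 401 loop.
DEFAULT_REALM = "SAF"                    # assumed realm for the normal prompt
EXPIRED_REALM = "SAF password expired"   # assumed modified realm used as the expiry hint

class SafServer:
    """Simplified mod_authnz_saf: SAF password check plus in-band password update."""
    def __init__(self, password, expired=True):
        self.password, self.expired = password, expired

    def handle(self, password):
        """password is None or the Basic-auth password; returns (status, realm)."""
        if password is None:
            return 401, DEFAULT_REALM
        if password == self.password:
            # Valid password: accept it, or ask for an update if SAF says it expired.
            return (401, EXPIRED_REALM) if self.expired else (200, None)
        if len(password) >= 8:   # assumed rule standing in for the real SAF policy
            self.password, self.expired = password, False   # update accepted
            return 200, None
        # Wrong or rejected password: Password Mismatch, challenge again (step 3).
        return 401, DEFAULT_REALM

class FirefoxLikeBrowser:
    """Caches one credential per realm and replays it on every 401 for that realm."""
    def __init__(self, prompt, give_up_after=10):
        self.cache, self.prompt, self.give_up_after = {}, prompt, give_up_after

    def fetch(self, server):
        """Returns the list of (status, realm) exchanges until 200 or give-up."""
        status, realm = server.handle(None)
        exchanges = [(status, realm)]
        while status == 401 and len(exchanges) <= self.give_up_after:
            if realm not in self.cache:               # only prompts for an unseen realm
                self.cache[realm] = self.prompt(realm)
            status, realm = server.handle(self.cache[realm])
            exchanges.append((status, realm))
        if status == 401:
            self.cache.clear()   # step 5: browser gives up and drops cached credentials
        return exchanges

def run_scenario(new_password, give_up_after=10):
    """User knows the expired password; new_password is typed at the expiry prompt."""
    server = SafServer("expired1", expired=True)
    answers = {DEFAULT_REALM: "expired1", EXPIRED_REALM: new_password}
    return FirefoxLikeBrowser(lambda realm: answers[realm], give_up_after).fetch(server)
```

    Running `run_scenario("bad")` yields nothing but alternating 401s
    until the give-up limit, while `run_scenario("fresh-pw-2017")`
    finishes with a 200 on the third exchange.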
    

Local fix

  • To disable password update via basic authentication, remove or
    comment out these directives from the httpd configuration:
    
    # Remove these lines from the configuration
    AuthSAFExpiration custom-text
    AuthSAFReEnter custom-text
    
    To inform users that their SAF password has expired, create an
    error page (e.g. /error/saf_expired.html) and redirect to this
    error page using the AuthSAFExpiredRedirect directive. The user
    can then update their password through an alternative way (e.g.
    TSO).
    
    # Redirect to an error page upon password expiration.
    AuthSAFExpiredRedirect /error/saf_expired.html
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server (powered by        *
    *                  Apache)                                     *
    *                  mod_authnz_saf on z/OS.                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Issues with updating SAF password via   *
    *                      AuthSAFExpiredRedirect when using       *
    *                      Firefox or Chrome.                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Users may have trouble updating their SAF password via basic
    authentication (provided by AuthSAFExpiredRedirect) when using
    either Firefox or Chrome.
    When using Chrome, users may not be notified when their password
    has expired, as Chrome no longer displays the realm in the basic
    authentication prompt (as of Chrome 49). Without the expired
    password hint, unsuspecting users may keep getting prompted for
    their credentials even if they provided valid credentials, because
    mod_authnz_saf wants them to change their password.
    Firefox has a different issue where it may send several
    authentication requests to the server, resulting in an increase in
    CPU usage. The issue is known to happen if a user provides an
    incorrect password when mod_authnz_saf requested the user to
    update their password. This issue is attributed to how Firefox
    responds to basic authentication requests with cached
    credentials.
    These issues (and solutions) are described further here:
    http://publib.boulder.ibm.com/httpserv/ihsdiag/saf_expired_password.html
    

Problem conclusion

  • A password update handler 'saf-change-pw' is now included in
    mod_authnz_saf that allows users to change their password with a
    form. The saf-change-pw handler includes a default form so users
    do not have to provide their own.
    
    To enable the form-based password update handler, please follow
    the directions on this page:
    http://publib.boulder.ibm.com/httpserv/ihsdiag/saf_expired_password.html#form-saf-pw-update
    
    This fix is targeted for IBM HTTP Server fix packs:
     - 7.0.0.45
     - 8.0.0.14
     - 8.5.5.12
     - 9.0.0.5
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI81602

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    90P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-15

  • Closed date

    2017-06-14

  • Last modified date

    2018-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
03 May 2022