Fixes are available
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
The AuthSAFExpiration and AuthSAFReEnter directives allow a user to change their password using basic authentication. This does not work as expected with Chrome and Firefox. In testing with Chrome, the browser no longer displays the realm in the basic authentication prompt. This means that users will not be notified that their password has expired when using Chrome.

With Firefox, the browser can send multiple requests with the old password, filling up the access logs with 401 responses and the error logs with these messages:

    AH01617: user <userid>: authentication failure for "<request>": Password Mismatch

When a user provides credentials for basic authentication, Firefox will cache the credentials and provide them automatically for authentication requests with the same realm. This has been found to cause issues where Firefox will repeatedly respond to 401 responses with the cached credentials until Firefox finally gives up. This issue is particularly likely to happen when a user is prompted to update their password, since we modify the realm to notify the user that their password has expired. A user will provide their initial credentials (which Firefox caches for the default realm) and be informed by mod_authnz_saf to update their password via the modified realm. An incorrect password entered here will cause Firefox to cache the invalid credentials for the expired realm, which then leads to the scenario where Firefox keeps trying to authenticate with the server using the cached credentials. For example:

1. User types a valid but expired password and Firefox caches it for the default realm.
2. User is prompted to update the password but provides an invalid password. Firefox caches the invalid password for the expired realm.
3. mod_authnz_saf responds to the invalid password by asking the user to authenticate again; Firefox responds with the valid but expired credentials.
4. mod_authnz_saf responds to the valid but expired credentials by asking for a password update; Firefox responds with the invalid password.
5. The cycle repeats until Firefox eventually gives up trying to authenticate the user and clears the cached credentials.
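Added here as a defender-side illustration, not code from IBM or from the APAR: a Python check that parses the AH01617 "Password Mismatch" error-log lines the description mentions and flags the burst of failures for one client and user that a browser replaying cached credentials produces. The log lines, client addresses and user ids are constructed, and the line layout assumed is the Apache default ErrorLogFormat.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IHS/Apache error-log sample (timestamps, pids, client addresses and
# user ids are made up); the AH01617 message text is the one the APAR describes.
SAMPLE_ERROR_LOG = """\
[Mon May 15 10:00:01.000000 2017] [auth_basic:error] [pid 4242] [client 10.0.0.5:51234] AH01617: user alice: authentication failure for "/secure/app": Password Mismatch
[Mon May 15 10:00:01.400000 2017] [auth_basic:error] [pid 4242] [client 10.0.0.5:51234] AH01617: user alice: authentication failure for "/secure/app": Password Mismatch
[Mon May 15 10:00:01.800000 2017] [auth_basic:error] [pid 4242] [client 10.0.0.5:51234] AH01617: user alice: authentication failure for "/secure/app": Password Mismatch
[Mon May 15 10:00:02.200000 2017] [auth_basic:error] [pid 4242] [client 10.0.0.5:51234] AH01617: user alice: authentication failure for "/secure/app": Password Mismatch
[Mon May 15 10:00:02.600000 2017] [auth_basic:error] [pid 4242] [client 10.0.0.5:51234] AH01617: user alice: authentication failure for "/secure/app": Password Mismatch
[Mon May 15 10:00:09.000000 2017] [auth_basic:error] [pid 4243] [client 10.0.0.9:40001] AH01617: user bob: authentication failure for "/secure/app": Password Mismatch
"""

# One AH01617 "Password Mismatch" line in the default ErrorLogFormat (assumed layout).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+\] \[client (?P<client>[^\]:]+)(?::\d+)?\] '
    r'AH01617: user (?P<user>[^:]+): authentication failure for "[^"]*": Password Mismatch$'
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

def parse_mismatches(text):
    """Return (timestamp, client_ip, user) for every AH01617 Password Mismatch line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated error-log lines are skipped
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            events.append((ts, m.group("client"), m.group("user")))
    return events

def find_retry_storms(events, window=timedelta(seconds=10), threshold=5):
    """Map (client_ip, user) -> peak mismatch count inside any window-long span,
    keeping only pairs at or above threshold (cached-credential replay looks
    like many failures for one user within a few seconds)."""
    by_key = defaultdict(list)
    for ts, client, user in events:
        by_key[(client, user)].append(ts)
    storms = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[key] = peak
    return storms
```

On the sample, alice's five failures within two seconds are reported while bob's single failure is not; tune the window and threshold to the site's normal mistyped-password rate before alerting on it.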
Local fix
To disable password update via basic authentication, remove or comment out these directives from the httpd configuration:

    # Remove these lines from the configuration
    AuthSAFExpiration custom-text
    AuthSAFReEnter custom-text

To inform users that their SAF password has expired, create an error page (e.g. /error/saf_expired.html) and redirect to this error page using the AuthSAFExpiredRedirect directive. The user can then update their password through an alternative way (e.g. TSO):

    # Redirect to an error page upon password expiration.
    AuthSAFExpiredRedirect /error/saf_expired.html
Problem summary
USERS AFFECTED: Users of IBM HTTP Server (powered by Apache) mod_authnz_saf on z/OS.
PROBLEM DESCRIPTION: Issues with updating SAF password via AuthSAFExpiredRedirect when using Firefox or Chrome.
RECOMMENDATION:

Users may have trouble updating their SAF password via basic authentication (provided by AuthSAFExpiredRedirect) when using either Firefox or Chrome. When using Chrome, users may not be notified when their password has expired, as Chrome no longer displays the realm in the basic authentication prompt (as of Chrome 49). Without the expired-password hint, unsuspecting users may keep getting prompted for their credentials even if they provided valid credentials, because mod_authnz_saf wants them to change their password. Firefox has a different issue where it may send several authentication requests to the server, resulting in an increase in CPU usage. The issue is known to happen if a user provides an incorrect password when mod_authnz_saf requested the user to update their password. This issue is attributed to how Firefox responds to basic authentication requests with cached credentials. These issues (and solutions) are described further here: http://publib.boulder.ibm.com/httpserv/ihsdiag/saf_expired_password.html
Problem conclusion
A password update handler 'saf-change-pw' is now included in mod_authnz_saf that allows users to change their password with a form. The saf-change-pw handler includes a default form, so users do not have to provide their own. To enable the form-based password update handler, follow the directions on this page: http://publib.boulder.ibm.com/httpserv/ihsdiag/saf_expired_password.html#form-saf-pw-update

This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.45
- 8.0.0.14
- 8.5.5.12
- 9.0.0.5
Temporary fix
Comments
APAR Information
APAR number
PI81602
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
90P
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-05-15
Closed date
2017-06-14
Last modified date
2018-02-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
03 May 2022