IBM Support

PI83890: MIGRATION IS NOT HANDLING SPNEGO SECURITY SETTINGS CORRECTLY

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After Deployment Migration (DMGR) runs, there is a  IBM version
    of SPNEGO TAI under Global Security created where one had not
    been before.  See
    com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
    
    Also, SPNEGO  is disabled and drops all the host name entries
    except 1.    What had existed was WEB Authenticator was
    enabled, and expected to stay that way after DMGR migration has
    been done.
    

Local fix

  • After DMGR migration runs, manual edits can be done by
    redefining the SPNEGO Web Authenticator settings.  Also one can
    delete the IBM version of SPNEGO TAI under Global Security
       com.ibm.ws.security spnego TrustAssociationInterceptorImpl
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.5 Migration Tooling               *
    ****************************************************************
    * PROBLEM DESCRIPTION: SPNEGO settings are not being migrated  *
    *                      properly. The default SPNEGO Trust      *
    *                      Association Interceptor is being        *
    *                      re-inserted into new profile.  Also     *
    *                      only one filter is being migrated.      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Profile Templates are inserting the default SPNEGO setting
    back into the migrated profile.   Also multiple filters are
    being collapsed into one.
    

Problem conclusion

  • If the Trust Association Interceptors have been removed or
    replaced in the old profile, cleanup those Interceptors from
    the new profile - they will have been inserted by profile
    creation.  For the filters, correct the test for equality to
    more than one field - thus preventing subsequant filters from
    being ignored during migration.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 9.0.0.5 and 8.5.5.13.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI83890

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-06-30

  • Closed date

    2017-09-11

  • Last modified date

    2017-09-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
19 October 2021