PI83890: MIGRATION IS NOT HANDLING SPNEGO SECURITY SETTINGS CORRECTLY

Fixes are available

APAR status

Closed as program error.

Error description

After Deployment Migration (DMGR) runs, there is a  IBM version
of SPNEGO TAI under Global Security created where one had not
been before.  See
com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl

Also, SPNEGO  is disabled and drops all the host name entries
except 1.    What had existed was WEB Authenticator was
enabled, and expected to stay that way after DMGR migration has
been done.

Local fix

After DMGR migration runs, manual edits can be done by
redefining the SPNEGO Web Authenticator settings.  Also one can
delete the IBM version of SPNEGO TAI under Global Security
   com.ibm.ws.security spnego TrustAssociationInterceptorImpl

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V8.5 Migration Tooling               *
****************************************************************
* PROBLEM DESCRIPTION: SPNEGO settings are not being migrated  *
*                      properly. The default SPNEGO Trust      *
*                      Association Interceptor is being        *
*                      re-inserted into new profile.  Also     *
*                      only one filter is being migrated.      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Profile Templates are inserting the default SPNEGO setting
back into the migrated profile.   Also multiple filters are
being collapsed into one.

Problem conclusion

If the Trust Association Interceptors have been removed or
replaced in the old profile, cleanup those Interceptors from
the new profile - they will have been inserted by profile
creation.  For the filters, correct the test for equality to
more than one field - thus preventing subsequant filters from
being ignored during migration.

The fix for this APAR is currently targeted for inclusion in
fix pack 9.0.0.5 and 8.5.5.13.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI83890
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-06-30
Closed date
2017-09-11
Last modified date
2017-09-11

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R850 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI83890: MIGRATION IS NOT HANDLING SPNEGO SECURITY SETTINGS CORRECTLY

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R850 PSY

Document Information

Share your feedback

Need support?