IBM Support

PI85702: SAFRUNAS %%CERTIF%% ASKS FOR BASIC AUTH CREDENTIALS

Fixes are available

9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11


APAR status

  • Closed as program error.

Error description

  • With SAFRunAs %%CERTIF%%, the server runs the request by using the
    ID associated with the SSL client certificate in SAF. If there is no
    SSL certificate, or if the SSL certificate is not associated with an
    ID in SAF, processing continues as if %%CLIENT%% had been coded. But
    in this case the server behaves as if %%CLIENT%% were coded even when
    the user ID is provided by the SSL client certificate.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server on z/OS with       *
    *                  "SAFRunAs %%CERTIF%%" in httpd.conf         *
    ****************************************************************
    * PROBLEM DESCRIPTION: A user authenticated with a TLS client  *
    *                      certificate may be prompted for HTTP    *
    *                      Basic Auth credentials.                 *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if using "SAFRunAs           *
    *                  %%CERTIF%%"                                 *
    ****************************************************************
    Under a configuration with "SAFRunAs %%CERTIF%%", a client that
    has authenticated with a TLS client certificate may see spurious
    HTTP Basic Authentication challenges when indirectly accessing
    resources stored in HFS/ZFS.
    Some types of indirect access that trigger this bug are requests
    ending in a trailing slash that depend on "DirectoryIndex"
    choosing the correct file, and Server Side Includes (SSI).
    Content in MVS datasets or served by the WAS WebServer Plug-in is
    not affected.
    

Problem conclusion

  • The mod_authnz_saf code was updated to detect when the server is
    fetching a "subrequest" resource on behalf of a "main" request that
    had already been authenticated at the connection level with a TLS
    client certificate.
    
    The update blocks the mod_auth_basic module from challenging the
    user for HTTP Basic Auth credentials.
    
    Note: z/OS APAR OA54407 is required when combining
    "SAFRunAs %%CERTIF%%" with SAFAPPLID.
    
    This fix is targeted for IBM HTTP Server fix packs:
    - 9.0.0.6
    - 8.5.5.13
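
To make the error description and the problem conclusion concrete, the following is an added Python model of the %%CERTIF%% decision for a main request and its DirectoryIndex/SSI subrequest, showing the pre-fix path beside the fixed path; it is not IBM's mod_authnz_saf code. The SAF certificate mapping, the Request fields and the function names are constructed assumptions, as is modelling the buggy subrequest as one that does not carry the connection's certificate.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed SAF certificate-to-ID mapping; stands in for the real SAF lookup.
SAF_CERT_MAP = {"CN=app-client,O=Example": "WEBUSR1"}

@dataclass
class Request:
    """Hypothetical request record; field names are assumptions."""
    uri: str
    client_cert_dn: Optional[str]          # TLS client cert seen on this request
    basic_auth_user: Optional[str] = None  # HTTP Basic credentials, if sent
    main: Optional["Request"] = None       # set on DirectoryIndex/SSI subrequests

def certif_identity(req: Request) -> Optional[str]:
    """%%CERTIF%%: the SAF ID mapped to the TLS client certificate, or None."""
    if req.client_cert_dn is None:
        return None
    return SAF_CERT_MAP.get(req.client_cert_dn)

def decide_before_fix(req: Request) -> str:
    """Pre-fix behaviour: with no certificate-derived ID the request is handled
    as if %%CLIENT%% were coded. A subrequest that does not carry the
    connection's certificate (modelled as client_cert_dn=None) is therefore
    challenged for Basic Auth."""
    ident = certif_identity(req)
    if ident:
        return f"run-as {ident}"
    if req.basic_auth_user:
        return f"run-as {req.basic_auth_user}"
    return "401 Basic challenge"

def decide_after_fix(req: Request) -> str:
    """Fixed behaviour: a subrequest whose main request was already
    authenticated with a TLS client certificate inherits that identity,
    so mod_auth_basic is never asked to challenge."""
    if req.main is not None:
        inherited = certif_identity(req.main)
        if inherited:
            return f"run-as {inherited}"
    return decide_before_fix(req)

if __name__ == "__main__":
    main_req = Request("/app/", "CN=app-client,O=Example")
    sub_req = Request("/app/index.html", None, main=main_req)
    print("before:", decide_before_fix(sub_req))  # 401 Basic challenge
    print("after: ", decide_after_fix(sub_req))   # run-as WEBUSR1
```

A certificate that SAF does not map still falls through to the %%CLIENT%% path in both versions, which is the fallback the error description calls correct.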
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI85702

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    85P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-09

  • Closed date

    2017-08-10

  • Last modified date

    2017-11-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    OA54407

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • R850 PSY

       UP


Document Information

Modified date:
04 May 2022