IBM Support

PI92942: MIGRATION CHANGES THE ORDER OF THE LOGIN MODULES IN THE SECURITY.XML FILE.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • During migration from 8.5.5.x to 9.0.0.4 the login modules
    shown in the security.xml  file are in an order that is
    different from the security.xml they were migrated with.  For
    example:
    security.xml file for 8.5.5.12:
    ------------------
    <entries xmi:id="JAASConfigurationEntry_1" alias="DEFAULT">
          <loginModules xmi:id="JAASLoginModule_1"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy" authenticationStrategy="REQUIRED">
          </loginModules>
       <loginModules xmi:id="JAASLoginModule_2"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy" authenticationStrategy="REQUIRED">
       <loginModules xmi:id="JAASLoginModule_3"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy3" authenticationStrategy="REQUIRED">
    </loginModules
    -------------------------
    9.0.0.4 security.xml after migration
    <entries xmi:id="JAASConfigurationEntry_1" alias="DEFAULT">
          <loginModules xmi:id="JAASLoginModule_2"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy" authenticationStrategy="REQUIRED">
          </loginModules>
       <loginModules xmi:id="JAASLoginModule_3"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy" authenticationStrategy="REQUIRED">
       <loginModules xmi:id="JAASLoginModule_1"
    moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WS
    LoginMod
    uleProxy3" authenticationStrategy="REQUIRED">
    </loginModules
    
     </entries>
    

Local fix

  • Manually set the order of the login modules to match the order
    that is in the old security.xml file.
    1) Go to the admin console
    2) Click Security > Global security > Java Authentication and
    Authorization Service > System logins.
    3) Select the name of the system login that needs to be
    re-orderd
    4) Re-order the login modules to match the order of the login
    modules found in their previous security.xml file.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  Configuration Migration Toolkit             *
    ****************************************************************
    * PROBLEM DESCRIPTION: Login to admin console fails after      *
    *                      migration. Order of login modules has   *
    *                      changed, or modules are missing from    *
    *                      security.xml.                           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The symptoms depend on the specific configuration, but can
    include:
    login modules are not in the correct order; login modules are in
    an
    order different from what the trace suggests the order should
    be;
    login modules with the same moduleClassName attribute as another
    in
    the same configuration entry are missing, or
    IndexOutOfBoundsException during WASPostUpgrade while trying to
    reorder login modules.
    These problems all occur because the algorithm for comparing
    login
    modules only considers moduleClassName when merging or
    rearranging
    the entries. Thus, it is possible for unintended side effects to
    occur based on that incomplete information.
    

Problem conclusion

  • Migration was adjusted to overwrite all login modules in
    security.xml with the configuration from the old environment,
    preserving login modules new to the version of WebSphere being
    migrated to. This eliminates the need to compare modules, or res
    their ordering after merging configuration.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.14 and 9.0.0.7.  Please refer to the Recommended Upda
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI92942

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-25

  • Closed date

    2018-02-05

  • Last modified date

    2018-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
19 October 2021