IBM Support

PI95381: OAUTH 2.0 CONFIGURED IN A SECURITY DOMAIN MAY FAIL TO INITIALIZE

Fixes are available

9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When configuring OAuth 2.0 to be used as a Security Domain
(instead of globally), it may not see this configuration and
the authentication may not work.

Local fix

  • Ø
You may be able to use the Security Domain OAuth2.0
configuration by doing the following (assuming your security
domain is set up with all of the required settings for OAuth2.0)

1. Navigate to Security > Global Security >
   Web and SIP security > Trust Association
2. Check off the box for "Enable trust association"
3. Press Apply
4. Click on Interceptors
5. Add the TAI class as you would normally do by clicking New
and add the class name for OAuth2.0, BUT do not add any other
parameters that you would normally add.
  Example class name: com.ibm.ws.security.oauth20.tai.OAuthTAI
6. Save the changes and restart the appserver.

Problem summary

  • ****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OAuth20.                                    *
****************************************************************
* PROBLEM DESCRIPTION: The OAuth 2.0 TAI will not accept       *
*                      requests if it is configured in a       *
*                      security domain but not in global       *
*                      security.                               *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
When the OAuth 2.0 Trust Association Interceptor (TAI),
com.ibm.ws.security.oauth20.tai.OAuthTAI, is configured in one
or more security domains, but not in global security, the
TAI will not initialize and will not accept requests.
The OAuth 2.0 TAI checks to see if it is configured before
reading in file-based configuration.  The method used to
do this only checks global security.  Therefore if the TAI
is configured in one or more security domains, but not in
global security, the TAI does initialize and does not accept
requests.

Problem conclusion

  • The OAuth 2.0 TAI is updated so that it checks for
configuration in any security domain before reading in the
file-based configureation.

The fix for this APAR is currently targeted for inclusion in
fix pack 8.5.5.14 and 9.0.0.8.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI95381
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-03-19
    • 

  • Closed date
    2018-04-15
    • 

  • Last modified date
    2018-04-15
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    

  • R850  PSY
       UP
    • 

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback