IBM Support

PI95381: OAUTH 2.0 CONFIGURED IN A SECURITY DOMAIN MAY FAIL TO INITIALIZE


APAR status

  • Closed as program error.

Error description

  • When OAuth 2.0 is configured in a security domain (instead of
    globally), the server may not see this configuration and
    authentication may not work.
    

Local fix

  • You may be able to use the security domain OAuth 2.0
    configuration by doing the following (assuming your security
    domain is set up with all of the required settings for OAuth 2.0):
    
    1. Navigate to Security > Global Security >
       Web and SIP security > Trust Association
    2. Check off the box for "Enable trust association"
    3. Press Apply
    4. Click on Interceptors
    5. Add the TAI class as you would normally do by clicking New
       and adding the class name for OAuth 2.0, BUT do not add any
       other parameters that you would normally add.
       Example class name: com.ibm.ws.security.oauth20.tai.OAuthTAI
    6. Save the changes and restart the appserver.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth20.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OAuth 2.0 TAI will not accept       *
    *                      requests if it is configured in a       *
    *                      security domain but not in global       *
    *                      security.                               *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When the OAuth 2.0 Trust Association Interceptor (TAI),
    com.ibm.ws.security.oauth20.tai.OAuthTAI, is configured in one
    or more security domains, but not in global security, the
    TAI will not initialize and will not accept requests.
    The OAuth 2.0 TAI checks to see if it is configured before
    reading in file-based configuration.  The method used to
    do this only checks global security.  Therefore, if the TAI
    is configured in one or more security domains, but not in
    global security, the TAI does not initialize and does not
    accept requests.
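
A way to check whether a cell is in the state described above, as an added example (not IBM code and not part of the APAR). It assumes the global and per-domain security configuration documents have been read into strings and that interceptors carry the class in an `interceptorClassName` attribute; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

OAUTH_TAI = "com.ibm.ws.security.oauth20.tai.OAuthTAI"  # class name from the APAR

def has_oauth_tai(config_xml):
    """True if any element in the document names the OAuth 2.0 TAI class."""
    root = ET.fromstring(config_xml)
    # Assumption: the class is stored in an interceptorClassName attribute.
    return any(el.get("interceptorClassName") == OAUTH_TAI for el in root.iter())

def affected_domains(global_xml, domain_xml_by_name):
    """Domains that configure the TAI while global security does not.

    A non-empty result is the condition under which the TAI fails to
    initialize on a level without the fix."""
    if has_oauth_tai(global_xml):
        return []  # TAI is visible in global security (e.g. local fix applied)
    return sorted(n for n, doc in domain_xml_by_name.items() if has_oauth_tai(doc))

# Constructed sample documents (not exported from a real cell).
GLOBAL_NO_TAI = """<security xmlns:xmi="urn:constructed:xmi">
  <trustAssociation xmi:id="TA_1" enabled="true"/>
</security>"""

# Global security after the local fix: class name only, no properties.
GLOBAL_BARE_TAI = """<security xmlns:xmi="urn:constructed:xmi">
  <trustAssociation xmi:id="TA_1" enabled="true">
    <interceptors xmi:id="TAI_1"
        interceptorClassName="com.ibm.ws.security.oauth20.tai.OAuthTAI"/>
  </trustAssociation>
</security>"""

DOMAIN_WITH_TAI = """<security xmlns:xmi="urn:constructed:xmi">
  <trustAssociation xmi:id="TA_2" enabled="true">
    <interceptors xmi:id="TAI_2"
        interceptorClassName="com.ibm.ws.security.oauth20.tai.OAuthTAI">
      <trustProperties xmi:id="P_1" name="constructed.property" value="x"/>
    </interceptors>
  </trustAssociation>
</security>"""

SAMPLE_DOMAINS = {"apiDomain": DOMAIN_WITH_TAI, "otherDomain": GLOBAL_NO_TAI}

if __name__ == "__main__":
    print("before local fix:", affected_domains(GLOBAL_NO_TAI, SAMPLE_DOMAINS))
    print("after local fix: ", affected_domains(GLOBAL_BARE_TAI, SAMPLE_DOMAINS))
```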
    

Problem conclusion

  • The OAuth 2.0 TAI is updated so that it checks for
    configuration in any security domain before reading in the
    file-based configuration.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.14 and 9.0.0.8.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI95381

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-19

  • Closed date

    2018-04-15

  • Last modified date

    2018-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
18 October 2021