PK97997: CWSIT0110E BUS LINK EXCEPTION WHEN SECURITY ATTRIBUTE PROPAGATION IS DISABLED

Fixes are available

APAR status

Closed as program error.

Error description

In WAS 7 (not WAS 6.0/6.1) the customer gets a CWSIT0110E Bus
Link exception when a security check between buses is performed.
This prevents messaging between buses. This only happens when
Security Attribute Propagation is disabled. The workaround is to
enable SAP.

The error is as follows:
CWSIT0110E: The security token provided by messaging engine
ClusterName.000-BusName in bus BusName failed authentication.

Local fix

Introduce the ability to return to the WebSphere Application
Server Version 6.1 behaviour -
using inter-engine authentication aliases.
At a code level:
On the server side, it seems like SIB code invokes
createTokenHolderList from OpaqueToken to deserialize incoming
token, but this token doesn't contain an LTPAToken, but just a
hash table. SIB code then invokes validateLTPAToken method with
this hashtable object, but the validation failed.

Problem summary

****************************************************************
* USERS AFFECTED:  Users of the default messaging provider for *
*                  IBM WebSphere Application Server Version 7.0*
****************************************************************
* PROBLEM DESCRIPTION: CWSIT0110E errors logged in a bus       *
*                      with multiple messaging engines, in a   *
*                      cell with Security Attribute            *
*                      Propagation disabled                    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Security Attribute Propagation (SAP) is a security feature,
enabled as part of single sign-on (SSO). It is enabled by
default, but can be manually disabled.

If SAP is disabled in WebSphere Application Server
Version 7.0, the connections created automatically between
messaging engines in a secure bus cannot be established,
and fail with CWSIT0110E errors.

The failures occur due to enhancements in the authentication
mechanism used between messaging engines in a bus in
WebSphere Application Server Version 7.0, which depend on
features of the application server that are only available
when Security Attribute Propagation is enabled.

Problem conclusion

The fix for this APAR introduces a new Service Integration Bus
custom property, that causes the bus to revert to the
Version 6.1 and earlier mechanism for authentication between
messaging engines in a bus.

Users should consider enabling Security Attribute Propagation
in preference to enabling the custom property provided in this
APAR fix. In WebSphere Application Server Version 7.0 it is
very rare for Security Attribute Propagation to introduce any
performance overhead that would outweigh the Version 7.0
improvements in the messaging engine authentication mechanism.

The custom property is created for each bus, through the
following panel in the administrative console:
Service Integration -> Buses -> <BUSNAME> -> Custom properties
Create a new custom property as follows:
Name=authentication.intrabus.mode
Value=authalias

To successfully enable the Version 6.1 and earlier mechanism
of messaging engine authentication within a bus, it is
necessary to also specify a valid inter-engine authentication
alias via the following panel:
Service Integration -> Buses -> <BUSNAME> -> Security ->
Inter-engine authentication alias

If the custom property, and an inter-engine authentication
alias, are successfully enabled each messaging engine logs the
following entry when starting a connection to another
messaging engine in the bus:
CWSIU0001I: The runtime property authentication.intrabus.mode
(Bus=BUSNAME) has been changed to value authalias.

However, if the custom property is specified without an
authentication alias, the CWSIT0110E error will continue to
occur and the following error will also be displayed:
CWSIT0073W: No intra-bus messaging engine authentication alias
is configured.

The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.9.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK97997
Reported component name
PLAT MSG COM
Reported component ID
620800101
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-10-06
Closed date
2009-11-26
Last modified date
2010-02-15

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
PLAT MSG COM
Fixed component ID
620800101

Applicable component levels

R300 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021

Tips

PK97997: CWSIT0110E BUS LINK EXCEPTION WHEN SECURITY ATTRIBUTE PROPAGATION IS DISABLED

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R300 PSY

Document Information

Share your feedback

Need support?