IBM Support

PK97997: CWSIT0110E BUS LINK EXCEPTION WHEN SECURITY ATTRIBUTE PROPAGATION IS DISABLED

Fixes are available

7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In WAS 7 (not WAS 6.0/6.1) the customer gets a CWSIT0110E Bus
    Link exception when a security check between buses is performed.
    This prevents messaging between buses. This only happens when
    Security Attribute Propagation is disabled. The workaround is to
    enable SAP.
    
    The error is as follows:
    CWSIT0110E: The security token provided by messaging engine
    ClusterName.000-BusName in bus BusName failed authentication.
    

Local fix

  • Introduce the ability to return to the WebSphere Application
    Server Version 6.1 behaviour -
    using inter-engine authentication aliases.
    At a code level:
    On the server side, it seems like SIB code invokes
    createTokenHolderList from OpaqueToken to deserialize incoming
    token, but this token doesn't contain an LTPAToken, but just a
    hash table. SIB code then invokes validateLTPAToken method with
    this hashtable object, but the validation failed.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of the default messaging provider for *
    *                  IBM WebSphere Application Server Version 7.0*
    ****************************************************************
    * PROBLEM DESCRIPTION: CWSIT0110E errors logged in a bus       *
    *                      with multiple messaging engines, in a   *
    *                      cell with Security Attribute            *
    *                      Propagation disabled                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Security Attribute Propagation (SAP) is a security feature,
    enabled as part of single sign-on (SSO). It is enabled by
    default, but can be manually disabled.
    
    If SAP is disabled in WebSphere Application Server
    Version 7.0, the connections created automatically between
    messaging engines in a secure bus cannot be established,
    and fail with CWSIT0110E errors.
    
    The failures occur due to enhancements in the authentication
    mechanism used between messaging engines in a bus in
    WebSphere Application Server Version 7.0, which depend on
    features of the application server that are only available
    when Security Attribute Propagation is enabled.
    

Problem conclusion

  • The fix for this APAR introduces a new Service Integration Bus
    custom property, that causes the bus to revert to the
    Version 6.1 and earlier mechanism for authentication between
    messaging engines in a bus.
    
    Users should consider enabling Security Attribute Propagation
    in preference to enabling the custom property provided in this
    APAR fix. In WebSphere Application Server Version 7.0 it is
    very rare for Security Attribute Propagation to introduce any
    performance overhead that would outweigh the Version 7.0
    improvements in the messaging engine authentication mechanism.
    
    The custom property is created for each bus, through the
    following panel in the administrative console:
    Service Integration -> Buses -> <BUSNAME> -> Custom properties
    Create a new custom property as follows:
    Name=authentication.intrabus.mode
    Value=authalias
    
    To successfully enable the Version 6.1 and earlier mechanism
    of messaging engine authentication within a bus, it is
    necessary to also specify a valid inter-engine authentication
    alias via the following panel:
    Service Integration -> Buses -> <BUSNAME> -> Security ->
    Inter-engine authentication alias
    
    If the custom property, and an inter-engine authentication
    alias, are successfully enabled each messaging engine logs the
    following entry when starting a connection to another
    messaging engine in the bus:
    CWSIU0001I: The runtime property authentication.intrabus.mode
    (Bus=BUSNAME) has been changed to value authalias.
    
    However, if the custom property is specified without an
    authentication alias, the CWSIT0110E error will continue to
    occur and the following error will also be displayed:
    CWSIT0073W: No intra-bus messaging engine authentication alias
    is configured.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.9.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK97997

  • Reported component name

    PLAT MSG COM

  • Reported component ID

    620800101

  • Reported release

    300

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-10-06

  • Closed date

    2009-11-26

  • Last modified date

    2010-02-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    PLAT MSG COM

  • Fixed component ID

    620800101

Applicable component levels

  • R300 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021