Fixes are available
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
After upgrading to WAS7029 and if a Custom Realm is used, it is noted that the realm value changes from the Custom Realm to the protocol_iiop_daemon_listenIPAddress. It is also noted in authorization errors: com.ibm.websphere.security.auth.WSLoginFailedException: This realm is not the current realm, nor the admin realm, nor a trusted realm: <protocol_iiop_daemon_listenIPAddress value> com.ibm.websphere.security.auth.WSLoginFailedException: The user is from a foreign realm, <protocol_iiop_daemon_listenIPAddress value>, and this foreign realm is not trusted. Current realm is <custom realm name>
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of z/OS IBM WebSphere Application * * Server V7.0, V8.0 and V8.5 * **************************************************************** * PROBLEM DESCRIPTION: realm mismatch causes * * WSLoginFailedException after * * installing Fix Packs 7.0.0.29, * * 8.0.0.6 and 8.5.0.2 * **************************************************************** * RECOMMENDATION: * **************************************************************** Installing a fixpack containing PM76462 can cause a change in the realm name used. Prior to PM76462 when using the local OS the realm name was set to the APPLDATA property set in profile SAFDFLT of the REALM class. This occurred even if the REALM class was inactive. Customer with an inactive REALM class may have configured foreign realms to recognize this realm as being trusted. After PM76462, with an inactive REALM class, the realm name is now set to <protocol_iiop_daemon_listenIPAddress value> property. This may cause the realm mismatch. com.ibm.websphere.security.auth.WSLoginFailedException: This realm is not the current realm, nor the admin realm, nor a trusted realm: myhostname Another symptom is if the customer has defined a custom realm, PM76462 will result in the custom realm setting being ignored.
Problem conclusion
PM76462 changes will be removed, reverting back to behavior pre-PM76462. Our infocenter documentation will be updated to indicate that APPLDATA property will be used regardless of whether REALM class is active or inactive. The problem described in PM76462 will be addressed in the next release of WebSphere Application Server, if there is a next release. APAR PM95128 requires changes to documentation. NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library The following update to the WebSphere Application Server Version 7.0 Information Center will be made available in January, 2014. The sixth paragraph in the topic "System Authorization Facility user registries" will be updated to read: WebSphere for z/OS localOS User Registry (SAF User Registry) implementation sets the registry realm name from the SAFDFLT profile in the REALM class when the SAFDFLT profile is defined, whether the REALM class is active or inactive. The realm name is specified as the APPLDATA property of the SAFDFLT profile. If the realm name cannot be obtained from the OS security product (such as RACF), the value specified for the protocol_iiop_daemon_listenIPAddress property is used as the realm name. For example, the value of protocol_iiop_daemon_listenIPAddress is used if the SAFDFLT profile or APPLDATA property is not defined. and the following Avoid Trouble will be added after the preceding paragraph: Avoid Trouble: Because of PE APAR, PM76462, in Version 7.0.0.29, WebSphere for z/OS localOS User Registry (SAF User Registry) implementation described in the preceding paragraph only occurs when the REALM class is active. This implementation error was corrected in Version 7.0.0.31. APAR PM95128 is currently targeted for inclusion in WebSphere Application Server Fix Packs 7.0.0.31, 8.0.0.8, and 8.5.5.2 of WebSphere Application Server. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM95128
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-08-14
Closed date
2013-11-18
Last modified date
2014-02-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R700 PSY UI13725
UP14/01/11 P F401 Ø
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
28 April 2022