PQ65204: REMOTE_USER ENVIRONMENT VARIABLE IS NULL AFTER BEING SET VIA HTTP

A fix is available

APAR status

Closed as program error.

Error description

After being set by an HTTP_set() the environment variable
REMOTE_USER is blanked out before being passed to the CGI.

Local fix

VERIFICATION STEPS:
in a VVTRACE find REMOTE_USER, first entry will be empty
after http extract then http set the remote user is filled
in, however the next find on REMOTE_USER which is in the cgi,
the remote_user will be null.
if this is your case then this apar describes your problem.

Problem summary

****************************************************************
* USERS AFFECTED: Customers who run the HTTP Server for        *
*                 OS/390 or z/OS and use CGIs and customized   *
*                 authorization/authentication functions.      *
****************************************************************
* PROBLEM DESCRIPTION: After a preexit or authorization exit   *
*                      sets the variable REMOTE_USER, the      *
*                      variable is not available to CGI        *
*                      programs, though it is available to     *
*                      GWAPI programs.                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
After a preexit or authorization function sets the variable
REMOTE_USER (a synonym for USERNAME), if the authentication
step is bypassed, the variable is not available to CGI
programs, though it is available to GWAPI programs.

Problem conclusion

The HTTP Server is modified to pass the variable REMOTE_USER
to CGI programs even if the authentication step has been
bypassed, just as it does for GWAPI programs. In addition, the
GWAPI interface is enhanced to allow setting the variables
AUTH_STRING and AUTH_TYPE, allowing more flexibility in
customized authentication and authorization functions.


The following COMPID is affected by these changes:

5697D4300 HTTP Server for OS/390 and z/OS  Version 5

PQ65204 is enhancing some documentation for the GWAPI
interface and is adding the ability for a GWAPI program to set
two variables which had previously been read-only:
AUTH_TYPE and AUTH_STRING.

The ability to set these variables will allow customers more
flexibility in implementing their own authorization and
authentication functions, since code in the HTTP Server's
authorization process depends on setting four variables:
AUTH_STRING, AUTH_TYPE, REMOTE_USER (a synonym for USERNAME),
and PASSWORD. Previously, only the last two could be set.

In general, AUTH_STRING and AUTH_TYPE are taken from the
Authorization header sent by a client.
Most commonly, the header looks similar to this:

Authorization: Basic dXNlcmlkOnBhc3N3b3Jk

Here AUTH_TYPE is "Basic", and AUTH_STRING is
"dXNlcmlkOnBhc3N3b3Jk".

It may be useful for the customer to set these values in a
preexit or in an authorization exit, if they have not been
supplied by a header from the client.
They could then be processed by either the standard
authorization-authentication code, or by the customer's
code.
If an authorization exit is used, it may call the function
HTTPD_authenticate() after setting AUTH_TYPE and AUTH_STRING.
If you use the HTTP Server's standard Basic authentication,
the AUTH_STRING must contain the userid, a colon, and the
password, in base64-encoded form.

The authentication function, whether it is the default HTTP
Basic authentication or a customer-written function, may
use the AUTH_STRING to derive the username and password, then
authenticate the user. It should set REMOTE_USER (and possibly
PASSWORD).

In the HTTP Server Planning, Installing and Using manual, for
versions 5. and 5.3, in Appendix D: Environment variables,
please move the variables AUTH_STRING and AUTH_TYPE from the
list "Variables with values that are read-only" to the list
"Variables with values that can be set or created".

In Chapter 19: Writing GWAPI Programs, in the section
"Application function prototypes", under "Authorization",
please replace this sentence:
    Only HTTPD_extract() and HTTPD_set() are valid during
    this step.
with:
    HTTPD_extract(), HTTPD_set(), HTTPD_exec(), HTTPD_file(),
    HTTPD_read(), and HTTPD_write() are valid during this
    step.

In Chapter 19: Writing GWAPI Programs, in the section
"Predefined functions and macros", under "HTTPD_read()",
please replace this sentence:
"Valid only in the PreExit, Service, and Data Filter steps."
with:
"Valid only in the PreExit, Authorization, Service, and Data
Filter steps."

In Chapter 19: Writing GWAPI Programs, in the section
"Predefined functions and macros", under "HTTPD_proxy()",
please add this sentence:
Before calling HTTPD_proxy(), use HTTPD_set() to set the
variable PROXY_METHOD. For example, set it to the value "GET".

PTF K2
The code changes are stored in CMVC under defect PQ65204

The following manuals document the new directive:
SC31-8903 LDGW 5.2 Planning, Installing, and Using
SC31-8690 IHS 5.3 Planning, Installing, and Using (for OS/390)
SC34-4826 IHS 5.3 Planning, Installing, and Using (for z/OS)

SRLS:      SC31-8903 SC31-8690 SC34-4826

For the latest documentation for the 5.x releases, please use
one of the following URLs:
http://www.ibm.com/software/websphere/httpservers/doc53.html
http://www.ibm.com/software/websphere/httpservers/doc52.html

* Cross Reference between External and Internal Names

Temporary fix

Comments

APAR Information

APAR number

PQ65204
Reported component name

DGW/WAS OS/390
Reported component ID

5697D4300
Reported release

530
Status

CLOSED PER
PE

NoPE
HIPER

NoHIPER
Special Attention

NoSpecatt / Xsystem
Submitted date

2002-08-13
Closed date

2002-09-12
Last modified date

2002-10-02

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

UQ69767

Modules/Macros

```
   IMWOHTAP IMWSDVAR IMWSENV  IMWSERVR
```

*Publications Referenced*
SC31869002	SC31869003	SC34482600

Fix information

Fixed component name

DGW/WAS OS/390
Fixed component ID

5697D4300

Applicable component levels

R520 PSY UQ69767

UP02/09/17 P F209
R530 PSY UQ69768

UP02/09/17 P F209

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF054","label":"z\/OS"}],"Version":"530","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
30 March 2021

Tips

PQ65204: REMOTE_USER ENVIRONMENT VARIABLE IS NULL AFTER BEING SET VIA HTTP_SET() AND PASSED TO A CGI.

A fix is available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R520 PSY UQ69767

R530 PSY UQ69768

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?