IBM Support

IV81011: JGSS'S CANONICALIZATION METHOD SHOULD ACCEPT STANDARD SPN.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
Application failed after upgrading to Java7 SR3.

Stack Trace, if applicable:
java.lang.Exception: No credential
        at
com.ibm.security.jgss.i18n.I18NException.throwException(I18NExce
ption.java:49)
        at
com.ibm.security.krb5.internal.TgsCredentials.acquireSvcCreds(Tg
sCredentials.java:582)
        at
com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.ja
va:1602)
        at
com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext(Krb5C
ontext.java:460)
        at
com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext(Krb5C
ontext.java:805)
        at
com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken(
SPNEGOContext.java:1146)
        at
com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext(S
PNEGOContext.java:529)
        at
com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
pl.java:382)
        at
com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
pl.java:331)

Other Error Information, as reported by customer:
N/A

Local fix

  • N/A

Problem summary

  • JGSS's canonicalization method should accept standard SPN.


ERROR DESCRIPTION:

Application failed after upgrading to Java7 SR3:


java.lang.Exception: No credential
        at
com.ibm.security.jgss.i18n.I18NException.throwException(I18NExce
ption.java:49)
        at
com.ibm.security.krb5.internal.TgsCredentials.acquireSvcCreds(Tg
sCredentials.java:582)
        at
com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.ja
va:1602)
        at
com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext(Krb5C
ontext.java:460)
        at
com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext(Krb5C
ontext.java:805)
        at
com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken(
SPNEGOContext.java:1146)
        at
com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext(S
PNEGOContext.java:529)
        at
com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
pl.java:382)
        at
com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
pl.java:331)

Problem conclusion

  • This issue was introduced by Austin CMVC defect 116871, which
makes a canolicalization call when creating a GSSNameImpl
instance.

This C14N call converts service name from service@server.fqdn to
service/server.fqdn@REALM format before initiating the context.
During initiation, another C14N is applied on the standard SPN
and results in a bad SPN. The later C14N turns out to be
unnecessary if the service name is already a standard SPN.



The corresponding Austin defect is 117151.
The corresponding RTC Problem Report is 107257.

Platform affected: All platforms.
JVMs affected: 6.0, 6.26, 7.0, 7.27, and 8.0.
Jars affected: ibmjgssprovider.jar.
The fix will be available in 160_SR16_FP25, 626_SR8_FP25,
170_SR9_FP40, 727_SR3_FP40, 180_SR3.
Build level is 20160202.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IV81011
    • 

  • Reported component name
    TIV JAVA GSS-AP
    • 

  • Reported component ID
    TIVSECJGS
    • 

  • Reported release
    100
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-01-29
    • 

  • Closed date
    2016-02-04
    • 

  • Last modified date
    2016-02-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    TIV JAVA GSS-AP
    • 

  • Fixed component ID
    TIVSECJGS
    • 



Applicable component levels


    

  • R100  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL44","label":"JGSS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 February 2016
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback