Direct links to fixes
5.1.0-TIV-TAM-IF0043-WIN
5.1.0-TIV-TAM-IF0043-LIN
5.1.0-TIV-TAM-IF0043-PPC
5.1.0-TIV-TAM-IF0043-SOL
5.1.0-TIV-TAM-IF0043-S390
5.1.0-TIV-TAM-IF0043-HP
5.1.0-TIV-TAM-IF0043-AIX
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0039
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0.39-TIV-AWS-IF0040
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0041
Tivoli Access Manager for e-Business WebSEAL, Patch 5.1.0-TIV-AWS-FP0042
APAR status
Closed as new function.
Error description
If the application sends a cookie, WebSEAL will prepend to that cookie a string that contains the junction name and a '/' (slash) character. This character is not according to the RFC standards for HTTP 1.1 (RFC 2616) or the HTTP State Management Mechanism (RFC 2109). We are aware that there is a workaround for this suggested in the Fixpack Documentation that suggests configuring the specific cookie in the preserve-cookie-names stanza of webseald.conf. However, that causes the cookie path to be set to '/', resulting in a situation where two different services using the same session cookie will not function properly, as their cookies will overwrite each other. This is especially problematic with J2EE applications, which generally always use the session cookie named JSESSIONID. Therefore, the original problem of illegal characters in the cookie name remains. How can we resolve this issue so that we maintain the JSESSION-ID cookie path=/desktop/wps as expected, or remove this "/" slash being written in the cookie-name?
Local fix
Problem summary
When accessing a junction created with the -j option, WebSEAL "mangles" the cookie's NAME attribute, providing a unique stamp for every junction. Unfortunately the mangling includes the "/" character as part of the junction name--which is illegal per RFC 2616 and 2109. An example cookie looks like this, after mangling:

    AMWEBJCT!/jct1!cookie1=test1

Before sending the cookie to the junctioned application, WebSEAL "demangles" the cookie, so it looks like this:

    cookie1=test
Problem conclusion
Fixed in 4.1-AWS-0008LA. This fix introduces a new optional parameter to the junction stanza of webseald.conf, "encode-mangled-cookienames". With this parameter set to "yes", WebSEAL will mangle the cookie in a manner to contain only legal characters:

    AMWEBJCT!%2Fjct1!cookie1=test1
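The two name formats above can be checked against the RFC 2616 token grammar with the following added example, which is not WebSEAL code and not part of the original APAR. The function names are hypothetical, and percent-encoding of the junction name is an assumption inferred from the "%2F" in the fixed example.

```python
# Added illustration: models the cookie-name formats shown in this APAR.
# Not WebSEAL code; all function names here are hypothetical.
from urllib.parse import quote, unquote

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
PREFIX = "AMWEBJCT"  # stamp seen in the APAR's example cookies


def is_rfc2616_token(name):
    """True if name is a legal token, as RFC 2109 requires of a cookie NAME."""
    return bool(name) and all(
        32 < ord(c) < 127 and c not in SEPARATORS for c in name
    )


def illegal_chars(name):
    """Characters in name that the token grammar forbids."""
    return sorted({c for c in name if not is_rfc2616_token(c)})


def mangle(junction, name, encode=False):
    """Build PREFIX!junction!name.

    encode=True models encode-mangled-cookienames = yes (assumed to be
    percent-encoding of the junction name, as in AMWEBJCT!%2Fjct1!cookie1).
    """
    jct = quote(junction, safe="") if encode else junction
    return f"{PREFIX}!{jct}!{name}"


def demangle(mangled):
    """Return (junction, original name), or None if the name is not mangled."""
    parts = mangled.split("!", 2)
    if len(parts) != 3 or parts[0] != PREFIX:
        return None
    return unquote(parts[1]), parts[2]


if __name__ == "__main__":
    # Constructed sample: the junction and cookie name from the APAR text.
    for encode in (False, True):
        n = mangle("/jct1", "cookie1", encode)
        print(n, "legal" if is_rfc2616_token(n) else f"illegal {illegal_chars(n)}")
```
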
Temporary fix
Comments
APAR Information
APAR number
IY50317
Reported component name
ACCESS MGR E-BU
Reported component ID
5724C0800
Reported release
410
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2003-10-30
Closed date
2003-12-19
Last modified date
2004-10-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
ACCESS MGR E-BU
Fixed component ID
5724C0800
Applicable component levels
R410 PSY
UP
Document Information
Modified date:
29 December 2021