APAR status
Closed as program error.
Error description
When using an AAA action configured for "Validate a Kerberos AP-REQ for the Correct Server Principal" authentication with a value specified for the optional 'Kerberos Principal Name' (KPN) parameter (visible from the Object's menu), DataPower does not properly compare the Server Principal Name (SPN) from the incoming AP_REQ to the SPN in the configuration. As a result, a client may pass authentication even if the server named in its AP_REQ does not match the server in the configured keytab or SPN. This only affects cases where the client has a Kerberos AP_REQ token for a server with the same keytab password and KVNO.
Local fix
Do not specify a value for 'Kerberos Principal Name'.
Problem summary
If a Service Principal Name is configured (in the AAA action or while using Kerberos extension functions), DataPower may not validate the SPN correctly in some cases.
Problem conclusion
DataPower now correctly validates the configured SPN against the SPN in the ticket in all cases.
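The following is an added example, not DataPower code and not part of the original APAR: a simplified model of why a ticket for a different server can pass when two service principals share a password and KVNO, next to a validator that also compares the server name. The ticket layout, the unsalted key derivation, the MAC standing in for ticket encryption, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def service_key(password: str) -> bytes:
    # Assumption: unsalted password-to-key step, so two principals that share
    # a password also share a key (the precondition the APAR describes).
    return hashlib.sha256(password.encode()).digest()

def issue_ticket(sname: str, client: str, kvno: int, key: bytes) -> dict:
    # Constructed ticket model: a keyed MAC stands in for the encrypted part.
    body = json.dumps({"sname": sname, "client": client, "kvno": kvno}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def open_ticket(ticket: dict, keytab: dict):
    # Key is selected by KVNO only; returns the ticket fields if the key verifies.
    fields = json.loads(ticket["body"])
    key = keytab.get(fields["kvno"])
    if key is None:
        return None
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    return fields if hmac.compare_digest(expected, ticket["tag"]) else None

def validate_key_only(ticket: dict, keytab: dict, configured_spn: str) -> bool:
    # Model of the reported effect: configured_spn is supplied but never compared.
    return open_ticket(ticket, keytab) is not None

def validate_with_spn(ticket: dict, keytab: dict, configured_spn: str) -> bool:
    # Corrected form: the key must verify AND the ticket's server name must match.
    fields = open_ticket(ticket, keytab)
    return fields is not None and fields["sname"] == configured_spn

# Constructed sample data: two services sharing one password and KVNO.
CONFIGURED_SPN = "HTTP/gateway.example.com@EXAMPLE.COM"
OTHER_SPN = "HTTP/other.example.com@EXAMPLE.COM"
KVNO = 3
SHARED_KEY = service_key("constructed-shared-password")
KEYTAB = {KVNO: SHARED_KEY}
GOOD = issue_ticket(CONFIGURED_SPN, "alice@EXAMPLE.COM", KVNO, SHARED_KEY)
WRONG_SERVER = issue_ticket(OTHER_SPN, "alice@EXAMPLE.COM", KVNO, SHARED_KEY)
UNRELATED = issue_ticket(OTHER_SPN, "alice@EXAMPLE.COM", KVNO, service_key("different"))

if __name__ == "__main__":
    for name, t in [("good", GOOD), ("wrong server", WRONG_SERVER), ("unrelated key", UNRELATED)]:
        print(name, validate_key_only(t, KEYTAB, CONFIGURED_SPN),
              validate_with_spn(t, KEYTAB, CONFIGURED_SPN))
```

Giving each service principal its own password removes the shared-key precondition, which is why the issue is limited to services that share a keytab password and KVNO.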
Temporary fix
Comments
APAR Information
APAR number
IC71568
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
380
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-09-30
Closed date
2010-12-02
Last modified date
2010-12-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R373 PSY
UP
R380 PSY
UP
R381 PSY
UP
Document Information
Modified date:
11 February 2022