APAR status
Closed as program error.
Error description
When WebSphere Application Server is the consumer of SPNEGO tokens generated by a DataPower appliance, the following error may occur:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
This error is caused by the SDK fix that accompanied fix pack levels 6.1.0.35 and 7.0.0.15 and later of WebSphere Application Server: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ86679
For additional information, refer to: http://www-01.ibm.com/support/docview.wss?uid=swg21501903
Local fix
The IZ86679 fix is contained in ibmjgssprovider.jar, located at \was_install_dir\java\jre\lib\ibmjgssprovider.jar. Using this jar from a previous fix pack level can alleviate the error, but it also reopens the security exposure CVE-2010-1321 that APAR IZ86679 closed, so this workaround should be evaluated with respect to the customer environment.
Problem summary
This APAR adds two new properties to the Kerberos Keytab configuration, one of which must be set for DataPower compatibility with WebSphere Application Server fix pack levels after delivery of JDK fix IZ86679 in 6.1.0.35 and 7.0.0.15. The first property, "Generate GSS-API Checksum in AP-REQ", defaults to off. Enable this property to generate an SPNEGO token that is compatible with the identified fix pack levels of WebSphere Application Server. The second property, "GSS-API Checksum Flags", is optional and can typically be left at its default setting. You might need to modify the bitmap for compatibility with other Kerberos GSS-API endpoints that require specific checksum flag values. The new properties are documented in the online help and the information center.
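For troubleshooting, the following added example (not IBM or DataPower code) builds and validates the GSS-API checksum field that RFC 4121 section 4.1.1 defines for the AP-REQ authenticator. It assumes the two properties above correspond to that checksum (type 0x8003) and its Flags bitmap; the function names are hypothetical.

```python
import struct

GSS_CKSUM_TYPE = 0x8003  # authenticator checksum type, RFC 4121 section 4.1.1

# Context-establishment flags defined by RFC 4121 for the Flags field.
FLAGS = {
    0x01: "GSS_C_DELEG_FLAG",
    0x02: "GSS_C_MUTUAL_FLAG",
    0x04: "GSS_C_REPLAY_FLAG",
    0x08: "GSS_C_SEQUENCE_FLAG",
    0x10: "GSS_C_CONF_FLAG",
    0x20: "GSS_C_INTEG_FLAG",
}


def build_gss_checksum(flags, bindings_md5=b"\x00" * 16):
    """Return the 24-byte field: Lgth(4) | Bnd(16) | Flags(4), little-endian."""
    if len(bindings_md5) != 16:
        raise ValueError("Bnd must be 16 bytes (MD5 of channel bindings or zeros)")
    return struct.pack("<I", 16) + bindings_md5 + struct.pack("<I", flags)


def parse_gss_checksum(cksum_type, data):
    """Check the field the way a strict acceptor might and decode the flags."""
    if cksum_type is None or data is None:
        raise ValueError("authenticator carries no checksum")
    if cksum_type != GSS_CKSUM_TYPE:
        raise ValueError("checksum type is not 0x8003: %#x" % cksum_type)
    if len(data) < 24:
        raise ValueError("checksum field shorter than 24 bytes")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != 16:
        raise ValueError("Lgth must be 16, got %d" % lgth)
    (flags,) = struct.unpack_from("<I", data, 20)
    return {
        "bindings": data[4:20],
        "flags": flags,
        "names": [name for bit, name in sorted(FLAGS.items()) if flags & bit],
        "unknown_bits": flags & ~sum(FLAGS),  # bits outside the RFC 4121 table
    }


if __name__ == "__main__":
    # Constructed sample: mutual authentication plus integrity, no bindings.
    field = build_gss_checksum(0x02 | 0x20)
    print(field.hex())
    print(parse_gss_checksum(GSS_CKSUM_TYPE, field))
```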
Problem conclusion
The fix will be in 3.8.0.14, 3.8.1.14, 3.8.2.5, and 4.0.1.2.
Temporary fix
Comments
APAR Information
APAR number
IC76698
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
381
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-06-01
Closed date
2011-07-28
Last modified date
2011-08-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R381 PSY
UP
R382 PSY
UP
R401 PSY
UP
Document Information
Modified date:
11 February 2022