APAR status
Closed as program error.
Error description
Error Message: BAD TGS SERVER INSTANCE . Stack Trace: major string: General failure, unspecified at GSSAPI level minor string: Error: java.lang.Exception: Error: com.ibm.security.krb5.KrbException, status code: 35 message: BAD TGS SERVER INSTANCE<CSB><CSB>' naming exception occurred during processing. at com.ibm.ws.wim.adapter.ldap.LdapConnection.reCreateDirContext(Ld apConnection.java:1005) at com.ibm.ws.wim.adapter.ldap.LdapConnection.getAttributes(LdapCon nection.java:1311) at com.ibm.ws.wim.adapter.ldap.LdapConnection.checkAttributesCache( LdapConnection.java:1627) at com.ibm.ws.wim.adapter.ldap.LdapConnection.getEntityByIdentifier (LdapConnection.java:3108) at com.ibm.ws.wim.adapter.ldap.LdapConnection.getEntityByIdentifier (LdapConnection.java:3011) at com.ibm.ws.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:165 6) at com.ibm.ws.wim.ProfileManager.retrieveEntityFromRepository(Profi leManager.java:2836) at com.ibm.ws.wim.ProfileManager.retrieveEntity(ProfileManager.java :2949) at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1632) at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(Profil eManager.java:380) at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:438) at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:3 85) at com.ibm.ws.wim.registry.util.BridgeUtils.getEntityByIdentifier(B ridgeUtils.java:636) at com.ibm.ws.wim.registry.util.MembershipBridge.getUniqueGroupIds( MembershipBridge.java:595) at com.ibm.ws.wim.registry.WIMUserRegistry$12.run(WIMUserRegistry.j ava:1126) at com.ibm.ws.wim.registry.WIMUserRegistry$12.run(WIMUserRegistry.j ava:1115) at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManager Impl.java:5568) at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextM anagerImpl.java:5694) at com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager.runAsSupe rUser(JACCSecurityManager.java:438) at com.ibm.ws.wim.env.was.JACCAuthorizationService.runAsSuperUser(J ACCAuthorizationService.java:1086) at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperU ser(ProfileSecurityManager.java:285) at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueGroupIds(WIMUse rRegistry.java:1114) at com.ibm.ws.security.registry.UserRegistryImpl.createCredentialIn ternal(UserRegistryImpl.java:926) at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(U serRegistryImpl.java:833) at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginMod ule.java:804) at sun.reflect.GeneratedMethodAccessor510.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod AccessorImpl.java:55) at java.lang.reflect.Method.invoke(Method.java:508) at javax.security.auth.login.LoginContext.invoke(LoginContext.java: 788) .
Local fix
N/A
Problem summary
Customer is corrupting the JGSS/Kerberos credential cache file with an invalid cross-realm referral TGT entry to facilitate cross-realm authentication between Windows (MSAD), and non-Windows Kerberos (Linux, MIT) in a non-compliant way.
Problem conclusion
The code that reads the entries from the credentials cache has been modified to recognize an invalid referral TGT, and ignore it. The associated Hursley RTC Problem Report is 150120 The associated Austin GIT defect is IBMJGSS 79 JVMs affected: Java 8.0 The fix was delivered for Java 8 sr8 fp20 The affected jar is "ibmjgssprovider.jar". The build level of this jar for the affected releases is Java 8 build_20231031--82 . This APAR will be fixed in the following Releases: . IBM SDK, Java Technology Edition 8 SR8 FP20 (8.0.8.20) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
Comments
APAR Information
APAR number
IJ49090
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-03
Closed date
2023-11-03
Last modified date
2023-11-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
04 November 2023