APAR status
Closed as program error.
Error description
Error Message: N/A . Stack Trace: N/A .
Local fix
N/A
Problem summary
Support for Kerberos Cross-Realm Referrals (RFC 6806) is added: The Kerberos client is enhanced with support for principal name canonicalization and cross-realm referrals, as defined by the RFC6806 protocol extension. The Kerberos client can now take advantage of more dynamic environment configurations, and does not necessarily need to know in advance how to reach the realm of a target principal (user or service). Support is enabled by default and the maximum number of referral hops allowed is set to 5. To disable it, set the com.ibm.security.krb5.disableReferrals security, or system property to false. To configure a custom maximum number of referral hops, set the com.ibm.security.krb5.maxReferrals security, or system property to any positive value. Note: The com.ibm.security.krb5.disableReferrals and com.ibm.security.krb5.maxReferrals Java? Generic Security Service (JGSS) configuration options can be set statically in the java.security file as a security property, or dynamically at runtime as a system property. Support for the canonicalize flag in krb5.conf is added: The Kerberos implementation now supports the canonicalize flag in the krb5.conf file. When set to true, RFC6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, by default it is not requested. Support for Cross-Realm Kerberos MS-SFU Extensions is added: The support for the Kerberos MS-SFU extensions is now extended to cross-realm environments through the addition of resource-based constrained delegation support. By using the Kerberos cross-realm referrals enhancement, the S4U2Self and S4U2Proxy extensions might be used to impersonate user and service principals that are located on different realms.
Problem conclusion
The files affected by this APAR are: ibmjgssprovider.jar (Java 8: build_20230719-53). The associated Hursley RTC Problem Report is: PR149485, and PR149488. The associated Austin Git issue is: Issue #35 for IBMJGSS. The associated Austin APAR issue is: N/A. . This APAR will be fixed in the following Releases: . IBM SDK, Java Technology Edition 8 SR8 FP15 (8.0.8.15) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
N/A
Comments
APAR Information
APAR number
IJ49092
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-03
Closed date
2023-11-03
Last modified date
2023-11-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
04 November 2023