APAR status
Closed as documentation error.
Error description
This APAR describes the issues that customers encountered with IBM WebSphere Application Server Version 8.5.5. These issues were resolved as knowledge center updates in September, 2018.
Local fix
N/A
Problem summary
USERS AFFECTED: This APAR provides a cumulative list of the documentation issues for Sept. 2018 that affect users of IBM WebSphere Application Server Version 8.5.

PROBLEM DESCRIPTION: The Knowledge Centers for WebSphere Application Server Version 8.5 need to reflect customer enhancement requests received in problem management records (PMRs). These enhancements can include fixing technical inaccuracies or clarifying vague information.

RECOMMENDATION:

See the Problem conclusion section for a description of the issues, which are described in customer PMRs, and the documentation change or changes that will address these issues.
Problem conclusion
Note: As we update our knowledge centers, the following Version 8.5 modifications will be available. To access the latest on-line documentation, go to the product library page at http://www.ibm.com/software/webservers/appserv/library and select the version and product that is appropriate for your WebSphere Application Server environment.

The following Version 8.5 issues will be addressed:

ID: 258142 (RTC) and PH02745
Problem: The knowledge center does not include information on managing or updating certificates in the unmanaged /etc key stores.
Resolution: Specifically, 3 topics will be updated:

1. Quality of protection (QoP) settings
The Client authentication section adds the following:
Keep in mind that client commands, such as the stopServer or wsadmin command, get their SSL configuration from the ssl.client.props file. If clientAuthentication is required by the server, then users must make sure that a valid client certificate exists in the keystore specified in the ssl.client.props file, which is (profile)/etc/key.p12 by default. For more information about maintaining a valid certificate in the keystore, refer to https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/csec_ssl_clientauth.html

2. Secure Sockets Layer client certificate authentication
The following is added to the section entitled Clients:
Note: It is best practice to manage server keystores and client keystores separately. However, if you do wish to manage the client keystore in the administrative console with the server keystores, you can create a keystore configuration that points to the local client keystore. Keep in mind that the Certificate Expiration Monitor does not monitor the client keystore.

3. Certificate expiration monitoring in SSL
The following note is added to the section entitled Certificate expiration monitoring in SSL:
Note: The Certificate Expiration Monitor covers keystores under the Server configuration. A client keystore such as (profile)/etc/key.p12 is not monitored.
This update also applies to V9.0 of the knowledge center.
------
ID: 258237 (RTC) and 788577
Problem: There are two EJB container system properties that are not documented in the knowledge center and can be useful to customers.
Resolution: Topic, EJB container system properties, is updated with the two missing properties and they read:

com.ibm.websphere.ejbcontainer.blockWorkUntilAppStarted
This property allows the user to specify that incoming EJB requests should be blocked until an application is fully started. This behavior is required by the EJB specification for applications with @Startup singleton beans, but for backward compatibility, this behavior is not the default for applications without a @Startup bean. When this property is set to the value true, all incoming EJB requests, both local calls within the server process as well as remote calls from a client, will be blocked and wait until the application is fully started before proceeding. The duration of the block may be adjusted with the related property, com.ibm.websphere.ejbcontainer.blockWorkUntilAppStartedWaitTime. If the application has not started within the duration of the block wait time, then the request will be rejected with ApplicationNotStartedException. The default block duration is 120 seconds. The setting of this property is applied to all EJB applications without a @Startup singleton bean in the server process, and the default is false. Applications with an @Startup singleton bean will always block incoming work before the application is fully started, regardless of this property setting.

com.ibm.websphere.ejbcontainer.blockWorkUntilAppStartedWaitTime
This property allows the user to specify how long external requests should be blocked while an application is starting. If the application does not start in the specified duration, then requests will be rejected with ApplicationNotStartedException.
External requests include both local calls within the server process as well as remote calls from a client. Local calls performed as part of application initialization are allowed; for example, calls from the @PostConstruct method of an @Startup singleton bean are allowed. This property is applicable to all EJB applications containing @Startup singleton beans, and all other applications if the related property, com.ibm.websphere.ejbcontainer.blockWorkUntilAppStarted, is enabled. The value is specified in seconds. If the value is 0, then external requests will be immediately rejected until the application is fully started.
Property values: any non-negative integer value (default 120)

This update also applies to V9.0 of the knowledge center.
------
ID: 788659
Problem: We are trying to configure SSO for the ODM application running on WebSphere Application Server. Customer gets errors and cannot proceed. The topic, Enabling SAML SP-Initiated web single sign-on (SSO), is missing critical information that would help the customer complete their configuration successfully.
Resolution: Topic, Enabling SAML SP-Initiated web single sign-on (SSO), is updated with the following:

(1) The following information is added to Step 1 of the procedure:
-- The com.ibm.wsspi.security.web.saml.AuthnRequestProvider class is found in the was_public.jar file in the (was_home)/dev directory.
-- The com.ibm.ws.wssecurity.saml.common.util.UTC class used in this sample can be found in the (was_home)/plugins directory.

(2) Import statements are missing from the presented example. For this example, the following is added to the beginning of the example:

    import java.util.ArrayList;
    import java.util.HashMap;
    import javax.servlet.http.HttpServletRequest;
    import com.ibm.websphere.security.NotImplementedException;
    import com.ibm.ws.wssecurity.saml.common.util.UTC;
    import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;
    .........

(3) In the provided example, the String authnMessage = assignment has an erroneous IssueInstant parameter. The correct parameter now reads:

    + "IssueInstant=\"" +UTC.format(new java.util.Date())+ "\" ForceAuthn=\"false\" IsPassive=\"false\""

(4) Just before the end of the provided example, the following is added:

    private String generateRandom() {
        //implement code that generates a random alpha numeric String that is unique
        //each time it is invoked and cannot be easily predicted (like a counter)
    }

-------
ID: 788812
Problem: The customer was unable to complete the WCT command line parameters to create the web server definition because the parameters documented in the Knowledge center were incorrect.
Resolution: Topic, Configuring a web server plug-in using the pct tool, is updated as follows:

1. ihsAdminUserGroup is removed from the "Parameters of the pct tool" table.

2. The following is added to the Advanced parameters (available in silent installations only) table:
Parameter: ihsAdminCreateUserAndGroup
Specifies whether to use an existing Unix user ID and group or whether to create a new one. This value is required only if the 'ihsAdminPort' parameter is set and is used in combination with the 'ihsAdminUnixUserID' and 'ihsAdminUnixUserGroup' parameters.
Values:
true: Will create a new Unix user and group that was defined with the 'ihsAdminUnixUserID' and the 'ihsAdminUnixUserGroup' parameters.
false: Will use the existing Unix user and group that was defined with the 'ihsAdminUnixUserID' and the 'ihsAdminUnixUserGroup' parameters. Please ensure that the user and group values are valid.

3. The following is added to the Advanced parameters (available in silent installations only) table:
Parameter: ihsAdminUnixUserID
The user ID to be used with the IHS Administrative Server on Unix. This value is required only if the 'ihsAdminPort' parameter is set and is used in combination with the 'ihsAdminUnixUserGroup' and 'ihsAdminCreateUserAndGroup' parameters.
Values: The Unix user ID that will be used with the IHS Administrative Server

4. The following is added to the Advanced parameters (available in silent installations only) table:
Parameter: ihsAdminUnixUserGroup
The name of the Unix user group that is to be used when configuring the IHS Administrative Server. This value is required only if the 'ihsAdminPort' parameter is set and is used in combination with the 'ihsAdminUnixUserID' and 'ihsAdminCreateUserAndGroup' parameters.
Values: The Unix group of the Unix user ID that will be used with the IHS Administrative Server

This update also applies to V9.0 of the knowledge center.
-----
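Added example for ID 258142 above (not part of this APAR or of IBM's documentation): because the Certificate Expiration Monitor does not cover a client keystore such as (profile)/etc/key.p12, a scheduled job can list the certificates in that file and flag those close to expiry. The class name, the KEYSTORE_PASSWORD environment variable and the 30-day default window are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public final class ClientKeystoreExpiryCheck {

    /** Returns how many certificates have expired or expire within warnDays of now. */
    static int check(KeyStore ks, int warnDays, Date now) throws Exception {
        long limit = now.getTime() + warnDays * 86400000L;
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this is the end-entity certificate of the chain.
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            Date notAfter = ((X509Certificate) c).getNotAfter();
            boolean soon = notAfter.getTime() <= limit;
            System.out.printf("%-8s alias=%s notAfter=%s%n",
                    soon ? "EXPIRING" : "ok", alias, notAfter);
            if (soon) {
                flagged++;
            }
        }
        return flagged;
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD"); // assumption: password passed via env
        if (args.length < 1 || pw == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java ClientKeystoreExpiryCheck <key.p12> [warnDays]");
            System.exit(2);
        }
        int warnDays = args.length > 1 ? Integer.parseInt(args[1]) : 30;
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, pw.toCharArray());
        } finally {
            in.close();
        }
        // Non-zero exit status lets cron or a monitoring agent raise an alert.
        System.exit(check(ks, warnDays, new Date()) == 0 ? 0 : 1);
    }
}
```

The exit status is 0 when nothing is flagged, 1 when at least one certificate is inside the warning window, and 2 on a usage error.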
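Added example for item (4) of ID 788659 above (not IBM's code and not part of the knowledge center sample): one way to fill in the generateRandom() stub so that the value is unique and unpredictable, assuming the returned string is used as the ID attribute of the SAML AuthnRequest. The class name and the "id" prefix are choices made for this sketch.

```java
import java.security.SecureRandom;

public final class SamlRequestId {
    // A single shared SecureRandom is thread-safe and draws from the platform CSPRNG.
    // java.util.Random, counters and timestamps are predictable and do not meet the
    // "cannot be easily predicted" requirement stated in the stub's comment.
    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    static String generateRandom() {
        byte[] buf = new byte[20]; // 160 random bits
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(2 + buf.length * 2);
        // A SAML ID is an xs:ID, which must not begin with a digit, so lead with letters.
        sb.append("id");
        for (byte b : buf) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.toString(); // alphanumeric only, 42 characters
    }

    public static void main(String[] args) {
        String a = generateRandom();
        String b = generateRandom();
        System.out.println(a);
        System.out.println(b);
        // Sanity checks: expected shape, and two calls never return the same value.
        if (!a.matches("id[0-9a-f]{40}") || a.equals(b)) {
            throw new AssertionError("unexpected identifier");
        }
    }
}
```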
Temporary fix
Comments
APAR Information
APAR number
PH02745
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-09-13
Closed date
2018-09-27
Last modified date
2022-06-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
07 June 2022