APAR status
Closed as program error.
Error description
When the administrative console is protected with a TAI, such as OIDC, a login to the console is performed through the OpenID provider. This works fine if the user enters a good username and password. However, if the login fails, or if the user does not have the authorization to use the administrative console, the console redirects to loginError.jsp. loginError.jsp is an unprotected page that has the username and password fields and error text. The username and password fields expected on this page are the WebSphere registry username and password, not those of the OpenID provider. The console should never display its own login page when it is protected by a TAI. There is a JVM custom property called adminconsole.certLogin. The adminconsole.certLogin property tells the console to display just an error page and not the username and password page. However, the error on the page is specific to certificate login. A new page is needed that is more generic so that it can be used when the console is protected by a TAI.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Administrative Console               *
****************************************************************
* PROBLEM DESCRIPTION: When the console is protected with a    *
*                      TAI and login errors occur, the console *
*                      should not redirect to its own          *
*                      loginError page                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When the administrative console is protected with a TAI, such as OIDC, a login to the console is performed through the OpenID provider. This works fine if the user enters a good username and password. However, if the login fails, or if the user does not have the authorization to use the administrative console, the console redirects to loginError.jsp. The loginError.jsp is an unprotected page that has the username and password fields and error text. The username and password fields expected on this page are the WebSphere registry username and password, not those of the OpenID provider. The console should never display its own login page when it is protected by a TAI, and it should not have username and password fields.
Problem conclusion
A new JVM custom property, adminconsole.ssoLogin, was added to tell the console when an alternate form of login (SSO login) is configured. When this property is set to true, the console will not display the WebSphere user registry username and password fields, and it will display an appropriate error message in logon.jsp and logonError.jsp. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.25 and 9.0.5.18. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
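As an added illustration (not IBM's code and not a tool that ships with WebSphere), the following Python script models the behaviour this APAR describes so an administrator can check a server's JVM custom properties against it: it reads the systemProperties entries under jvmEntries in a server.xml-style document (that layout is assumed here), then reports which error page the console would fall back to and whether that page exposes registry username and password fields. The two XML documents are constructed samples, and the tai_protected flag is supplied by the operator rather than parsed from security.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jvmEntries/systemProperties layout of a
# WebSphere server.xml. Hand-written for this illustration, not a real file.
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<process:Server xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi"
                xmlns:processexec="http://www.ibm.com/websphere/appserver/schemas/5.0/processexec.xmi"
                xmlns:xmi="http://www.omg.org/XMI" name="server1">
  <processDefinitions xmi:type="processexec:JavaProcessDef">
    <jvmEntries>
      <systemProperties name="com.example.unrelated" value="x"/>
      {extra}
    </jvmEntries>
  </processDefinitions>
</process:Server>
"""

# Before the fix: console is behind an OIDC TAI but no console login property is set.
SAMPLE_BEFORE = _TEMPLATE.format(extra="")
# After the fix: adminconsole.ssoLogin=true tells the console SSO login is configured.
SAMPLE_AFTER = _TEMPLATE.format(
    extra='<systemProperties name="adminconsole.ssoLogin" value="true"/>')


def jvm_custom_properties(server_xml: str) -> dict:
    """Collect name -> value for every systemProperties entry under jvmEntries."""
    root = ET.fromstring(server_xml)
    props = {}
    for jvm in root.iter("jvmEntries"):
        for prop in jvm.iter("systemProperties"):
            name = prop.get("name")
            if name:
                props[name] = (prop.get("value") or "").strip()
    return props


def _is_true(value: str) -> bool:
    return value.lower() == "true"


def console_error_behaviour(props: dict, tai_protected: bool) -> dict:
    """Model of the page the console shows after a failed or unauthorized login,
    as described in APAR PH55437. Returns the page name, whether that page
    carries WebSphere registry username/password fields, and a finding text
    when the configuration matches the problem the APAR fixes."""
    sso_login = _is_true(props.get("adminconsole.ssoLogin", ""))
    cert_login = _is_true(props.get("adminconsole.certLogin", ""))

    if sso_login:
        # Fixed behaviour: generic error text, no registry credential fields.
        return {"page": "logonError.jsp", "credential_fields": False, "finding": None}
    if cert_login:
        # Pre-existing property: error-only page, but its text is specific to
        # certificate login, so it is a poor fit for a TAI-protected console.
        return {"page": "error page (certificate login text)", "credential_fields": False,
                "finding": "adminconsole.certLogin suppresses the fields but shows "
                           "certificate-specific text; prefer adminconsole.ssoLogin=true"}
    if tai_protected:
        # The problem case: console behind a TAI falls back to its own
        # unprotected login error page with registry credential fields.
        return {"page": "loginError.jsp", "credential_fields": True,
                "finding": "console is TAI-protected but adminconsole.ssoLogin is not "
                           "true; failed logins fall back to loginError.jsp with "
                           "WebSphere registry username/password fields (PH55437)"}
    # No TAI: the registry login page is the expected behaviour.
    return {"page": "loginError.jsp", "credential_fields": True, "finding": None}


def assess(server_xml: str, tai_protected: bool) -> dict:
    """Parse a server.xml document and evaluate it with the model above."""
    return console_error_behaviour(jvm_custom_properties(server_xml), tai_protected)


if __name__ == "__main__":
    for label, doc in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        result = assess(doc, tai_protected=True)
        print(f"{label}: page={result['page']} "
              f"credential_fields={result['credential_fields']} "
              f"finding={result['finding']}")
```

Run against the real file (for example, profile_root/config/cells/cell/nodes/node/servers/server1/server.xml, path assumed) after setting the property and restarting, and confirm the script reports logonError.jsp with no credential fields.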
Temporary fix
Comments
APAR Information
APAR number
PH55437
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-06-27
Closed date
2023-11-27
Last modified date
2023-11-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Business Unit: BU059 (IBM Software w/o TPS)
Product: SSEQTP (WebSphere Application Server)
Platform: PF025 (Platform Independent)
Version: 8.5
Line of Business: LOB45 (Automation)
Document Information
Modified date:
04 December 2023