IBM Support

PH55995: FORM BASED LOGIN OR OTHER LTPA AUTHENTICATION FAILS ON JAVA 11 ON Z/OS WHEN USING THE IBMJCEHYBRID PROVIDER

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Form based login or other LTPA authentication fails on Java 11
on z/OS when using the IBMJCEHYBRID provider

Affected Users:
Liberty running Java 11 on z/OS using the IBMJCEHYBRID provider

The problem occurs in the following scenarios:
- Liberty for z/OS is running on a system with no hardware
crypto card
- Liberty for z/OS is running on a system with hardware crypto,
but the ICSF address space is down
- Liberty server is started with no ltpa.keys file in directory
WLP_USER_DIR/servername/resources/security/ltpa.keys and is
created on startup with size 1070 bytes.
- Liberty service level 22.0.0.11 or later

An FFDC log contains the following:

Stack Dump =
com.ibm.websphere.security.auth.InvalidTokenException:
BigInteger not invertible.
com.ibm.ws.security.token.ltpa.internal.LTPAToken2.getBytes(LTP
AToken2.java:381)
com.ibm.ws.security.token.internal.AbstractTokenImpl.getBytes(
com.ibm.ws.security.authentication.internal.cache.keyproviders.
SSOTokenBytesCacheKeyProvider.getSingleSignonTokenBytes(
com.ibm.ws.security.authentication.internal.cache.keyproviders.
SSOTokenBytesCacheKeyProvider.provideKey(
com.ibm.ws.security.authentication.internal.cache.AuthCacheServ
iceImpl.commonInsert(
com.ibm.ws.security.authentication.internal.cache.AuthCacheServ
iceImpl.insert(
com.ibm.ws.security.authentication.internal.AuthenticationServi
ceImpl.insertSubjectInAuthCache(
com.ibm.ws.security.authentication.internal.AuthenticationServi
ceImpl.authenticate(
com.ibm.ws.security.authentication.internal.AuthenticationServi
ceImpl.authenticate(
com.ibm.ws.security.authentication.helper.AuthenticateUserHelpe
r.authenticateUser(
com.ibm.ws.security.authentication.helper.AuthenticateUserHelpe
r.authenticateUser(
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLogi
nModule.setUpTemporarySubject(
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLogi
nModule.login(
com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginMod
uleProxy.java:53)
java.base/javax.security.auth.login.LoginContext.invoke(LoginCo
ntext.java:747)
java.base/javax.security.auth.login.LoginContext$4.run(LoginCon
text.java:672)
java.base/javax.security.auth.login.LoginContext$4.run(LoginCon
text.java:670)
java.base/java.security.AccessController.doPrivileged(AccessCon
troller.java:783)
java.base/javax.security.auth.login.LoginContext.invokePriv(Log
inContext.java:670)
java.base/javax.security.auth.login.LoginContext.login(LoginCon
text.java:581)

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of WebSphere Liberty on zOS using *
*                  JAVA 11 with IBMJCEHYBRID Provider          *
****************************************************************
* PROBLEM DESCRIPTION: While using WebSphere Liberty on zOS    *
*                      with                                    *
*                      JAVA 11 and IBMJCEHYBRID Provider, it   *
*                      is                                      *
*                      noticed that form based login or other  *
*                      LTPA authentication fails.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
While using WebSphere Liberty on zOS with JAVA 11 and
IBMJCEHYBRID
Provider, it is noticed that form based login or other LTPA
authentication fails.

    



Problem conclusion


    

  • The code has been revised and updated to fix to address this
issue.

The fix for this APAR is targeted for inclusion in fix pack
23.0.0.10. For more information, see 'Recommended Updates for
WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH55995
    • 

  • Reported component name
    LIBERTY PROF -
    • 

  • Reported component ID
    5655W6514
    • 

  • Reported release
    CD0
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2023-07-25
    • 

  • Closed date
    2023-09-14
    • 

  • Last modified date
    2023-09-14
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    LIBERTY PROF -
    • 

  • Fixed component ID
    5655W6514
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            15 September 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback