APAR status
Closed as program error.
Error description
"SPNEGO web authentication" validation fails even when the correct values are entered. When a user encounters this issue, the error includes the Kerberos validation error message on a JAAS Subject that starts with "WAS/". If it were SPNEGO validation, the JAAS Subject would start with "HTTP/".

-- Sample error --
org.ietf.jgss.GSSException, major code:13, minor code: 0
major string: Invalid credentials
minor string: Cannot get credential from JAAS Subject for principal: WAS/testserer.ibm.com@IBMDOMAIN
-------------------
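The WAS/ versus HTTP/ distinction described above can be checked mechanically when triaging logs. The following is an added example, not part of the APAR or any IBM code: it parses the GSSException text and reports which validation path the failing principal points to. The function names, verdict labels, and every sample message except the first are constructed for illustration.

```python
import re

# Matches the GSSException text shown in this APAR's sample error.
GSS_RE = re.compile(
    r"GSSException, major code:\s*(?P<major>\d+).*?"
    r"Cannot get credential from JAAS Subject for principal:\s*"
    r"(?P<service>[^/\s@]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)",
    re.DOTALL,
)

def classify(message):
    """Return (verdict, principal) for one logged error, or None if no match."""
    m = GSS_RE.search(message)
    if m is None:
        return None
    principal = "%s/%s@%s" % (m["service"], m["host"], m["realm"])
    if m["service"] == "WAS":
        verdict = "kerberos-auth-mechanism"   # symptom described in this APAR
    elif m["service"] == "HTTP":
        verdict = "spnego-web-auth"           # genuine SPNEGO validation failure
    else:
        verdict = "other"
    return verdict, principal

def triage(messages):
    """Group failing principals by verdict across many log messages."""
    result = {}
    for msg in messages:
        hit = classify(msg)
        if hit is not None:
            result.setdefault(hit[0], []).append(hit[1])
    return result

# First entry is the sample error from this page; the rest are constructed.
SAMPLES = [
    "org.ietf.jgss.GSSException, major code:13, minor code: 0 "
    "major string: Invalid credentials minor string: Cannot get credential "
    "from JAAS Subject for principal: WAS/testserer.ibm.com@IBMDOMAIN",
    "org.ietf.jgss.GSSException, major code:13, minor code: 0 "
    "major string: Invalid credentials minor string: Cannot get credential "
    "from JAAS Subject for principal: HTTP/app01.example.test@EXAMPLE.TEST",
    "SECJ0000E: unrelated constructed message",
]

if __name__ == "__main__":
    for verdict, principals in triage(SAMPLES).items():
        print(verdict, principals)
```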
Local fix
Manually edit security.xml:
- Take a backup of security.xml.
- Edit krb5Config and krb5Keytab by removing their values, change krb5Spn="HTTP/${HOST}" to krb5Spn="WAS/${HOST}", and remove the tag line configured="true".
- Save the file.

krb5Config="/root/recreate/spnego/new_mikenoupn.conf"
krb5Keytab="/root/recreate/spnego/new_mikenoupn.keytab"
krb5Spn="HTTP/${HOST}"
trimUserName="true"
enabledGssCredDelegate="true"
configured="true"/>
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server who configured Kerberos Authentication.
PROBLEM DESCRIPTION: "SPNEGO web authentication" validation fails even when the correct values are entered.
RECOMMENDATION:

Once "Kerberos configuration" has been saved, the "Kerberos and LTPA" authentication mechanism stays enabled. As a result, "SPNEGO web authentication" validation checks both the Kerberos and the SPNEGO configuration. Even when the correct values are entered in the SPNEGO web authentication panel, the panel fails to save the configuration due to the unnecessary validation of the Kerberos configuration.
Problem conclusion
This APAR introduces a new AdminTask command, "unconfigureKrbAuthMechanism()", to reset the authentication mechanism from "Kerberos and LTPA" to "LTPA" while preserving the configured values in the Kerberos authentication for later use.

-- usage example --
>wsadmin -username xxx -password yyy -lang jython
wsadmin>AdminTask.unconfigureKrbAuthMechanism()
wsadmin>AdminConfig.save()
-------------------

The fix for this APAR is targeted for inclusion in fix pack 9.0.5.21 and 8.5.5.26. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH57364
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-10-05
Closed date
2024-03-28
Last modified date
2024-10-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
31 October 2024