Fixes are available
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4
APAR status
Closed as program error.
Error description
certificate login does not work with custom user registry on Liberty
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Liberty who configure a custom user  *
*                  registry and use certificate login          *
****************************************************************
* PROBLEM DESCRIPTION: User registry error after               *
*                      mapCertificate call                     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When certificate login takes place, Liberty calls the mapCertificate() method on the custom user registry to map the incoming certificate to a user. Liberty incorrectly treats the return value of mapCertificate() as a uniqueUserId when it is actually a securityName. Liberty then calls getUserSecurityName with the securityName as input. This is unexpected input for a custom user registry, and the registry could throw an error.
The error stack varies, but the error occurs after mapCertificate is called and comes from user registry code, due to the incorrect input value from Liberty. One example of an error seen is shown below.
----- Sample error output -----
[23/06/17 11:45:44:497 BST] 00000030 SystemErr R java.lang.NullPointerException
[23/06/17 11:45:44:498 BST] 00000030 SystemErr R at com.ibm.security.x509.X509CertInfo.getX500Name(X509CertInfo.java:859)
[23/06/17 11:45:44:498 BST] 00000030 SystemErr R at com.ibm.security.x509.X509CertInfo.get(X509CertInfo.java:803)
[23/06/17 11:45:44:498 BST] 00000030 SystemErr R at com.ibm.mq.rest.auth.osauth.v1.MQLocalAuthenticationV1.mapCertificate(MQLocalAuthenticationV1.java:623)
[23/06/17 11:45:44:499 BST] 00000030 SystemErr R at com.ibm.ws.security.registry.internal.CustomUserRegistryWrapper.mapCertificate(CustomUserRegistryWrapper.java:244)
[23/06/17 11:45:44:499 BST] 00000030 SystemErr R at com.ibm.ws.security.authentication.jaas.modules.CertificateLoginModule.handleUserLogin(CertificateLoginModule.java:271)
-----
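The identifier mix-up described above, as an added example that is not IBM's or Liberty's code: a toy registry whose securityName and uniqueUserId namespaces differ, showing why passing the result of mapCertificate() to getUserSecurityName() fails. The class name, the sample users and the simplified mapCertificate(String) signature are assumptions made for illustration; only the three method names mirror the ones in this APAR.

```java
import java.util.Map;

// Added illustration: a toy registry, not IBM's UserRegistry interface or Liberty code.
public class CertLoginIdMixup {

    // Constructed sample data: securityName and uniqueUserId live in different namespaces.
    static final Map<String, String> DN_TO_SECURITY_NAME =
            Map.of("CN=alice,O=Example", "alice");
    static final Map<String, String> SECURITY_NAME_TO_UNIQUE_ID =
            Map.of("alice", "uid-1001");

    // Simplified (assumption): takes the subject DN instead of an X509Certificate chain.
    static String mapCertificate(String subjectDn) {
        String name = DN_TO_SECURITY_NAME.get(subjectDn);
        if (name == null) throw new IllegalArgumentException("no user for " + subjectDn);
        return name; // a securityName, as the APAR states
    }

    static String getUniqueUserId(String securityName) {
        String id = SECURITY_NAME_TO_UNIQUE_ID.get(securityName);
        if (id == null) throw new IllegalArgumentException("unknown securityName: " + securityName);
        return id;
    }

    static String getUserSecurityName(String uniqueUserId) {
        for (Map.Entry<String, String> e : SECURITY_NAME_TO_UNIQUE_ID.entrySet()) {
            if (e.getValue().equals(uniqueUserId)) return e.getKey();
        }
        throw new IllegalArgumentException("unknown uniqueUserId: " + uniqueUserId);
    }

    public static void main(String[] args) {
        String mapped = mapCertificate("CN=alice,O=Example");

        // Flow described in the APAR: the securityName is passed where a uniqueUserId is expected.
        try {
            getUserSecurityName(mapped);
        } catch (IllegalArgumentException ex) {
            System.out.println("pre-fix flow fails: " + ex.getMessage());
        }

        // Treating the mapped value as a securityName resolves both identifiers consistently.
        String uniqueId = getUniqueUserId(mapped);
        System.out.println("securityName=" + mapped + " uniqueUserId=" + uniqueId
                + " roundTrip=" + getUserSecurityName(uniqueId));
    }
}
```

A registry in which securityName and uniqueUserId happen to be the same string would not surface the problem, which is why the symptom depends on the custom registry implementation.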
Problem conclusion
The code was fixed so that it will handle securityName and uniqueUserId as expected. The fix for this APAR is currently targeted for inclusion in fix pack 17.0.0.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI84487
Reported component name
LIBERTY PROFILE
Reported component ID
5724J0814
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-07-13
Closed date
2017-08-22
Last modified date
2017-08-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROFILE
Fixed component ID
5724J0814
Applicable component levels
R855 PSY
UP
Document Information
Modified date:
04 May 2022