Fixes are available
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
WebSphere z/OS 8.5.5.2 is reporting this failure in a joblog entry:

SourceId: com.ibm.ws.security.token.WSCredentialTokenMapper
ExtendedMessage: BBOO0220E: SECJ5010E: Could not create default AuthenticationToken during propagation login. The following exception occurred: com.ibm.websphere.security.auth.WSLoginFailedException: The user is from a foreign realm, LDAP, and this foreign realm is not trusted. Current realm is nnn.nnn.nnn.nnn
    at com.ibm.ws.security.ltpa.LTPAServerObject.realmsMatch(LTPAServerObject.java:2988)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1184)
    at com.ibm.ws.security.token.AuthenticationTokenImpl.initializeToken(AuthenticationTokenImpl.java:298)
    at com.ibm.ws.security.token.AuthenticationTokenImpl.initializeToken(AuthenticationTokenImpl.java:218)
    at com.ibm.ws.security.token.AuthenticationTokenImpl.initializeToken(AuthenticationTokenImpl.java:207)
    at com.ibm.ws.security.token.WSCredentialTokenMapper.createAuthTokenFromWSCredential(WSCredentialTokenMapper.java:1083)
    at com.ibm.ws.security.context.ContextImpl$5.run(ContextImpl.java:967)
Local fix
n/a
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server for z/OS V8.5
PROBLEM DESCRIPTION: SECJ5010E: Could not create default AuthenticationToken during propagation login.
RECOMMENDATION:

During propagation login, an LtpaToken(2) cookie is provided by the client. If the subject associated with this cookie/token is not found in cache, the server attempts to find the subject on the server that performed the initial login, via an mbean call to that server.

This error occurs when the source server (the server making the mbean request) is in an application domain in a Multi Security Domain (MSD) environment. The target server (the server running this mbean) attempts validation of the cookie/token in the global domain instead of the application domain. This results in the SECJ5010E error.

The result of the error is that the source server will need to recreate the subject. It is possible that this could result in the login failing and the user being prompted for login credentials.

The SECJ5010E error is a common error. To be certain this APAR is a match, keep in mind that this APAR only addresses servers running in an application domain. Tracing would show that the error occurs on a thread running under the SecurityAdmin.getOpaqueToken() method. You would see this in the stack trace, for example:

com.ibm.ws.security.core.SecurityAdmin.getOpaqueToken(SecurityAdmin.java:xxxx)

APAR Searchability keywords: _WL3SEC _ZOS _AUTHN _OPAQUETOKEN
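The matching rule described above can be applied to a joblog extract as a triage script. This is an added example, not IBM code: the function name, the verdict labels, the use of "SourceId:" as an entry delimiter and the sample log (constructed, with line wraps like those in the error description) are assumptions.

```python
import re

# Markers taken from the APAR text. Whitespace is removed before matching
# because the joblog wraps long lines in the middle of identifiers.
ERROR_ID = "SECJ5010E"
MBEAN_FRAME = "com.ibm.ws.security.core.SecurityAdmin.getOpaqueToken("
ENTRY_START = re.compile(r"(?=SourceId:)")  # assumed entry delimiter

# Constructed sample: entry 1 carries the getOpaqueToken frame, entry 2 is a
# SECJ5010E without it, entry 3 is unrelated. "xxxx" is elided as in the APAR.
SAMPLE_JOBLOG = """\
SourceId: com.ibm.ws.security.token.WSCredentialTokenMapper
ExtendedMessage: BBOO0220E: SECJ5010E: Could not create default Authenticat
ionToken during propagation login. The following exception occurred:
com.ibm.websphere.security.auth.WSLoginFailedException: The user is from a
foreign realm, LDAP, and this foreign realm is not trusted.
 at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServ
erObject.java:1184)
 at com.ibm.ws.security.core.SecurityAd
min.getOpaqueToken(SecurityAdmin.java:xxxx)
SourceId: com.ibm.ws.security.token.WSCredentialTokenMapper
ExtendedMessage: BBOO0220E: SECJ5010E: Could not create default
AuthenticationToken during propagation login.
 at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServ
erObject.java:1184)
SourceId: com.example.Other
ExtendedMessage: unrelated entry
"""


def triage(joblog_text):
    """Return one (verdict, realm_error) tuple per SECJ5010E entry."""
    results = []
    for entry in ENTRY_START.split(joblog_text):
        squashed = re.sub(r"\s+", "", entry)  # undo mid-identifier wraps
        if ERROR_ID not in squashed:
            continue
        realm_error = "foreignrealm" in squashed
        if MBEAN_FRAME in squashed:
            verdict = "candidate"    # still confirm the server is in an application domain
        else:
            verdict = "unconfirmed"  # SECJ5010E is common; no getOpaqueToken frame seen
        results.append((verdict, realm_error))
    return results


if __name__ == "__main__":
    for verdict, realm_error in triage(SAMPLE_JOBLOG):
        print(verdict, "foreign-realm text present:", realm_error)
```

A "candidate" verdict only means the stack trace fits; whether the server runs in an application domain has to be checked in the cell's security configuration.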
Problem conclusion
Security code was corrected to validate the LtpaToken(2) in the application domain when running the SecurityAdmin.getOpaqueToken() mbean.

APAR PI55025 is currently targeted for inclusion in Fix Pack 8.5.5.10 of WebSphere Application Server V8.5.

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

In addition, please refer to the following URL for Fix Pack PTF information:
http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
Temporary fix
Comments
APAR Information
APAR number: PI55025
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 850
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt / Xsystem
Submitted date: 2016-01-07
Closed date: 2016-03-11
Last modified date: 2016-03-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500
Applicable component levels: R850 PSY UP
Document Information
Modified date: 28 April 2022