JR62806: EXTERNAL REST SERVICE INVOCATIONS FAIL WITH AN HTTP 401 ERROR

workflow.20002.delta.repository

APAR status

• Closed as program error.

Error description

• After you upgrade to IBM Business Automation Workflow V18.0.0.2
  or later, invoking an external REST service might fail with an
  HTTP 401 error if the OpenAPI definition doesn't specify a
  security definition of basic authentication for the respective
  operation; however, the REST service does require basic
  authentication.
  

Local fix

• Correct the incomplete OpenAPI definition of the external REST
  service by specifying basic authentication in the OpenAPI
  definition for the respective operation. Then, rediscover the
  external REST service, create a new snapshot of your process
  application, and install it into the runtime environment.
  
  Note: This approach is not a workaround but rather the required
  action in any case. The property is meant only as a temporary
  mitigation until the process application is corrected, such that
  it contains external REST services that are based on valid and
  complete OpenAPI specifications.
  

Problem summary

•   For a REST service invocation, Business Automation Workflow
    requires a valid and fully specified OpenAPI definition,
    including respective security definitions for the operations
    of that REST service, as documented in "Invoking a REST
    service"
    (https://www.ibm.com/support/knowledgecenter/SS8JB4_20.x/com.i
    bm.wbpm.wle.editor.doc/topics/textsrvrest.html). If an OpenAPI
     specification doesn't contain security definitions for an
    operation that means the operation doesn't require that any
    security-related headers to be sent. And, correspondingly, if
    an OpenAPI definition comprises any security requirements, the
     runtime environment handles them accordingly. In 18.0.0.2,
    the handling of some scenarios had to be fixed.
  
    PRODUCTS AFFECTED
    IBM Business Automation Workflow
  

Problem conclusion

• A circumvention is available or will be available to temporarily
   restore the behavior that existed before 18.0.0.2 until you
  corrected the OpenAPI definition, and rediscovered your external
   REST service, as explained in the Local Fix section of this
  APAR.
  
  You can temporarily restore the behavior that existed before
  18.0.0.2 by adding the following lines to the 100Custom.xml
  file:
  
  <server>
    <external-service-rest-invocation>
      <enforce-pre18002-basic-auth-header-handling
  merge="replace">true</enforce-pre18002-basic-auth-header-handlin
  g>
    </external-service-rest-invocation>
  </server>
  
  By setting enforce-basic-auth-header to true, a basic
  authentication header is added to the request if basic
  authentication credentials are specified on the REST server or
  in the Script task even though the call operation doesn't
  specify a basic authentication security definition in the
  OpenAPI definition.
  
  By setting enforce-basic-auth-header to false, a basic
  authentication header is added only to the request if basic
  authentication security definition is specified for the
  operation in the OpenAPI definition. This behavior is the
  default and correct behavior.
  
  Use this property only temporarily.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUS AUTO WORKFL

• Fixed component ID

  5737H4100

Applicable component levels