APAR status
Closed as program error.
Error description
The issuer (iss) claim is the default realm and is used as the subject realm. If a realmName claim is included in the JWT token, the realmName claim is used as the subject realm instead of the iss claim. The subject (sub) claim is used as the principal name and unique security name of the user.

For example, if the JWT contains:

  iss="https://host/a/b/c"
  sub="distuser"

with a distributed identity filter to map distuser to USER1:

---
RACMAP ID(USER1) LISTMAP
Mapping information for user USER1:
  Label: User1Label
  Distributed Identity User Name Filter: >distuser<
  Registry Name: >https://host/a/b/c<
---

The parsed identity may contain a portion of the realm, such as a/b/c/distuser instead of distuser, resulting in a "DISTRIBUTED IDENTITY IS NOT DEFINED" error.

The symptom can be confirmed with trace:

*=info:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:org.apache.http.client.*=all

The realm and uniqueId can be obtained from the trace by searching on:
  com.ibm.wsspi.security.cred.realm
  com.ibm.wsspi.security.cred.uniqueId

The mapping can be identified by searching on: createMappedCredential

For example:
  com.ibm.wsspi.security.cred.realm=https://host/a/b/c
  com.ibm.wsspi.security.cred.uniqueId=user:https://host/a/b/c/distuser

A correct mapping will show the user and the realm:
  createMappedCredential Entry distuser https://host/a/b/c WebSphere Mapped Login

An incorrect mapping will show a portion of the realm appended to the user.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server Liberty                                *
****************************************************************
* PROBLEM DESCRIPTION: RACF RACMAP filter fails to properly    *
*                      match on WSCredential realm.            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

RACF RACMAP filter fails to properly match on WSCredential realm.

For example, if the JWT contains:

  com.ibm.wsspi.security.cred.realm=https://host/a/b/c
  com.ibm.wsspi.security.cred.uniqueId=user:https://host/a/b/c/distuser

with a distributed identity filter to map distuser to USER1:

---
RACMAP ID(USER1) LISTMAP
Mapping information for user USER1:
  Label: User1Label
  Distributed Identity User Name Filter: >distuser<
  Registry Name: >https://host/a/b/c<
---

The parsed identity may contain a portion of the realm, such as a/b/c/distuser instead of distuser, resulting in a "DISTRIBUTED IDENTITY IS NOT DEFINED" error.
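The following is an added example, not IBM or Liberty code, that makes the failure described in the error description and the problem summary concrete. It builds the realm and uniqueId from the JWT claims the APAR names (iss, realmName, sub), derives the subject name by stripping the exact realm prefix from the uniqueId, contrasts that with a parse that stops at the URL authority and so yields a/b/c/distuser for a realm with a path, and checks a constructed trace excerpt (modelled on the com.ibm.wsspi.security.cred.realm, com.ibm.wsspi.security.cred.uniqueId and createMappedCredential lines mentioned above) to tell a correct mapping from an incorrect one. The trace line layout and all function names are assumptions made for this illustration.

```python
import re

# Trace keys named in the APAR; the line layout around them is constructed here.
REALM_KEY = "com.ibm.wsspi.security.cred.realm"
UNIQUEID_KEY = "com.ibm.wsspi.security.cred.uniqueId"
MAPPED_MARKER = "createMappedCredential Entry"


def credential_from_claims(claims):
    """Realm and uniqueId as the APAR describes them: realmName wins over iss,
    sub becomes the principal name. (Illustrative layout, not Liberty's code.)"""
    realm = claims.get("realmName") or claims["iss"]
    unique_id = "user:" + realm.rstrip("/") + "/" + claims["sub"]
    return realm, unique_id


def user_from_unique_id(unique_id, realm):
    """Recover the subject by removing the *whole* realm prefix, so a realm that
    carries a path (https://host/a/b/c) still yields the bare subject name."""
    if not unique_id.startswith("user:"):
        raise ValueError("uniqueId does not start with 'user:'")
    body = unique_id[len("user:"):]
    prefix = realm.rstrip("/") + "/"
    if not body.startswith(prefix):
        raise ValueError("uniqueId does not belong to realm %r" % realm)
    return body[len(prefix):]


def user_from_authority_split(unique_id):
    """A parse that assumes the realm ends at the URL authority (first '/' after
    'scheme://'). For https://host/a/b/c it returns 'a/b/c/distuser', the
    symptom this APAR reports. Illustration of the failure mode only."""
    body = unique_id[len("user:"):]
    scheme_end = body.find("://") + 3
    first_slash = body.find("/", scheme_end)
    return body[first_slash + 1:]


def parse_trace(trace):
    """Pull realm, uniqueId and the createMappedCredential entry out of trace text."""
    found = {"realm": None, "uniqueId": None, "mapped_user": None, "mapped_realm": None}
    for line in trace.splitlines():
        m = re.search(re.escape(REALM_KEY) + r"=(\S+)", line)
        if m:
            found["realm"] = m.group(1)
        m = re.search(re.escape(UNIQUEID_KEY) + r"=(\S+)", line)
        if m:
            found["uniqueId"] = m.group(1)
        m = re.search(re.escape(MAPPED_MARKER) + r"\s+(\S+)\s+(\S+)", line)
        if m:
            found["mapped_user"], found["mapped_realm"] = m.group(1), m.group(2)
    return found


def check_mapping(trace):
    """Compare the user handed to createMappedCredential with the subject derived
    from realm + uniqueId; a mismatch is what precedes the RACF
    'DISTRIBUTED IDENTITY IS NOT DEFINED' failure described in the APAR."""
    f = parse_trace(trace)
    expected = user_from_unique_id(f["uniqueId"], f["realm"])
    ok = f["mapped_user"] == expected and f["mapped_realm"] == f["realm"]
    return {"realm": f["realm"], "expected_user": expected,
            "mapped_user": f["mapped_user"], "ok": ok}


# Constructed trace excerpts (not real Liberty output): one correct, one showing
# the realm path appended to the user.
GOOD_TRACE = """\
[2/10/21 10:00:00:000 UTC] 0000004a ... com.ibm.wsspi.security.cred.realm=https://host/a/b/c
[2/10/21 10:00:00:001 UTC] 0000004a ... com.ibm.wsspi.security.cred.uniqueId=user:https://host/a/b/c/distuser
[2/10/21 10:00:00:002 UTC] 0000004a ... createMappedCredential Entry distuser https://host/a/b/c WebSphere Mapped Login
"""
BAD_TRACE = GOOD_TRACE.replace("Entry distuser", "Entry a/b/c/distuser")

if __name__ == "__main__":
    realm, uid = credential_from_claims({"iss": "https://host/a/b/c", "sub": "distuser"})
    print("realm:", realm, "uniqueId:", uid)
    print("exact-prefix parse:", user_from_unique_id(uid, realm))
    print("authority-split parse:", user_from_authority_split(uid))
    print("good trace:", check_mapping(GOOD_TRACE))
    print("bad trace:", check_mapping(BAD_TRACE))
```

The check is only as strong as the realm string it strips: the Registry Name in the RACMAP filter and the realm in the WSCredential have to be byte-for-byte identical (scheme, host, path, no trailing slash) for either RACF or this script to match, so compare both values from the same trace rather than from memory.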
Problem conclusion
The code was reviewed and updated to address this issue. The fix for this APAR is currently targeted for inclusion in fix pack 20.0.0.8. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH34376
Reported component name
LIBERTY PROF -
Reported component ID
5655W6514
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-02-10
Closed date
2021-02-12
Last modified date
2021-02-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROF -
Fixed component ID
5655W6514
Applicable component levels
Business Unit: Systems w/TPS (BU054)
Product: APARs - z/OS environment (SG19M)
Platform: z/OS (PF054)
Version: CD0
Document Information
Modified date:
27 February 2021