VOOZH about

URL: https://www.ibm.com/support/pages/apar/IJ49091

⇱ IJ49091: RFE: KERBEROS PRINCIPAL NAME CANONICALIZATION AND CROSS-REALM REFERRALS (RFC 6806, SECTION 8)

IJ49091: RFE: KERBEROS PRINCIPAL NAME CANONICALIZATION AND CROSS-REALM REFERRALS (RFC 6806, SECTION 8)

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
.
Stack Trace: N/A
.

Local fix

  • N/A

Problem summary

  • Support for Kerberos Cross-Realm Referrals (RFC 6806) is added:
The Kerberos client is enhanced with support for principal name
canonicalization and cross-realm referrals, as defined by the
RFC6806 protocol extension. The Kerberos client can now take
advantage of more dynamic environment configurations, and does
not necessarily need to know in advance how to reach the realm
of a target principal (user or service). Support is enabled by
default and the maximum number of referral hops allowed is set
to 5. To disable it, set the
com.ibm.security.krb5.disableReferrals security, or system
property to false. To configure a custom maximum number of
referral hops, set the com.ibm.security.krb5.maxReferrals
security, or system property to any positive value.
Note: The com.ibm.security.krb5.disableReferrals and
com.ibm.security.krb5.maxReferrals Java? Generic Security
Service (JGSS) configuration options can be set statically in
the java.security file as a security property, or dynamically at
runtime as a system property.
Support for the canonicalize flag in krb5.conf is added:
The Kerberos implementation now supports the canonicalize flag
in the krb5.conf file. When set to true, RFC6806 name
canonicalization is requested by clients in TGT requests to KDC
services (AS protocol). Otherwise, by default it is not
requested.
Support for Cross-Realm Kerberos MS-SFU Extensions is added:
The support for the Kerberos MS-SFU extensions is now extended
to cross-realm environments through the addition of
resource-based constrained delegation support. By using the
Kerberos cross-realm referrals enhancement, the S4U2Self and
S4U2Proxy extensions might be used to impersonate user and
service principals that are located on different realms.

Problem conclusion

  • The files affected by this APAR are: ibmjgssprovider.jar (Java
8: build_20230719-53).
The associated Hursley RTC Problem Report is: PR149485, and
PR149488.
The associated Austin Git issue is: Issue #35 for IBMJGSS.
The associated Austin APAR issue is: N/A.
.
This APAR will be fixed in the following Releases:
.
IBM SDK, Java Technology Edition
 8 SR8 FP15 (8.0.8.15)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
maintenance can be found at:
 https://www.ibm.com/support/pages/java-sdk

Temporary fix

  • N/A

Comments



APAR Information




    

  • APAR number
    IJ49091
    • 

  • Reported component name
    JAVA CLASS LIBS
    • 

  • Reported component ID
    620700130
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2023-11-03
    • 

  • Closed date
    2023-11-03
    • 

  • Last modified date
    2023-11-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    JAVA CLASS LIBS
    • 

  • Fixed component ID
    620700130
    • 



Applicable component levels







 
 
 
 

 [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
 

 

 
 
 

 

 

 

 

 

 
Document Information


 

 

 Modified date:
 

 04 November 2023