We are having a problem with the combination of web access, Single Sign-on and profile switching that has us completely stumped.
I apologise, I don't know how most of this works. I only work on the programs that use the profile switching facility. I don't even work on the code that calls the APIs themselves.
Our users use Single Sign-on (Kerberos principal), and access applications via web pages served directly from the iSeries. The first page they see is a menu listing the pages their user profile is allowed to access.
Some of those pages use profile switching in order to be able to perform an action as profile QSYSOPR. They are switched back to their own user profile immediately afterwards.
Recently, a bug has appeared where after the user uses one of these screens, next time they try and access the web interface their menu is empty because the iSeries is still seeing the user ID as QSYSOPR.
It's like the switch back from QSYSOPR to their own user profile failed, and the error then persists across to their next login session, so it's like it has corrupted the user's SSO setup in some way.
The issue only affects SSO users - users who log in with a username and password are not affected. I don't know if the switch back from QSYSOPR fails or not for non-SSO users, but if it does fail then it does not persist to their next login session.
SSO users have to be removed from SSO and re-added to restore their access.
Additionally, we have so far failed to reproduce the error on the test box.
This code has been in place for years and the issue has only just started, so our best guess is that an IBM PTF fixed a bug that our code was unknowingly depending on.
The profile switching is accomplished as follows:
1. Use the QsyGetProfileHandle API to get the handle for their current user profile
2. Use the QsyGenPrfTkn and QsySetToPrfTkn APIs to switch to QSYSOPR and to return a token
3. Do actions as QSYSOPR
4. Use the QsySetToProfileHandle API to switch back to the original user profile, using the handle from step 1
5. Use the QsyRemoveAllPrfTknsForUser API for QSYSOPR
6. Use the QsyRemovePrfTkn API for the token returned in step 2
Any help is appreciated.