Fixes are available
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as new function.
Error description
In JAX-WS WS-Security, you cannot generate or consume a UsernameToken with passwords of type PasswordDigest. Because of user registry constraints, the runtime itself cannot support consuming passwords of type PasswordDigest, but an administrator should be allowed to introduce a custom login module that will do the authentication. The runtime also does not emit UsernameTokens with passwords of type PasswordDigest or allow you to create a UsernameToken with the GenericSecurityTokenFactory APIs that use PasswordDigest.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security enabled JAX-WS web services     *
*                  applications and UsernameToken              *
****************************************************************
* PROBLEM DESCRIPTION: JAX-WS WS-Security should generate      *
*                      and consume UsernameTokens with         *
*                      PasswordType of PasswordDigest          *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
*                 APAR.                                        *
****************************************************************
The JAX-WS WS-Security runtime only accepts and emits UsernameTokens with a PasswordType of http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText. If the PasswordType is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest, the token is rejected. You also cannot emit tokens with a PasswordType of PasswordDigest. The runtime should be able to emit tokens with a PasswordType of PasswordDigest and accept PasswordDigest if a custom login module is in place.
Problem conclusion
The JAX-WS WS-Security runtime is updated to support PasswordDigest.

To emit a UsernameToken with a PasswordType of PasswordDigest, set the following custom property on the UsernameToken callback handler:

    com.ibm.wsspi.wssecurity.token.username.emitPasswordDigest=true

You can also create a UsernameToken with a PasswordType of PasswordDigest using a new com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory API:

    /**
     * Create a fully-populated UsernameToken with a username
     * and password with support for timestamp, nonce, and
     * passwordDigest password type.
     *
     * The password stored on the UsernameToken object will be
     * in clear text regardless of the passwordDigest setting. Only
     * the XML string is affected by the passwordDigest setting.
     *
     * @param username username for the UsernameToken element
     * @param password password for the UsernameToken element.
     *        Null for no password.
     * @param useTimestamp true=add timestamp, false=no timestamp
     * @param addNonce true=add nonce, false=no nonce
     * @param passwordDigest true=PasswordType=PasswordDigest,
     *        false=PasswordType=PasswordText
     * @return A fully-populated <code>UsernameToken</code>
     */
    public abstract UsernameToken getFullUsernameToken(String username,
            char[] password, boolean useTimestamp, boolean addNonce,
            boolean passwordDigest) throws LoginException;

You can consume a UsernameToken with a PasswordType of PasswordDigest only if custom code is in place. You have two choices with this implementation:

1) Use a custom callback handler.

   1a) Create a custom class that implements javax.security.auth.callback.CallbackHandler and make it available to the provider application.
   1b) The callback handler will be passed javax.security.auth.callback.NameCallback and javax.security.auth.callback.PasswordCallback objects.
   1c) In the PasswordCallback, set the plain-text password that corresponds to the username retrieved from NameCallback.getName().
       * If an error occurs while retrieving the password, for instance if the user name is not recognized, throw an IOException.
   1d) In the WS-Security bindings for the provider application, in the UsernameToken consumer callback handler, set the following custom property to the class name of the custom callback handler:

       com.ibm.wsspi.wssecurity.token.UsernameToken.digestPasswordCallbackHandler

   1e) At runtime, the UNTConsumeLoginModule will do the following:
       * Retrieve the plain-text password from the custom callback handler.
       * Calculate the digest of the plain-text password using the Timestamp and Nonce in the token (if they exist).
       * Compare the digest of the plain-text password against the digested password in the token.
         ** If the comparison fails, the token will be rejected.
         ** If the comparison is successful, the password on the UsernameToken object will be set to the plain-text password and used later if required.
       * Check the registry using the username/plain-text password.
         ** If you don't want to check the registry, be sure to set com.ibm.wsspi.wssecurity.token.UsernameToken.disableUserRegistryCheck=true on the UsernameToken callback handler.
       * If a caller configuration exists for the UsernameToken, the LoginProcessor will check the registry for the username/plain-text password unless a custom login module is used to bypass the registry check. See the following article for more information:
         https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html

2) Implement a JAAS login module to validate the UsernameToken containing the digested password.

   2a) Implement a UsernameToken authentication JAAS login module. See the following document for more information:
       http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_replace_authmethod_usernametoken.html
   2b) In the login module, validate the digested password. New APIs have been added to the com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory interface to help:

       public abstract String digestPassword(String nonce, String created, char[] password) throws LoginException;
       public abstract String digestPassword(byte[] nonce, java.util.Date created, char[] password) throws LoginException;

       There are methods in the UsernameToken interface that you can use to obtain the values for the nonce (getNonce) and created (getCreatedTime):
       http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/wssecurity/wssapi/token/UsernameToken.html

       You can also use the verifyDigestedPassword method in the WSSUtilFactory interface to have the UsernameToken object do the digest calculation and comparison itself:

       public abstract boolean verifyDigestedPassword(UsernameToken unt, char[] expectedPassword) throws LoginException;

The new WSSUtilFactory methods are documented as follows:

    /**
     * Calculates a password digest string.
     *
     * This method calculates a password digest string that can be
     * used with the UsernameToken #PasswordDigest Password Type
     *
     * @param nonce UsernameToken nonce value in bytes
     * @param created UsernameToken created date
     * @return the password digest string calculated from the input
     *         values
     */
    public abstract String digestPassword(byte[] nonce, java.util.Date created,
            char[] password) throws LoginException;

    /**
     * Calculates a password digest string.
     *
     * This method calculates a password digest string that can be
     * used with the UsernameToken #PasswordDigest Password Type
     *
     * @param nonce UsernameToken nonce value, base-64 encoded
     * @param created UsernameToken created date in UTC String
     *        format (as it appears in the token XML)
     * @return the password digest string calculated from the input
     *         values
     */
    public abstract String digestPassword(String nonce, String created,
            char[] password) throws LoginException;

    /**
     * Verifies a digested password on a UsernameToken object.
     *
     * This method will verify that the comparison password is the
     * same as the password used to make the digested password on
     * the UsernameToken object.
     * This is done by calculating the digest value for the
     * comparison password using the nonce and created data in the
     * token, then comparing it to the digested password on the
     * UsernameToken.
     *
     * This method can only be used with UsernameTokens that have
     * been consumed by a token consumer (UNTConsumeLoginModule or
     * GenericIssuedTokenConsumeLoginModule).
     * If a UsernameToken was created with a
     * GenericSecurityTokenFactory.getFullUsernameToken method,
     * the password in the token object (not the XML) will
     * be in clear text regardless of the password digest setting.
     * In this case, this method will return false unless both
     * passwords are empty.
     *
     * @param unt UsernameToken containing a digested password
     * @param expectedPassword Password to compare
     * @return true if the digested value of the comparison
     *         password equals the password on the unt object, otherwise
     *         false
     */
    public abstract boolean verifyDigestedPassword(UsernameToken unt,
            char[] expectedPassword) throws LoginException;

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.41, 8.0.0.12, and 8.5.5.8. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, WSSEC
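As an added example (not IBM's code and not part of this APAR), the following Python models what UNTConsumeLoginModule does in step 1e and what a custom login module must do in step 2b: recompute the digest from the token's Nonce and Created values with the plain-text password from the callback handler, and compare it with the digested password in the token. It assumes the digest defined by the OASIS UsernameToken Profile 1.0 that the PasswordType URIs reference, Base64(SHA-1(nonce + created + password)); the token dictionary, sample nonce, timestamp and user store are constructed for the example.

```python
# Added example (not IBM's code): models the PasswordDigest check the APAR
# describes for UNTConsumeLoginModule (step 1e) or a custom login module (2b).
# OASIS UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)).
import base64
import hashlib
import hmac

PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

def digest_password(nonce_b64, created, password):
    """Same inputs as WSSUtilFactory.digestPassword(String, String, char[]):
    base64 nonce and Created string as they appear in the token XML.
    Both are optional in the profile, so either may be None."""
    nonce = base64.b64decode(nonce_b64) if nonce_b64 else b""
    material = nonce + (created or "").encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")

def verify_digested_password(token, expected_password):
    """Counterpart of WSSUtilFactory.verifyDigestedPassword: recompute the
    digest from the token's own nonce/created and compare in constant time."""
    if token["password_type"] != PASSWORD_DIGEST:
        raise ValueError("token does not carry a PasswordDigest password")
    expected = digest_password(token.get("nonce"), token.get("created"), expected_password)
    return hmac.compare_digest(expected, token["password"])

def consume_username_token(token, password_callback):
    """Step 1e in miniature. password_callback stands in for the custom
    CallbackHandler: it returns the user's plain-text password or raises
    KeyError (the IOException case). Returns the plain-text password when
    the token is accepted (the registry check would follow), None if rejected."""
    try:
        plain = password_callback(token["username"])
    except KeyError:
        return None
    if token["password_type"] == PASSWORD_DIGEST:
        ok = verify_digested_password(token, plain)
    else:  # PasswordText: the clear-text password is compared directly
        ok = hmac.compare_digest(plain.encode("utf-8"), token["password"].encode("utf-8"))
    return plain if ok else None

# Constructed sample token and user store (not real credentials).
SAMPLE_NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
SAMPLE_CREATED = "2015-07-28T12:00:00Z"
SAMPLE_TOKEN = {"username": "alice", "password_type": PASSWORD_DIGEST,
                "nonce": SAMPLE_NONCE, "created": SAMPLE_CREATED,
                "password": digest_password(SAMPLE_NONCE, SAMPLE_CREATED, "s3cret")}
USERS = {"alice": "s3cret"}
```

A token whose Nonce or Created value has been altered after the digest was computed fails the comparison, which is the replay protection the digest form provides over PasswordText.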
Temporary fix
Comments
APAR Information
APAR number
PI45840
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-07-28
Closed date
2015-09-16
Last modified date
2015-09-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
27 April 2022