PI59831: SUPPORT FOR USING LOCAL X509 PUBLIC CERTIFICATE FOR SIGNATURE VERIFICATION IN OIDC.

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect Relying Party TAI should support X.509
    asymmetric signature with something other than a JSON Web Key.
    There should be some way to use an X.509 public certificate
    available on the local system.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add support for local X.509 public      *
    *                      certificate for signature validation    *
    *                      in OpenID Connect Relying Party TAI     *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    With the OpenID Connect (OIDC) Relying Party, there is no way
    to use an X.509 asymmetric signature unless you have a JSON
    Web Key (JWK).
    

Problem conclusion

  • An option to use a local public certificate for signature
    validation is added to the OIDC Relying Party TAI.
    
    The following OIDC TAI custom property is added:
    
    provider_<id>.signVerifyAlias
    
    This property specifies the alias of the certificate in the
    centralized trust store that is used to verify the signature
    from the OP. On a single server, the trust store is the
    NodeDefaultTrustStore; otherwise it is the
    CellDefaultTrustStore.
    
    This property must be set if the signatureAlgorithm custom
    property is set to RS256 and you do not set the
    provider_<id>.jwkEndpointUrl custom property to obtain the
    OP's JSON Web Key (JWK).
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.12 and 8.5.5.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, OIDC
    
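    The check that the signVerifyAlias property enables, as an added illustration in plain Java rather than WebSphere's own TAI code: the certificate is looked up by alias in a local trust store and its public key verifies the RS256 signature on a compact JWS (ID token). The trust store path, password and alias in main are hypothetical; a deployment uses whatever the NodeDefaultTrustStore or CellDefaultTrustStore actually holds.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;

public class LocalCertJwsVerifier {

    // Load the public key of the certificate stored under `alias` in a JKS or PKCS12 trust store.
    static PublicKey loadVerifyKey(String trustStorePath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias '" + alias + "' in trust store");
        }
        return cert.getPublicKey();
    }

    // Verify a compact JWS (header.payload.signature) against the locally configured key.
    // The algorithm is fixed to RS256 by configuration; the token's own "alg" header is only
    // required to agree with it, never used to choose the verification method.
    static boolean verifyRs256(String compactJws, PublicKey key) throws Exception {
        String[] parts = compactJws.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        // Simplified header check (no JSON parser): whitespace removed, then literal match.
        if (!header.replaceAll("\\s", "").contains("\"alg\":\"RS256\"")) return false;
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] sig = Base64.getUrlDecoder().decode(parts[2]);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signingInput);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: replace with the real trust store, its password and the configured alias.
        PublicKey key = loadVerifyKey("/path/to/trust.p12", "changeit".toCharArray(), "opSigningCert");
        System.out.println(verifyRs256(args[0], key) ? "signature valid" : "signature INVALID");
    }
}
```

    Signature validity alone does not make the token acceptable; issuer, audience and expiry claims still need their own checks after the signature passes.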

Temporary fix

Comments

APAR Information

  • APAR number

    PI59831

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-28

  • Closed date

    2016-04-26

  • Last modified date

    2016-07-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

Document Information

Modified date:
28 April 2022