IBM Support

PI80721: WEBSPHERE DEFAULT CHAINED CERTIFICATE DOESN'T HAVE DNS NAMES UNDER SUBJECT ALTERNATIVE NAME FIELD

Fixes are available

9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Chrome now requires certificates to have the DNS names listed
    in the Subject Alternative Name field and ignores DNS entries
    in Subject field of a certificate
    
    Chrome requires a DNS SAN to be set to the hostname of the
    server in the request
    
    Our Websphere default chained certificate that are being
    generated do not have a DNS under  Subject Alternative Name
    entry.
    
    Note that RFC 2818 has deprecated the use of hostname matching
    via the CN entry of the subject and encouraging all CAs to use
    Subject
    Alternative Naming:
    
       If a subjectAltName extension of type dNSName is present,
    that MUST be used as the identity. Otherwise, the (most
    specific) Common Name field in the Subject field of the
    certificate MUST be used. Although    the use of the Common
    Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName
    instead.
    

Local fix

  • create a self singed certificate with DNS under SAN
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  And users of Google Chrome Browser          *
    ****************************************************************
    * PROBLEM DESCRIPTION: After upgrading to Chrome Build 58 I    *
    *                      get a                                   *
    *                      security error saying that my           *
    *                      certificate                             *
    *                      is not valid due to missing Subject     *
    *                      Alternate Name (SAN)                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    After upgrading to Chrome Build 58 I get a security error saying
    that my certificate is not valid due to missing Subject
    Alternate
    Name (SAN)
    

Problem conclusion

  • The code was reviewed and updated and a new custom property was
    introduce "com.ibm.websphere.security.addSANToSSLCertificate" th
    when enabled, all certificates created afterwards will include t
    following default SAN values:
    
    Email: "user@domain"
    Domain Name: <Certificate_Subject_DN_Name>
    URL: http:// <Certificate_Subject_DN_Name>
    IP Address: 127.0.0.1
    URL: http:// <Certificate_Subject_DN_Name>
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.13, 9.0.0.6.  Please refer to the Recommended
    Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI80721

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-04-27

  • Closed date

    2017-10-02

  • Last modified date

    2017-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022