IBM Support

PI95884: JAX-WS WS-SECURITY CANNOT USE SHA384 OR SHA512 DIGEST ALGORITHMS


 

APAR status

  • Closed as program error.

Error description

  • JAX-WS WS-Security needs to be updated to support the SHA384
    and SHA512 digest algorithms.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS web services     *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-WS WS-Security cannot process       *
    *                      sha384 or sha512 digests                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The JAX-WS WS-Security runtime uses the digest algorithms
    that correspond to the algorithm suites that are configurable
    in the WS-Security policy.
    There are 16 algorithm suites available to use:
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/uwbs_wsspsal.html
    Each of the suites uses either the sha1 or sha256 digest
    algorithm.  It is not possible to configure an application to
    emit or consume a digest with the sha384 or sha512 algorithm.
    Since there are use cases that require either the sha384 or
    sha512 digest algorithm, a method should be added to configure
    the digest algorithm.
    

Problem conclusion

  • The JAX-WS WS-Security runtime is updated so that the Digest
    algorithm can be customized in the bindings to be different
    than what is set by the algorithm suite in the WS-Security
    policy.
    
    The following WS-Security custom property is added:
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm
    
    The following values are available:
    
    sha1 for http://www.w3.org/2000/09/xmldsig#sha1
    sha256 for http://www.w3.org/2001/04/xmlenc#sha256
    sha384 for http://www.w3.org/2001/04/xmlenc#sha384
    sha512 for http://www.w3.org/2001/04/xmlenc#sha512
    
    You can configure the
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm custom property
    from either the outbound signing information or inbound
    signing information.  To configure
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm, complete the
    following steps in the admin console:
    
    * Click Services > Service clients or Service providers
    * Click the service_name > binding_name
    * Click WS-Security >  Authentication and protection
    * Under either Request message signature and encryption
    protection or Response message signature and encryption
    protection, click the signature_message_part_reference.
    * Add or update the com.ibm.ws.wssecurity.dsig.DigestAlgorithm
    custom property with one of the values shown above.
    * Click OK
    * Save
    
    You can specify either the short name of the digest algorithm,
    such as sha512, or the full name, such as
    http://www.w3.org/2001/04/xmlenc#sha512.
    However, if you use a full name, it still must be one of the
    four supported algorithms listed above.
    
    The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom
    property is also updated so that it can take the full
    name of its supported algorithms.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.15 and 9.0.0.9.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
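
One way to confirm that the com.ibm.ws.wssecurity.dsig.DigestAlgorithm setting took effect is to inspect the ds:DigestMethod of every ds:Reference in a captured signed message. The following Python is an added example, not IBM code; the function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Short name -> full name, exactly the four values listed in this APAR.
DIGESTS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384": "http://www.w3.org/2001/04/xmlenc#sha384",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

def resolve(value):
    """Accept a short or full name; reject anything outside the four supported."""
    if value in DIGESTS:
        return DIGESTS[value]
    if value in DIGESTS.values():
        return value
    raise ValueError("unsupported digest algorithm: " + value)

def check_digests(soap_xml, configured):
    """Return (reference URI, digest URI, matches) for each ds:Reference."""
    expected = resolve(configured)
    results = []
    for ref in ET.fromstring(soap_xml).iter(DS + "Reference"):
        method = ref.find(DS + "DigestMethod")
        found = method.get("Algorithm") if method is not None else None
        results.append((ref.get("URI"), found, found == expected))
    return results

# Constructed sample: a trimmed signed envelope with two signed parts,
# one of which still carries a suite default digest (sha256).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#body-1">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
  </ds:Reference>
  <ds:Reference URI="#timestamp-1">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference>
 </ds:SignedInfo></ds:Signature></soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for uri, alg, ok in check_digests(SAMPLE, "sha512"):
        print("OK      " if ok else "MISMATCH", uri, alg)
```

Because the property is set on each signature message part reference, run the check against a captured message for each direction (request and response) that you configured.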
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI95884

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-28

  • Closed date

    2018-06-08

  • Last modified date

    2018-06-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
02 November 2021