Fixes are available
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for IBM i
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for AIX
7.0.0.3: Java SDK 1.6 SR4 Cumulative Fix for WebSphere Application Server
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Windows
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Solaris
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for HP-UX
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Linux
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Linux
7.0.0.1: WebSphere Application Server V7.0 Fix Pack 1 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for AIX
7.0.0.3: WebSphere Application Server V7.0 Fix Pack 3 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for IBM i
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Windows
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for HP-UX
7.0.0.5: Java SDK 1.6 SR5 Cumulative Fix for WebSphere Application Server
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Solaris
7.0.0.5: WebSphere Application Server V7.0 Fix Pack 5 for Linux
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for IBM i
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for AIX
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Windows
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for HP-UX
7.0.0.7: Java SDK 1.6 SR6 Cumulative Fix for WebSphere Application Server
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Solaris
7.0.0.7: WebSphere Application Server V7.0 Fix Pack 7 for Linux
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for IBM i
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Windows
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for AIX
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for HP-UX
7.0.0.9: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Solaris
7.0.0.9: WebSphere Application Server V7.0 Fix Pack 9 for Linux
PM06566; 6.1.0.29: The WS-Security runtime is experiencing processing problems w
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for IBM i
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windows
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UX
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIX
7.0.0.11: Java SDK 1.6 SR7 Cumulative Fix for WebSphere Application Server
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Solaris
7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.1: Java SDK 1.6 SR3 Cumulative Fix for WebSphere Application Server
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
OASIS Web Services Security (WSS) specifies faultstrings and faultcodes to be used for specific security errors, but it does not require implementations to use them. It even goes so far as to say that implementations may elect not to return errors at all, because the implementation may decide that returning a security error reveals too much information about the security framework to the consumer.

Consider the WebSphere generated faults attached below. They are raised by WebSphere JAX-RPC and JAX-WS services. Suppose a service provider uses WebSphere JAX-RPC and then upgrades to WebSphere JAX-WS. The consumers of that service provider might be correctly checking the faultcode to determine if a security error occurred and taking specific action on that faultcode. But when the service provider upgrades to WebSphere JAX-WS, the service provider will then return a different faultcode and faultstring for the same security errors. This is effectively a contract change, which should not happen with an implementation upgrade, and the client code will no longer operate as before.

WebSphere 6.1 (JAX-RPC) - FailedAuthentication
===============
...
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <faultcode xmlns:p55="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">p55:FailedAuthentication</faultcode>
  <faultstring>com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC6521E: Login failed. The exception is : javax.security.auth.login.LoginException: WSEC6690E: Failed to check username [cn=websphee,ou=people,o=ibm,c=us] and password in the UserRegsitry: UserRegistryProcessor.checkRegistry()=false </faultstring>
...

WebSphere 6.1 (JAX-WS) - Server.securityException
=======
...
<soapenv:Fault xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">
  <faultcode>axis2ns2:Server.securityException</faultcode>
  <faultstring>CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS7062E: Failed to check username [cn=websphee,ou=people,o=ibm,c=us] and password in the UserRegsitry: WSSUserRegistryProcessor.checkRegistry()=false</faultstring>
...
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of        *
*                 WS-Security enabled JAX-WS service providers *
****************************************************************
* PROBLEM DESCRIPTION: WS-Security for JAX-WS applications     *
*                      is returning non-standard fault codes   *
****************************************************************
* RECOMMENDATION: Install a fixpack containing this APAR       *
****************************************************************

WS-Security for JAX-WS applications is returning fault codes that don't conform to the OASIS Web Services Security (WSS) specification. This presents a problem when a service provider was originally implemented in JAX-RPC, then migrated to JAX-WS. Client applications may be relying on the WSS standard fault codes that were being returned by the JAX-RPC WS-Security runtime, but they are not being returned by the JAX-WS WS-Security runtime.

For instance, a
<faultcode>axis2ns2:Server.securityException</faultcode>
fault code may be returned instead of a
<faultcode>{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}FailedAuthentication</faultcode>
fault code.
Problem conclusion
The JAX-WS WS-Security runtime was updated to return OASIS Web Services Security standard fault codes.

The WebSphere Application Server version 7 code was updated to always return the standard WSS fault codes.

The WebSphere Application Server version 6.1 Feature Pack for Web Services code was updated to only return WSS standard fault codes when the following WS-Security custom property is set:

com.ibm.wsspi.wssecurity.login.useStandardFaultCodes=true

The property can be set to true or false. The default value is false.

In the WS-Security bindings, this property can be set on the Custom Properties page. You can find the Custom Properties page in the custom bindings for an application or in the WS-Security default binding as follows:

Services->Policy sets->Default policy set bindings->WS-Security->Custom properties

This property can be set in the "Inbound Custom Properties" or the "Inbound and Outbound Custom Properties".

The fix for this APAR is currently targeted for inclusion in fixpack 6.1.0.23 and 7.0.0.1. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
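
A consumer that has to work against both patched and unpatched providers can resolve the faultcode QName to its namespace instead of comparing prefixes, and still recognize the pre-fix JAX-WS code. The following is an added example, not IBM code; the function names, result labels and sample envelopes are constructed for illustration from the two faults shown in the error description.

```python
import io
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
LEGACY = (SOAP11, "Server.securityException")  # pre-fix JAX-WS code from the page

def fault_qname(xml_text):
    """Return (namespace URI, local name) of the SOAP 1.1 faultcode, or None."""
    scopes, pending = [{}], {}
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                          events=("start-ns", "start", "end"))
    for event, data in events:
        if event == "start-ns":            # declarations precede their element
            pending[data[0]] = data[1]
        elif event == "start":
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:
            in_scope = scopes.pop()        # prefixes visible inside this element
            if data.tag.rpartition("}")[2] == "faultcode":
                prefix, _, local = (data.text or "").strip().rpartition(":")
                return in_scope.get(prefix, ""), local
    return None

def classify(xml_text):
    """Map a fault to 'auth-failed', 'security-other', 'legacy-security' or 'other'."""
    qname = fault_qname(xml_text)
    if qname is None:
        return "other"
    if qname == (WSSE, "FailedAuthentication"):
        return "auth-failed"
    if qname[0] == WSSE:
        return "security-other"
    return "legacy-security" if qname == LEGACY else "other"

def _envelope(fault_attrs, code):          # builds constructed sample messages
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
            '<soapenv:Fault %s><faultcode>%s</faultcode>'
            '<faultstring>constructed sample</faultstring>'
            '</soapenv:Fault></soapenv:Body></soapenv:Envelope>'
            % (SOAP11, fault_attrs, code))

JAXRPC_FAULT = _envelope('xmlns:p55="%s"' % WSSE, "p55:FailedAuthentication")
JAXWS_FAULT = _envelope('xmlns:axis2ns2="%s"' % SOAP11,
                        "axis2ns2:Server.securityException")
RENAMED_PREFIX = _envelope('xmlns:wsse="%s"' % WSSE, "wsse:FailedAuthentication")
```

Matching on the resolved namespace means a generated prefix such as p55 can change between releases without affecting the client, while the legacy branch keeps the security-specific handling working until the provider is patched or the custom property is enabled.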
Temporary fix
Comments
APAR Information
APAR number
PK72440
Reported component name
WEBSERVIC FEATU
Reported component ID
5724J0850
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-09-18
Closed date
2008-11-17
Last modified date
2008-11-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSERVIC FEATU
Fixed component ID
5724J0850
Applicable component levels
R610 PSY
UP
Document Information
Modified date:
23 October 2021