PK84629: WS-SECURITY BLIND TRUST CONFIGURATION RESULTS IN AN ERROR

Fixes are available

APAR status

Closed as program error.

Error description

When a WS-Security enabled JAX-WS service provider is
configured for blind trust, all service requests to the
provider are rejected with the following error in the SOAP
response:

CWWSS7283E: The caller
[com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig$CallerConf
Impl(jaasConfig=[system.wss.caller],
jaasConfigProperties=[{}], callbackHandler=[null],
useIdentityAssertion=[false], trustAnyTrustedIdentity=[true],
callerIdentity=[http://docs.oasis-open.org/wss/2004/01/oasis-200
401-wss-username-token-profile-1.0#UsernameToken],
trustedIdentity=[null], requiredSigningPartReference=[null],
order=[1])] does not have a matching protection or supporting
token in the policy.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
*                  of WS-Security enabled JAX-WS web services  *
****************************************************************
* PROBLEM DESCRIPTION: When a WS-Security enabled JAX-WS web   *
*                      service is configured for blind         *
*                      trust, all service requests are         *
*                      rejected.                               *
****************************************************************
* RECOMMENDATION:  Apply a fix pack that contains this APAR.   *
****************************************************************
When a WS-Security enabled JAX-WS service provider is
configured for blind trust, the provider's policy set is not
loaded properly and all service requests to the provider
are rejected.

The following statement can be found in trace.log:

  Unable to process inbound SOAP message.  PolicySet not
loaded properly.

A message similar to the following can be found in trace.log
or an FFDC log:

CWWSS7283E: The caller
[com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig$CallerConf
Impl(jaasConfig=[system.wss.caller],
jaasConfigProperties=[{}], callbackHandler=[null],
useIdentityAssertion=[false], trustAnyTrustedIdentity=[true],
callerIdentity=[http://docs.oasis-open.org/wss/2004/01/oasis-200
401-wss-username-token-profile-1.0#UsernameToken],
trustedIdentity=[null], requiredSigningPartReference=[null],
order=[1])] does not have a matching protection or supporting
token in the policy.
  at
com.ibm.wsspi.wssecurity.core.SoapSecurityException.format
(SoapSecurityException.java:77)
  at
com.ibm.ws.wssecurity.handler.PolicyInboundConfig.init
(PolicyInboundConfig.java:3093)
  at
com.ibm.ws.wssecurity.handler.PolicyInboundConfig.<init>
(PolicyInboundConfig.java:235)
  at
com.ibm.ws.wssecurity.handler.WSSecurityBindingLoaderImpl.
loadCustom(WSSecurityBindingLoaderImpl.java:375)
  at
com.ibm.ws.policyset.runtime.BindingAggregator.getCustomBinding
(BindingAggregator.java:334)

The CWWSS7283E message will be returned in the SOAP response
to the consumer application.

A WS-Security blind trust binding configuration for a service
provider consists of a UsernameToken consumer with the
com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed=true
property specified on the callback handler.  A caller config
would exist for the UsernameToken that has 'User identity
assertion' checked, but no 'Trusted identity local part' or
'Trusted identity namespace URI' indicated.

With this configuration, the WS-Security runtime should accept
UsernameTokens that do not include a password; no associated
trust token is required as would be in a 'normal' identity
assertion scenario.  The runtime will validate that the
Username in the UsernameToken exists in the user registry and
obtain the corresponding WebSphere credentials for it.  If the
Username in the UsernameToken does not exist in the user
registry, an LoginException should occur.

Problem conclusion

The WS-Security policy set validator was updated to recognize
the blind trust configuration.  A CWWSS7283E error will no
longer occur when blind trust is configured.

The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.5.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK84629
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-04-14
Closed date
2009-06-24
Last modified date
2009-06-24

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021

Tips

PK84629: WS-SECURITY BLIND TRUST CONFIGURATION RESULTS IN AN ERROR

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?