Fixes are available
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for AIX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for HP-UX
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for IBM i
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Linux
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Solaris
7.0.0.13: WebSphere Application Server V7.0 Fix Pack 13 for Windows
7.0.0.13: Java SDK 1.6 SR8FP1 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
An application is deployed to WebSphere secured by SSL. For example, web.xml contains: <transport-guarantee>CONFIDENTIAL</transport-guarantee> The application server virtual hosts contains more than one port that is an SSL port. An example may look like: Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 * 5061 (SSL port - SIP_DEFAULTHOST_SECURE) Attempting to invoke the webcontainer non-SSL port 9080 for the application should redirect to the webconatier SSL port 9443 for the application. Working scenario with the example above would cause URL http://hostname:9080/ContextRootWAR/index.html to redirect to: https://hostname:9443/ContextRootWAR/index.html However, the webcontainer non-SSL port 9080 is redirected to a different SSL port 5061 listed in the virtual host alias. A failing scenario with the example above would cause URL http://hostname:9080/ContextRootWAR/index.html to redirect to: https://hostname:5061/ContextRootWAR/index.html causing a failure to load the SSL protected page. Enabling the trace: com.ibm.ws.security.web.*=all prior to invoking the non-SSL URL and searching on the following tracepoints can be used to determine port that is being redirected to. Trace would look like: ----- Trace: 2010/03/10 20:40:40.816 01 t=8CA108 c=UNK key=P8 (13007002) ThreadId: 0000002b FunctionName: Found HTTPS port 5061 in virtual host default_host SourceId: com.ibm.ws.security.web.WebCollaborator Category: FINER ExtendedMessage: Exit Trace: 2010/03/10 20:40:40.817 01 t=8CA108 c=UNK key=P8 (13007002) ThreadId: 0000002b FunctionName: com.ibm.ws.security.web.WebCollaborator SourceId: com.ibm.ws.security.web.WebCollaborator Category: FINEST ExtendedMessage: Redirected to https://host:5061/ContextRootWAR/index.html -------
Local fix
If other SSL ports are not being used in the virtual hosts, specify only one SSL port in the virtual hosts which is the web container SSL port. For example, port 9443 is the only SSL port in tihs example: ---- Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 -----
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server V6.1.0 * **************************************************************** * PROBLEM DESCRIPTION: For WebSphere Application Server, * * accessing an SSL protected Web * * resource through the non-SSL port * * does not redirect the request using * * the HTTPS port. * **************************************************************** * RECOMMENDATION: * **************************************************************** For WebSphere Application Server, when the transport chain associated with the "WC_defaulthost_secure" port is removed and then added again, an SSL protected resource is not redirected using the SSL port. The first transport chain that contains an SSL channel and that is also in the same virtual host as the non-SSL port is used instead. For example, for the default_host virtual host, Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 * 5061 (SSL port - SIP_DEFAULTHOST_SECURE) the SSL port used is 5061 instead of the expected 9443 when redirecting URLs with the non-SSL port 9080.
Problem conclusion
The security code was modified to correctly use HTTPS ports belonging to the Web Container when determining the SSL port to use for redirecting the HTTP request. APAR PM11135 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.35 of WebSphere Application Server V6.1 Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM11135
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-03-30
Closed date
2010-07-27
Last modified date
2011-01-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R610 PSY UK62676
UP10/12/17 P F012
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
25 October 2021