Fixes are available
PM12971; 6.1.0.35: jax-rpc ws-security str-transform processing is incorrect
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
The JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform. The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute.
Local fix
No work around noted at this time.
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server V6.1 and    *
*                 V7.0 users of WS-Security enabled JAX-RPC    *
*                 web services applications and digital        *
*                 signature                                    *
****************************************************************
* PROBLEM DESCRIPTION: JAX-RPC WS-Security runtime cannot      *
*                      properly generate or consume signed     *
*                      security tokens that are signed with    *
*                      STR-Transform                           *
****************************************************************
* RECOMMENDATION: Install a fix pack that includes this APAR.  *
****************************************************************
The JAX-RPC WS-Security 1.0 runtime cannot properly generate or consume a security token that is referenced with a SecurityTokenReference that is signed with the STR Dereference Transform reference option.

The STR-Transform Transform algorithm will be specified in the Reference in the Signature element when the STR Dereference Transform reference option is being used. The Reference element will point to the SecurityTokenReference for the security token that is to be signed. The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute, or any security token that does not appear in the message.

When the JAX-RPC runtime is configured to sign a security token using STR-Transform, the runtime will add a wsu:Id attribute directly to the security token and not add the required wsse:SecurityTokenReference element. This is not acceptable for tokens that do not allow the wsu:Id attribute, such as SAML tokens.

When the JAX-RPC runtime receives a wsse:SecurityTokenReference element that is outside of the Signature element in the SOAP security header, which is required for a security token that is signed with STR-Transform, an error like the following will occur:
WSEC5503E: Unknown element wsse:SecurityTokenReference in the wsse:Security element.

The STR-Transform transform algorithm is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
The wsse:SecurityTokenReference element is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference
The wsu:Id attribute is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id
Problem conclusion
The JAX-RPC WS-Security 1.0 runtime is updated to properly generate and consume security tokens that are signed using STR-Transform under the following conditions:
* The security token can be referenced by a Reference element within a wsse:SecurityTokenReference element
-or-
* The token is a SAML 1.1 or SAML 2.0 Assertion that can be referenced by a KeyIdentifier element in the wsse:SecurityTokenReference element.

Any token that must be referred to with a KeyIdentifier that is not a SAML 1.1 or 2.0 Assertion is not supported. This includes tokens that do not appear in the message. For the purposes of this APAR, the UsernameToken, X.509, and LTPA tokens were those tested for wsse:SecurityTokenReference/Reference.

The SAML 1.1 Assertion is:
{urn:oasis:names:tc:SAML:1.0:assertion}Assertion
The SAML 2.0 Assertion is:
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion

This APAR only applies to the JAX-RPC WS-Security 1.0 runtime. The JAX-RPC Draft 13 runtime was not updated.

The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.37 and 7.0.0.17. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
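The following added example (not IBM's code or part of the APAR) classifies each ds:Reference that uses STR-Transform in a wsse:Security header against the shapes described above: a Reference that resolves to a wsse:SecurityTokenReference holding wsse:Reference or a SAML KeyIdentifier is the supported form, while a Reference that resolves to a wsu:Id placed directly on the token is the pre-fix behaviour. The header, token IDs and verdict names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_ASSERTIONS = {"{urn:oasis:names:tc:SAML:1.0:assertion}Assertion", "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"}
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample: a SAML 2.0 Assertion (no wsu:Id), a UsernameToken, an STR outside the
# Signature that names the assertion via KeyIdentifier, and a Reference to that STR using STR-Transform.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  <saml2:Assertion ID="_a1" Version="2.0"><saml2:Issuer>idp.example</saml2:Issuer></saml2:Assertion>
  <wsse:SecurityTokenReference wsu:Id="STR-1">
    <wsse:KeyIdentifier>_a1</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#STR-1"><ds:Transforms>
      <ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>"""

def classify_str_transform_references(security_xml):
    """One verdict per ds:Reference that applies STR-Transform (verdict names are ours):
      'str-reference'     URI -> wsse:SecurityTokenReference holding a wsse:Reference (supported)
      'str-saml-keyid'    URI -> STR whose KeyIdentifier names a SAML 1.1/2.0 Assertion in the header (supported)
      'unsupported-keyid' STR uses KeyIdentifier for a non-SAML or absent token (not supported by the fix)
      'wsu-id-on-token'   URI -> the token itself, i.e. the pre-fix behaviour the APAR describes
      'dangling'          URI matches no wsu:Id in the header"""
    root = ET.fromstring(security_xml)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID) is not None}
    # SAML 2.0 assertions carry an ID attribute, SAML 1.1 assertions an AssertionID attribute.
    saml_ids = {el.get("ID") or el.get("AssertionID") for el in root.iter() if el.tag in SAML_ASSERTIONS}
    verdicts = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        if not any(t.get("Algorithm") == STR_TRANSFORM for t in ref.iter(f"{{{DS}}}Transform")):
            continue  # an ordinary reference, not STR-Transform
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None:
            verdicts.append("dangling")
        elif target.tag != f"{{{WSSE}}}SecurityTokenReference":
            verdicts.append("wsu-id-on-token")
        elif target.find(f"{{{WSSE}}}Reference") is not None:
            verdicts.append("str-reference")
        else:  # KeyIdentifier is supported only when it names a SAML 1.1/2.0 Assertion present in the header
            keyid = target.findtext(f"{{{WSSE}}}KeyIdentifier", default="").strip()
            verdicts.append("str-saml-keyid" if keyid in saml_ids else "unsupported-keyid")
    return verdicts
```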
Temporary fix
Comments
APAR Information
APAR number
PM12971
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
60Z
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-04-23
Closed date
2010-12-07
Last modified date
2010-12-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP
Document Information
Modified date:
24 October 2021