PM12971: JAX-RPC WS-SECURITY STR-TRANSFORM PROCESSING IS INCORRECT

Fixes are available

APAR status

Closed as program error.

Error description

The JAX-RPC WS-Security runtime cannot properly generate or
consume signed security tokens that are signed with
STR-Transform.

The STR-Transform process must be used in order to sign custom
security tokens that do not contain the wsu:Id attribute.

Local fix

```
No work around noted at this time.
```

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server V6.1 and   *
*                  V7.0 users of WS-Security enabled JAX-RPC   *
*                  web services applications and digital       *
*                  signature                                   *
****************************************************************
* PROBLEM DESCRIPTION: JAX-RPC WS-Security runtime cannot      *
*                      properly generate or consume signed     *
*                      security tokens that are signed with    *
*                      STR-Transform                           *
****************************************************************
* RECOMMENDATION:  Install a fix pack that includes this APAR. *
****************************************************************
The JAX-RPC WS-Security 1.0 runtime cannot properly generate or
consume a security token that is referenced with a
SecurityTokenReference that is signed with the STR Dereference
Transform reference option.

The STR-Transform Transform algorithm will be specified in the
Reference in the Signature element when the STR Dereference
Transform reference option is being used.  The Reference
element will point to the SecurityTokenReference for the
security token that is to be signed.

The STR-Transform process must be used in order to sign custom
security tokens that do not contain the wsu:Id attribute, or
any security token that does not appear in the message.

When the JAX-RPC runtime is configured to sign a security
token using STR-Transform, the runtime will add a wsu:Id
attribute directly to the security token and not add the
required wsse:SecurityTokenReference element.  This is not
acceptable for tokens that do not allow the wsu:Id attribute,
such as SAML tokens.

When the JAX-RPC runtime receives a
wsse:SecurityTokenReference element that is outside of the
Signature element in the SOAP security header, which is
required for a security token that is signed with
STR-Transform, an error like the following will occur:

WSEC5503E: Unknown element wsse:SecurityTokenReference in the
wsse:Security element.

The STR-Transform transform algorithm is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-mes
sage-security-1.0#STR-Transform

The wsse:SecurityTokenReference element is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur
ity-secext-1.0.xsd}SecurityTokenReference

The wsu:Id attribute is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur
ity-utility-1.0.xsd}Id

Problem conclusion

The JAX-RPC WS-Security 1.0 runtime is updated to properly
generate and consume security tokens that are signed using
STR-Transform in the following conditions:

* The security token can be referenced by a Reference element
within a wsse:SecurityTokenReference element
-or-
* The token is a SAML 1.1 or SAML 2.0 Assertion that can be
referenced by a KeyIdentifier element in the
wsse:SecurityTokenReference element.

Any token that must be referred to with a KeyIdentifier that
is not a SAML 1.1 or 2.0 Assertion is not supported.  This
includes tokens that do not appear in the message.

For the purposes of this APAR, the UsernameToken, X.509,
and LTPA tokens were those tested for
wsse:SecurityTokenReference/Reference.

The SAML 1.1 Assertion is:
{urn:oasis:names:tc:SAML:1.0:assertion}Assertion

The SAML 2.0 Assertion is:
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion

This APAR only applies to the JAX-RPC WS-Security 1.0 runtime.
The JAX-RPC Draft 13 runtime was not updated.

The fix for this APAR is currently targeted for inclusion in
fix packs 6.1.0.37 and 7.0.0.17.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PM12971
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
60Z
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-04-23
Closed date
2010-12-07
Last modified date
2010-12-07

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021

Tips

PM12971: JAX-RPC WS-SECURITY STR-TRANSFORM PROCESSING IS INCORRECT

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

R700 PSY

Document Information

Share your feedback

Need support?