IBM Support

PM25277: CIPHER SETTINGS NOT POSTED IN WAS.ENV FROM COM_IBM_DAEMON_CLAIMSECURITYCIPHERSUITELIST

Fixes are available

7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
8.0.0.1: WebSphere Application Server V8.0 Fix Pack 1
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
8.0.0.2: WebSphere Application Server V8.0 Fix Pack 2
8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • 1. The cipher list selected at panel "SSL certificate and key
management > SSL configurations > WAS00Manager/DefaultIIOPSSL
> Quality of protection (QoP) settings" is saved to XML only,
It must also be set to property
com_ibm_DAEMON_claimSecurityCipherSuiteList
using a list of SSSL's 2-character values and placed in
was.env.


2. The native code must be modified to set the cipher suite list
using com_ibm_DAEMON_claimSecurityCipherSuiteList.


3. Native code changes are needed to safely recreate the SSSL
sockets if "Dynamically update the run time when SSL
configuration changes occur " is selected.

When items 1 and 2 are fixed, this is automatic for
new sockets.
Old sockets might just need to be closed so that the clients
reconnect and new sockets are created according to the updated
socket attributes.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V7.0                                 *
****************************************************************
* PROBLEM DESCRIPTION: Changes to SSSL setting may not         *
*                      take effect in the Daemon.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server 6.1 and 7.0 did not have the
capability to change the SSSL security level setting to
something other than default value.

When a user changed the setting it was written to
security.xml, but did not take effect in Z Daemon.

    



Problem conclusion


    

  • The code was changed to allow the default SSSL security level
to be changed to a value other than LOW. The value can be
changed through the Administration console or wsadmin.

Users should be aware of SSSL behavior. SSSL is used for orb
related communication. Therefore, when a client makes an RMI
call to server on an lpar, it must first talk to the Daemon.
The Daemon will return to the calling client the orb handle to
the requested server.

This means that the client and Daemon must use the same
security level. Because of this, this means that the client,
Daemon, and server must all use the same security level in
order for this communication to take place.

APAR PM25277 is currently targeted for inclusion in Service
Level (Fix Pack) 7.0.0.19 of WebSphere Application Server V7.0.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PM25277
    • 

  • Reported component name
    WEBSPHERE FOR Z
    • 

  • Reported component ID
    5655I3500
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2010-10-26
    • 

  • Closed date
    2011-04-12
    • 

  • Last modified date
    2011-10-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PM42425
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE FOR Z
    • 

  • Fixed component ID
    5655I3500
    • 



Applicable component levels


    

  • R700  PSY  UK71280
       UP11/09/10  P  F109
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            24 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback