Fixes are available
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When a SAML token that contains an issuer signature is received by WS-Security, the following error may occur if the issuer's certificate is not contained in the trust store: javax.security.auth.login.LoginException: PKIXCertPathBuilderImpl could not build a valid CertPath.: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (ST=xxx, L=xxx, SERIALNUMBER=xxx, CN=xxx, OU=xxx, O=xxx, C=xxx) could not be determined.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server V7.0 users  *
*                 of WS-Security enabled JAX-WS applications   *
*                 and SAML                                     *
****************************************************************
* PROBLEM DESCRIPTION: If the issuer's certificate is not in   *
*                      the truststore, an error may            *
*                      occur when WS-Security receives a       *
*                      SAML sender-vouches token               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a SAML sender-vouches token is received by WS-Security, if the issuer's certificate carried in the SAML token is not in the trust store, the following CertPathValidatorException may occur:

javax.security.auth.login.LoginException: PKIXCertPathBuilderImpl could not build a valid CertPath.: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (ST=xxx, L=xxx, SERIALNUMBER=xxx, CN=xxx, OU=xxx, O=xxx, C=xxx) could not be determined.

This error will not occur if either of the following properties is set as indicated:

signatureRequired=false
trustAnySigner=true

Note that both settings avoid the error only by relaxing the check on the SAML issuer signature (the first no longer requires the signature, the second accepts any signer's certificate), so they are workarounds and not a substitute for the fix.
Problem conclusion
When the WS-Security runtime invokes Java Security to validate the issuer's X.509 certificate contained in the SAML sender-vouches token, the 'revocation enabled' flag is not turned off. Since no certificate revocation information (CRL or OCSP data) is provided to Java Security for the validation, the PKIX validator cannot determine the certificate's revocation status and the CertPathValidatorException occurs. The WS-Security runtime is updated to turn off the 'revocation enabled' flag before invoking Java Security to validate the issuer's X.509 certificate. With the flag off, the issuer certificate must still chain to a trust anchor in the trust store, but no revocation lookup is performed for it. The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.17. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
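The program below is an added example and not WebSphere's own code: it reproduces with the JDK's PKIX CertPathBuilder the validation the Problem conclusion describes, once with the 'revocation enabled' flag on (the behaviour before this APAR) and once with it off (the behaviour after). It assumes the issuer certificate from the SAML token's ds:KeyInfo has been saved as a PEM file and that the trust store is a JKS or PKCS12 file; the file names, password, keystore type and class name are placeholders chosen for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not WebSphere code). Checks whether the X.509 certificate
 * of a SAML issuer builds a valid PKIX path to the WS-Security trust store,
 * with revocation checking on (pre-APAR) and off (post-APAR).
 *
 * Usage: java SamlIssuerPathCheck issuer.pem trust.jks changeit [JKS|PKCS12]
 * (file names, password and keystore type are assumed placeholders)
 */
public class SamlIssuerPathCheck {

    /** Loads the issuer certificate exactly as it appears in the token's KeyInfo. */
    static X509Certificate loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Turns every certificate in the trust store into a PKIX trust anchor. */
    static Set<TrustAnchor> loadAnchors(String path, char[] pw, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /**
     * Builds a path from the issuer certificate to one of the anchors.
     * Throws CertPathBuilderException with the same PKIX cause WS-Security
     * surfaces ("revocation status ... could not be determined") when
     * revocationEnabled is true and no CRL/OCSP data is available.
     */
    static CertPath buildPath(X509Certificate issuerCert, Set<TrustAnchor> anchors,
                              boolean revocationEnabled) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(issuerCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // This flag is what the APAR changes: the fixed runtime sets it to
        // false because it supplies no revocation information to the validator.
        params.setRevocationEnabled(revocationEnabled);
        CertPathBuilderResult result = CertPathBuilder.getInstance("PKIX").build(params);
        return result.getCertPath();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate issuer = loadPem(args[0]);
        String type = args.length > 3 ? args[3] : KeyStore.getDefaultType();
        Set<TrustAnchor> anchors = loadAnchors(args[1], args[2].toCharArray(), type);
        for (boolean revocation : new boolean[] {true, false}) {
            try {
                CertPath path = buildPath(issuer, anchors, revocation);
                System.out.println("revocationEnabled=" + revocation
                        + ": OK, path length " + path.getCertificates().size());
            } catch (CertPathBuilderException e) {
                Throwable cause = e.getCause() != null ? e.getCause() : e;
                System.out.println("revocationEnabled=" + revocation + ": FAILED: " + cause);
            }
        }
    }
}
```

Three outcomes are worth comparing. If the issuer certificate itself is in the trust store, the builder finds it as an anchor and returns a zero-length path without performing a revocation lookup, which is why the page reports the error only when that certificate is absent. If only the issuer's CA is trusted, the builder has to validate the issuer certificate: with revocationEnabled=true and no CRL or OCSP source it fails exactly as in the Error description, and with revocationEnabled=false it succeeds, matching the fixed runtime. If neither the issuer certificate nor its CA is trusted, both runs fail, so the fix does not loosen the trust requirement, it only drops the revocation lookup.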
Temporary fix
Comments
APAR Information
APAR number
PM34128
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-03-04
Closed date
2011-03-29
Last modified date
2011-03-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
27 October 2021