IBM Support

PM34128: WEB SERVICES SECURITY ERROR MAY BE THROWN WHEN SAML TOKEN CONTAINS AN ISSUER'S CERTIFICATE NOT CONTAINED IN TRUSTSTORE

APAR status

  • Closed as program error.

Error description

  • When a SAML token that contains an issuer signature is
    received by WS-Security, the following error may occur if the
    issuer's certificate is not contained in the trust store:
    
    javax.security.auth.login.LoginException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.:
    java.security.cert.CertPathValidatorException: The revocation
    status of the certificate with subject (ST=xxx, L=xxx,
    SERIALNUMBER=xxx, CN=xxx, OU=xxx, O=xxx, C=xxx) could not be
    determined.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
    *                  of WS-Security enabled JAX-WS applications  *
    *                  and SAML                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: If the issuer's certificate is not in   *
    *                      the truststore, an error may            *
    *                      occur when WS-Security receives a       *
    *                      SAML sender-vouches token               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When a SAML sender-vouches token is received by WS-Security,
    if the issuer's certificate within the SAML token is not in
    the trust store, the following CertPathValidatorException
    error may occur:
    
    javax.security.auth.login.LoginException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.:
    java.security.cert.CertPathValidatorException: The revocation
    status of the certificate with subject (ST=xxx, L=xxx,
    SERIALNUMBER=xxx, CN=xxx, OU=xxx, O=xxx, C=xxx) could not be
    determined.
    
    This error will not occur if either of the following
    properties is set as indicated:
    
    signatureRequired=false
    trustAnySigner=true
    

Problem conclusion

  • When the WS-Security runtime invokes Java Security to validate
    the issuer's X.509 certificate contained in the SAML
    sender-vouches token, the 'revocation enabled' flag is not
    turned off.  Since no certificate revocation information is
    provided to Java Security for the validation, the
    CertPathValidatorException occurs.
    
    The WS-Security runtime is updated to turn off the 'revocation
    enabled' flag before invoking Java Security to validate the
    issuer's X.509 certificate.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.17.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
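    The mechanism described above, shown as an added example (this is not
    WebSphere or IBM code): the issuer's certificate is validated with the
    JDK's PKIX CertPathBuilder once with revocation checking on and once with
    it off. The trust store path, its password and the issuer certificate file
    are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

public class IssuerCertPathCheck {

    // Builds and validates a PKIX path from issuerCert up to a trust anchor in trustStore.
    // revocationEnabled mirrors the flag the APAR says the WS-Security runtime left on.
    static PKIXCertPathBuilderResult buildPath(X509Certificate issuerCert, KeyStore trustStore,
                                               boolean revocationEnabled)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(issuerCert); // the SAML issuer's cert is the end entity of the path
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(issuerCert))));
        // With revocation enabled and no CRL or OCSP data supplied, the builder cannot
        // determine the certificate's revocation status and the build fails.
        params.setRevocationEnabled(revocationEnabled);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = JKS trust store, args[1] = its password,
        // args[2] = DER or PEM file holding the SAML issuer's certificate.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate issuerCert;
        try (InputStream in = new FileInputStream(args[2])) {
            issuerCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Run the same validation twice to see the effect of the flag.
        for (boolean revocation : new boolean[] {true, false}) {
            try {
                PKIXCertPathBuilderResult r = buildPath(issuerCert, trustStore, revocation);
                System.out.println("revocationEnabled=" + revocation + ": path built, anchor = "
                        + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            } catch (CertPathBuilderException e) {
                System.out.println("revocationEnabled=" + revocation + ": failed: " + e.getMessage()
                        + (e.getCause() != null ? " (" + e.getCause() + ")" : ""));
            }
        }
    }
}
```

    With an issuer certificate that chains to a CA in the trust store but is
    not itself stored there, and no CRL or OCSP source configured, the first
    pass fails and the second succeeds, which is the behaviour the fix restores.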
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM34128

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-03-04

  • Closed date

    2011-03-29

  • Last modified date

    2011-03-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
27 October 2021