Fixes are available
8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
In WS-Security policy bindings, when more than one signing key information object associated with an X.509 token consumer is assigned to a single inbound signed message part, a 'Signature verification failed' error may occur.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 WS-Security enabled JAX-WS applications      *
****************************************************************
* PROBLEM DESCRIPTION: When more than one X.509 token          *
*                      consumer is assigned to a single        *
*                      signed message part, a CWWSS5620E       *
*                      error may occur.                        *
****************************************************************
* RECOMMENDATION: Install a fix pack that includes this        *
*                 APAR.                                        *
****************************************************************
In WS-Security policy bindings, when more than one signing key information object that is associated with an X.509 token consumer is assigned to a single inbound signed message part, a message similar to the following may occur:
CWWSS5620E: Signature verification failed: Core validity=false Signed info validity=false Signed info message='SignatureValue mismatched.' Ref[0](validity=true message='Ok.' uri='#wssecurity_signature_id_20' type='null').
This error will most likely occur when the X.509 token is not sent in the message, for instance when KEYID or X509IssuerSerial is being used.
Problem conclusion
The WS-Security runtime caches X.509 certificates. For X.509 tokens that are not carried in the message, the cache key is the KEYID or X509IssuerSerial string. When an X.509 token consumer gets a cache hit, it assumes that the certificate found belongs to that consumer. If the consumer is for a BinarySecurityToken that is in the message, this is harmless. However, if the consumer is for a certificate that has been configured on its callback handler, the token consumer may detect a cache hit for KEY1 while its callback handler is configured for KEY2. When this happens, although KEY1 was passed in the message, KEY2 will be used to verify the signature, and verification fails.

The X.509 token consumer in the WS-Security runtime is updated to ensure that a certificate retrieved from the cache is the one it has been configured with before the certificate is used. If the certificates do not match, processing continues as if no certificate had been retrieved from the cache.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.23 and 8.0.0.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
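The cache-hit defect and the corrected check, as an added Java model that is not WebSphere code: a java.security.PublicKey stands in for an X.509 certificate, the KEYID string is the cache key, and the class, enum and method names are invented for the illustration.

```java
import java.security.*;
import java.util.*;

// Added model of the PM53387 defect, not WebSphere code: PublicKey stands
// in for an X.509 certificate and the KEYID string is the cache key.
public class X509ConsumerCacheDemo {
    enum Result { NOT_MINE, VERIFIED, MISMATCH }
    static final Map<String, PublicKey> CERT_CACHE = new HashMap<>();

    static class Consumer {
        final PublicKey configured;  // certificate from the callback handler
        Consumer(PublicKey k) { configured = k; }
        // Defective behaviour: any cache hit for the KEYID is taken to mean
        // "this part is mine", and the consumer's own certificate is used.
        Result verifyBuggy(String keyId, byte[] data, byte[] sig) throws Exception {
            if (!CERT_CACHE.containsKey(keyId)) return Result.NOT_MINE;
            return check(configured, data, sig) ? Result.VERIFIED : Result.MISMATCH;
        }
        // Fixed behaviour: the cached certificate is used only if it equals
        // the configured one; otherwise act as if there were no cache hit.
        Result verifyFixed(String keyId, byte[] data, byte[] sig) throws Exception {
            PublicKey cached = CERT_CACHE.get(keyId);
            if (cached == null || !cached.equals(configured)) return Result.NOT_MINE;
            return check(configured, data, sig) ? Result.VERIFIED : Result.MISMATCH;
        }
    }

    static boolean check(PublicKey k, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(k);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair key1 = g.generateKeyPair(), key2 = g.generateKeyPair();
        byte[] part = "<Body>signed part</Body>".getBytes("UTF-8");   // constructed sample
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key1.getPrivate());
        s.update(part);
        byte[] sig = s.sign();                    // part signed with KEY1, referenced by KEYID only
        CERT_CACHE.put("KEY1", key1.getPublic()); // KEY1 cached from an earlier message
        Consumer forKey1 = new Consumer(key1.getPublic()), forKey2 = new Consumer(key2.getPublic());
        System.out.println("buggy, KEY2 consumer: " + forKey2.verifyBuggy("KEY1", part, sig));
        System.out.println("fixed, KEY2 consumer: " + forKey2.verifyFixed("KEY1", part, sig));
        System.out.println("fixed, KEY1 consumer: " + forKey1.verifyFixed("KEY1", part, sig));
    }
}
```

The defective path has the KEY2 consumer claim the part and verify it with KEY2, which is the CWWSS5620E mismatch; with the equality check, the KEY2 consumer declines and the KEY1 consumer verifies the signature.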
Temporary fix
Comments
APAR Information
APAR number
PM53387
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-12-01
Closed date
2012-01-26
Last modified date
2012-05-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
Document Information
Modified date:
28 October 2021