IBM Support

PM55700: ADMINCONSOLE DOES NOT SHOW RACF CERTIFICATE LABELS FOR CERTS OWNED BY USERIDS OTHER THAN THE DMGR USERID.


APAR status

  • Closed as program error.

Error description

  • After migrating a DMGR node and one APPSERVER node from zWAS
    6.1.0.37 to 8.0.0.1, the customer attempts to use the 8.0.0.1
    adminconsole to display his pre-existing JSSE SSL repertoires.
    He finds that he can no longer view or select any RACF
    Certificate Labels that belong to any of their nodeagents or
    appservers. The adminconsole is only showing the labels for
    RACF certificates connected to the dmgr task userid.
    
    Here's the Digital Ring info for the DMGR CR ID XXXXMGR
      Ring:
           >WASKeyring<
      Certificate Label Name     Cert Owner     USAGE     DEFAULT
      ------------------------   ------------   --------  -------
      XXXXMGR                    ID(XXXXMGR)    PERSONAL    YES
      SSL AAAA Site              SITE           PERSONAL    NO
      SSL WASYYY Site RACF       SITE           PERSONAL    NO
      SSL WASYYY Site - G5       SITE           PERSONAL    NO
      SSL AAAA Site G5           SITE           PERSONAL    NO
      (CERTAUTH certs omitted)
    .
    Digital ring information for user PPT5MGRS:
      Ring:
           >WASKeyring<
      Certificate Label Name     Cert Owner     USAGE     DEFAULT
      ------------------------   ------------   --------  -------
      XXXXMGRS                   ID(XXXXMGRS)   PERSONAL    YES
      SSL WASYYY Site            SITE           PERSONAL    NO
      (CERTAUTH certs omitted)
    .
    Digital ring information for user XXXXSR1:
       Ring:
           >WASKeyring<
      Certificate Label Name     Cert Owner     USAGE     DEFAULT
      ------------------------   ------------   --------  -------
      XXXXSR1                    ID(XXXXSR1)    PERSONAL    YES
      SSL WASYYY Site            SITE           PERSONAL    NO
      SSL TTTT Site              SITE           PERSONAL    NO
      SSL AAAA Site              SITE           PERSONAL    NO
      SSL WASYYY Site RACF       SITE           PERSONAL    NO
      SSL WASYYY Site - G5       SITE           PERSONAL    NO
      SSL AAAA Site G5           SITE           PERSONAL    NO
     (CERTAUTH certs omitted)
    .
    Digital ring information for user XXXXSR1S:
      Ring:
           >WASKeyring<
      Certificate Label Name     Cert Owner     USAGE     DEFAULT
      ------------------------   ------------   --------  -------
      XXXXSR1S WAS               ID(XXXXSR1S)   PERSONAL    NO
      SSL WASYYY Site RACF       SITE           PERSONAL    NO
      XXXXSR1S_YYY               ID(XXXXSR1S)   PERSONAL    YES
      LLLL TETRAHEDRON SITE      SITE           PERSONAL    NO
      (CERTAUTH certs omitted)
    .
    So in the WAS admin console, in the SSL repertoire that points to
    keyring WASKeyring, I can only see the following personal certs:
      XXXXMGR
      SSL AAAA Site
      SSL WASYYY Site RACF
      SSL WASYYY Site - G5
      SSL AAAA Site G5
      XXXXMGRS
      SSL WASYYY Site
    .
    The above list of cert labels is from XXXXMGR & XXXXMGRS.
    There are no personal certs listed from the XXXXSR1/XXXXSR1S
    AppServer userids.
    
    Under WAS 6.1 I could see the cert labels from all AppServer
    userids in addition to the dmgr userid cert labels.
    The other side effect of this is that the SSL repertoire doesn't
    show the actual cert label that I have specified in
    security.xml. It just shows the first (unselected) cert
    label it can see.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.0 and V8.5                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Administrative Console might not        *
    *                      display all of the certificates in      *
    *                      SAFKeyRing keystore.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the certificates in a SAFKeyring are listed, MBean calls
    are meant to be made to each server to collect all of the
    certificate information. Due to a code defect, only an MBean
    call to the Deployment Manager is made. As a result, the
    certificate from the Deployment Manager is the only
    certificate which is listed.
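
An added example, not IBM's code or part of the APAR: a check that compares the PERSONAL labels on every server's keyring with the labels the console lists, to confirm whether a cell shows this defect. The listing is constructed from the page's redacted RACDCERT output (user headers normalized, ring name and CERTAUTH rows dropped), and the function names are hypothetical.

```python
import re
# Constructed sample: the page's redacted keyring rows, reduced to a user
# header per ring plus its certificate rows.
LISTRING = """\
Digital ring information for user XXXXMGR:
  XXXXMGR                    ID(XXXXMGR)    PERSONAL    YES
  SSL AAAA Site              SITE           PERSONAL    NO
  SSL WASYYY Site RACF       SITE           PERSONAL    NO
  SSL WASYYY Site - G5       SITE           PERSONAL    NO
  SSL AAAA Site G5           SITE           PERSONAL    NO
Digital ring information for user XXXXMGRS:
  XXXXMGRS                   ID(XXXXMGRS)   PERSONAL    YES
  SSL WASYYY Site            SITE           PERSONAL    NO
Digital ring information for user XXXXSR1:
  XXXXSR1                    ID(XXXXSR1)    PERSONAL    YES
  SSL WASYYY Site            SITE           PERSONAL    NO
  SSL TTTT Site              SITE           PERSONAL    NO
  SSL AAAA Site              SITE           PERSONAL    NO
  SSL WASYYY Site RACF       SITE           PERSONAL    NO
  SSL WASYYY Site - G5       SITE           PERSONAL    NO
  SSL AAAA Site G5           SITE           PERSONAL    NO
Digital ring information for user XXXXSR1S:
  XXXXSR1S WAS               ID(XXXXSR1S)   PERSONAL    NO
  SSL WASYYY Site RACF       SITE           PERSONAL    NO
  XXXXSR1S_YYY               ID(XXXXSR1S)   PERSONAL    YES
  LLLL TETRAHEDRON SITE      SITE           PERSONAL    NO
"""
# Labels the console displayed, as listed in the error description.
CONSOLE = {"XXXXMGR", "SSL AAAA Site", "SSL WASYYY Site RACF",
           "SSL WASYYY Site - G5", "SSL AAAA Site G5", "XXXXMGRS",
           "SSL WASYYY Site"}
USER = re.compile(r"Digital ring information for user (\w+):")
ROW = re.compile(r"^\s*(.+?)\s{2,}(ID\(\w+\)|SITE|CERTAUTH)\s+(\w+)\s+(YES|NO)\s*$")

def personal_labels(listing):
    """Map each PERSONAL certificate label to the ring owners that hold it."""
    owners, user = {}, None
    for line in listing.splitlines():
        if m := USER.search(line):
            user = m.group(1)
        elif (m := ROW.match(line)) and m.group(3) == "PERSONAL":
            owners.setdefault(m.group(1), []).append(user)
    return owners

def missing_from_console(listing, console):
    """Labels connected to some ring but absent from the console's list."""
    return {l: u for l, u in personal_labels(listing).items() if l not in console}

for label, users in sorted(missing_from_console(LISTRING, CONSOLE).items()):
    print(f"{label!r} is only on the ring(s) of {', '.join(users)}")
```

On this data the SITE certificates that are also connected to a deployment manager ring still appear in the console; only labels unique to the application server rings go missing.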
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PM55700

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-01-11

  • Closed date

    2012-05-10

  • Last modified date

    2012-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP

Document Information

Modified date:
28 October 2021