Fixes are available
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
When Hardware Crypto is used with administrative authentication set to RSA (which is the default in Base Appserver environment only), administrative tasks such as app deployments fail. The log shows a message like this:

Trace: 2013/02/14 18:32:12.221 01 t=AAF108 c=UNK key=S2 (13007002)
  ThreadId: 0000001e
  FunctionName: com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
  SourceId: com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
  Category: SEVERE
  ExtendedMessage: BBOO0220E: JSAS0803E: The received admin RSA token failed validation. The exception message is: The signature of the rsa token was not verified.

The respective ffdc log entry is:

extracell_extranode_WebSphere_Portal_W64IP11_STC05256_0000068800000004_c380c38_13.02.14_18.32.11.9104745420026184471791.txt

[2/14/13 18:32:11:910 CET] FFDC Exception:javax.crypto.BadPaddingException SourceId:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesDecryptBytes ProbeId:919 Reporter:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken@1df11df1
javax.crypto.BadPaddingException: Given final block not properly padded
  at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
  at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
  at javax.crypto.Cipher.doFinal(Unknown Source)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesDecryptBytes(RSAPropagationToken.java:952)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.decryptAndVerifyRSAToken(RSAPropagationToken.java:719)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readRSAPropagationTokenV1Bytes(RSAPropagationToken.java:387)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readBytes(RSAPropagationToken.java:298)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.<init>(RSAPropagationToken.java:116)
  at com.ibm.ws.security.auth.rsatoken.RSAPropagationManager.validateRSAPropagationToken(RSAPropagationManager.java:296)
  at com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdminRSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.java:342)
  at com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdminRSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.java:246)
  at com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdminRSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.java:238)
  at com.ibm.ws.management.connector.soap.SOAPConnector.tokenBasedAuth(SOAPConnector.java:584)
  at com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPConnector.java:216)
  at com.ibm.ws.management.connector.soap.SOAPConnection.handleRequest(SOAPConnection.java:65)
  at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:733)
  at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:522)
  at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)
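A triage sketch for the signature described above, added here as an example and not IBM code: it pairs each JSAS0803E rejection in a job log with a BadPaddingException FFDC entry raised in RSAPropagationToken.aesDecryptBytes, and tolerates identifiers split by fixed-width line wrapping. The function names, the 5-second window, the assumption that both logs use the same local time zone, and the sample logs are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

REJECTED = "JSAS0803E"                          # message id from the trace on this page
PADDING = "javax.crypto.BadPaddingException"    # FFDC exception on this page
METHOD = "RSAPropagationToken.aesDecryptBytes"  # FFDC SourceId method on this page

TRACE_TS = re.compile(r"Trace: (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d{3}")
FFDC_TS = re.compile(r"\[(\d{1,2}/\d{1,2}/\d\d \d{1,2}:\d\d:\d\d):\d{3} \w+\]")

# Constructed samples modelled on the excerpt: wrapped lines split identifiers.
JOB_LOG = """\
Trace: 2013/02/14 18:32:12.221 01 t=AAF108 c=UNK key=S2 (13007002)
 ExtendedMessage: BBOO0220E: JSAS08
03E: The received admin RSA token failed validation.
Trace: 2013/02/14 19:05:40.010 01 t=AAF108 c=UNK key=S2 (13007002)
 ExtendedMessage: BBOO0220E: JSAS0803E: The received admin RSA to
ken failed validation.
"""
FFDC_LOG = """\
[2/14/13 18:32:11:910 CET] FFDC Exception:javax.crypto.BadPaddingException
SourceId:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.a
esDecryptBytes ProbeId:919
"""

def records(text, stamp, fmt):
    """Split text at each timestamp; yield (time, whitespace-free body)."""
    hits = list(stamp.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        # Removing all whitespace undoes the wrapping, so split markers match.
        body = re.sub(r"\s+", "", text[m.end():end])
        yield datetime.strptime(m.group(1), fmt), body

def correlate(job_log, ffdc_log, window=timedelta(seconds=5)):
    """Return times of rejected RSA tokens that have a nearby padding FFDC."""
    rejected = [t for t, b in records(job_log, TRACE_TS, "%Y/%m/%d %H:%M:%S")
                if REJECTED in b]
    padding = [t for t, b in records(ffdc_log, FFDC_TS, "%m/%d/%y %H:%M:%S")
               if PADDING in b and METHOD in b]
    return [t for t in rejected if any(abs(t - p) <= window for p in padding)]

if __name__ == "__main__":
    for when in correlate(JOB_LOG, FFDC_LOG):
        print("RSA token rejected with AES padding failure at", when)
```

In the sample, the 19:05:40 rejection has no padding FFDC near it, so it is left out as a rejection with some other cause.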
Local fix
Use LTPA instead of RSA
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server V7.0, V8.0 and V8.5

PROBLEM DESCRIPTION: RSA tokens fail to be decrypted/encrypted when using some Hardware Crypto cards.

RECOMMENDATION:

Some hardware crypto cards are not compatible with the RSA software keys, resulting in "The signature of the rsa token was not verified."
Problem conclusion
Security Custom Property com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA has been added to utilize the default software JCE provider, instead of IBMJCECCA, if set to "true".

APAR PM86382 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library

The following changes to the WebSphere Application Server Version 7.0 Information Center will be made available in December, 2013.

Topic "Security custom properties" will be updated to include the description of the following custom property:

com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA

Use the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom property to force RSA token validation to be done in software. Some hardware crypto cards are not compatible with the RSA tokens. If you receive the message "The signature of the rsa token was not verified", you might need to use the LTPA authentication mechanism instead of RSA tokens for security validation. To change your security validation settings, in the administrative console:

- Click "Global security > Administrative authentication", and unselect "RSA token".
- Select "Only use the active application authentication mechanism".
- Add the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom property to your security settings and set it to "true".

When this property is set to "true", the default software JCE provider, instead of IBMJCECCA, is used for security validation.

Default: false

APAR PM86382 is currently targeted for inclusion in WebSphere Application Server Fix Packs 7.0.0.31, 8.0.0.8, and 8.5.5.2. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM86382
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-04-04
Closed date
2013-07-30
Last modified date
2014-02-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R700 PSY UI13725
UP14/01/11 P F401
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
28 April 2022