PM11953: APPLICATION SECURED BY SSL IN THE WEB.XML IS REDIRECTED TO THE INCORRECT SSL PORT SPECIFIED INT THE VIRTUAL HOST ALIAS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• An application is deployed to WebSphere secured by SSL.
  
  For example, web.xml contains:
  
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  
  The application server virtual hosts contains more than one port
  that is an SSL port.
  
  An example may look like:
  
  Virtual Hosts > default_host > Host Aliases
   *  9080
   *  9443   (SSL port - WC_defaulthost_secure)
   *  80
   *  5060
   *  5061   (SSL port - SIP_DEFAULTHOST_SECURE)
  
  Attempting to invoke the webcontainer non-SSL port 9080 for the
  application should redirect to the webconatier SSL port 9443 for
  the application.
  
  Working scenario with the example above would cause URL
  http://hostname:9080/ContextRootWAR/index.html
  to redirect to:
  https://hostname:9443/ContextRootWAR/index.html
  
  However, the webcontainer non-SSL port 9080 is redirected to a
  different SSL port 5061 listed in the virtual host alias.
  
  A failing scenario with the example above would cause URL
  http://hostname:9080/ContextRootWAR/index.html
  to redirect to:
  https://hostname:5061/ContextRootWAR/index.html
  
  causing a failure to load the SSL protected page.
  
  Enabling the trace:
  com.ibm.ws.security.web.*=all
  prior to invoking the non-SSL URL and searching on the following
  tracepoints can be used to determine port that is being
  redirected to.
  
  Trace would look like:
  -----
  Trace: 2010/03/10 20:40:40.816 01 t=8CA108 c=UNK key=P8
  (13007002)
     ThreadId: 0000002b
     FunctionName: Found HTTPS port 5061 in virtual host
  default_host
     SourceId: com.ibm.ws.security.web.WebCollaborator
     Category: FINER
     ExtendedMessage: Exit
   Trace: 2010/03/10 20:40:40.817 01 t=8CA108 c=UNK key=P8
  (13007002)
     ThreadId: 0000002b
     FunctionName: com.ibm.ws.security.web.WebCollaborator
     SourceId: com.ibm.ws.security.web.WebCollaborator
     Category: FINEST
     ExtendedMessage: Redirected to
  https://host:5061/ContextRootWAR/index.html
  -------
  

Local fix

• If other SSL ports are not being used in the virtual hosts,
  specify only one SSL port in the virtual hosts which is the
  web container SSL port.
  
  For example, port 9443 is the only SSL port in tihs example:
  
  ----
  Virtual Hosts > default_host > Host Aliases
   *  9080
   *  9443   (SSL port - WC_defaulthost_secure)
   *  80
   *  5060
  -----
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of WebSphere Application Server    *
  *                 V7.0                                         *
  ****************************************************************
  * PROBLEM DESCRIPTION: For WebSphere Application Server,       *
  *                      accessing an SSL protected Web          *
  *                      resource through the non-SSL port       *
  *                      does not redirect the request using     *
  *                      the HTTPS port.                         *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  For WebSphere Application Server, when the transport chain
  associated with the "WC_defaulthost_secure" port is removed
  and then added again, an SSL protected resource is not
  redirected using the SSL port. The first transport chain that
  contains an SSL channel and that is also in the same virtual
  host as the non-SSL port is used instead. For example, for the
  default_host virtual host,
  Virtual Hosts > default_host > Host Aliases
      * 9080
      * 9443 (SSL port - WC_defaulthost_secure)
      * 80
      * 5060
      * 5061 (SSL port - SIP_DEFAULTHOST_SECURE)
  
  the SSL port used is 5061 instead of the expected 9443 when
  redirecting URLs with the non-SSL port 9080.
  

Problem conclusion

• The security code was modified to correctly use HTTPS ports
  belonging to the Web Container when determining the SSL port
  to use for redirecting the HTTP request.
  
  APAR PM11953 is currently targeted for inclusion in Service
  Level (Fix Pack) 7.0.0.13 of WebSphere Application Server V7.0.
  
  Please refer to URL:
  //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
  for Fix Pack availability.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PM11135

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBSPHERE FOR Z

• Fixed component ID

  5655I3500

Applicable component levels

• R700 PSY UK61114

     UP10/10/21 P F010

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.