IBM Support

IJ22800: WEBSPHERE FAILS TO SUCCESSFULLY VALIDATE A CERTIFICATE CHAIN USING THE CERTPATH SECURITY COMPONENT


APAR status

  • Closed as program error.

Error description

  • Error Message: CWWSS5514E: An exception while processing
    WS-Security message:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E:
    The Login failed because of an exception:
    javax.security.auth.login.LoginException:
    com.ibm.security.cert.IBMCertPathBuilderException: unable to
    find valid certification path to requested target.

    Stack Trace:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
            at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:138)
            at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.getSoapSecurityException(CommonTokenConsumer.java:592)
            at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:431)
            at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2563)
            at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2382)
            at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:821)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.access$100(WSSecurityConsumerHandler.java:127)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1.run(WSSecurityConsumerHandler.java:191)
            at com.ibm.ws.security.context.ContextImpl.runWith(ContextImpl.java:363)
            at com.ibm.ws.wssecurity.platform.websphere.auth.WSSContextImpl.runWith(WSSContextImpl.java:66)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$2.run(WSSecurityConsumerHandler.java:197)
            at java.security.AccessController.doPrivileged(AccessController.java:734)
            at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:195)
            at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
            at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
            at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
            at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:372)
            at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:199)
            at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
            at com.ibm.ws.websvcs.transport.http.WASAxis2Servlet.doPost(WASAxis2Servlet.java:1632)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
            at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
            at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4047)
            at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
            at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1016)
            at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
            at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:213)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
            at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
            at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
            at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
            at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
            at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
            at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
            at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
            at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
            at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
            at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
    Caused by: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
            at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1361)
            at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.processElement(X509ConsumeLoginModule.java:1167)
            at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.login(X509ConsumeLoginModule.java:321)
            at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:324)
            ... 45 more
    Caused by: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
            at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:165)
            at com.ibm.security.cert.SunCertPathBuilder.build(SunCertPathBuilder.java:129)
            at com.ibm.security.cert.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:124)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:292)
            at com.ibm.ws.wssecurity.util.CertificateUtil.buildCertPath(CertificateUtil.java:1163)
            at com.ibm.ws.wssecurity.util.CertificateUtil.validateX509Certificate(CertificateUtil.java:991)
            at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1337)
            ... 48 more
    Caused by: java.security.cert.CertPathValidatorException: Cannot find the responder's certificate (set using the OCSP security properties).
            at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:296)
            at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:240)
            at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:216)
            at com.ibm.security.cert.RevocationChecker.init(RevocationChecker.java:105)
            at com.ibm.security.cert.RevocationChecker.<init>(RevocationChecker.java:94)
            at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:393)
            at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:530)
            at com.ibm.security.cert.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:223)
            at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:158)
            ... 54 more


Local fix

  • If you use the OCSP Security properties in the java.security
    file, make sure the values you specify are real values for your
    environment (your own OCSP responder URL and the subject, issuer
    and serial number of your responder's certificate). The
    commented-out values shipped in the java.security file are not
    usable values; they are illustrative only.


Problem summary

  • The failing test cases were using the OCSP Security properties
    shown below. The value of each was the same as the illustrative
    value found in the java.security file. These values were never
    meant to be used, so the CertPath provider could not locate the
    responder certificate they name.
       ocsp.responderURL=http://ocsp.example.net:80
       ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
       ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
       ocsp.responderCertSerialNumber=2A:FF:00

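The following pre-flight check is an added example, not IBM's own code from the CertPath provider: run under the same JDK WebSphere uses, it reads the ocsp.responderCert* security properties the way the revocation checker does and reports whether a matching certificate actually exists in a truststore, so the misconfiguration above surfaces before WS-Security validation fails. The truststore path, password argument and class name are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

public class OcspResponderPropsCheck {
    // Mirrors the responder lookup criteria: match on subject name, or on issuer + serial.
    // Returns null if no truststore entry matches; throws IllegalArgumentException when a
    // value is not a parsable DN or hex serial number.
    public static X509Certificate findResponderCert(KeyStore ts, String subject,
            String issuer, String serial) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        if (subject != null) sel.setSubject(new X500Principal(subject));
        if (issuer != null) sel.setIssuer(new X500Principal(issuer));
        // Serial is hex, optionally colon-separated as in the sample value 2A:FF:00.
        if (serial != null) sel.setSerialNumber(new BigInteger(serial.replace(":", ""), 16));
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            Certificate c = ts.getCertificate(e.nextElement());
            if (c instanceof X509Certificate && sel.match(c)) return (X509Certificate) c;
        }
        return null;
    }

    // Assumed usage: java OcspResponderPropsCheck <truststore> <password>, run with the
    // same JDK WebSphere uses so Security.getProperty reads the same java.security file.
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        String subject = Security.getProperty("ocsp.responderCertSubjectName");
        String issuer = Security.getProperty("ocsp.responderCertIssuerName");
        String serial = Security.getProperty("ocsp.responderCertSerialNumber");
        if (subject == null && issuer == null && serial == null) {
            System.out.println("ocsp.responderCert* not set; responder cert comes from the OCSP response");
            return;
        }
        try {
            X509Certificate cert = findResponderCert(ts, subject, issuer, serial);
            System.out.println(cert == null ? "NOT FOUND: CertPath validation will fail"
                    : "OK: found " + cert.getSubjectX500Principal());
        } catch (IllegalArgumentException bad) {
            System.out.println("MALFORMED ocsp.* property value: " + bad.getMessage());
        }
    }
}
```

A "NOT FOUND" or "MALFORMED" result with the properties above is the same condition that the CertPathValidatorException in the stack trace reports.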

Problem conclusion

  • Defensive logic has been added to the CertPath provider
    (ibmcertpathprovider.jar) to help protect against invalid OCSP
    Security property settings such as the one described.
    The affected jar file is:  ibmcertpathprovider.jar
    The associated Hursley RTC Problem Report is:   143043
    The associated Austin Git issue is Issue#16 for the CertPath
    component.
    JVMs affected include:  Java 8.0
    The fix was delivered for  Java 8.0 sr6 fp7 (cr20_01_u2).
    The build level of the ibmcertpathprovider.jar delivered for
    Java 8.0 is 20200214-60.

    This APAR will be fixed in the following Java Releases:
       8    SR6 FP7   (8.0.6.7)

    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/


Temporary fix

Comments

APAR Information

  • APAR number

    IJ22800

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-14

  • Closed date

    2020-02-28

  • Last modified date

    2020-02-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels


Document Information

Modified date:
07 December 2020