Fixes are available
APAR status
Closed as new function.
Error description
The file-based and database repositories in federated repositories are initialized to use SHA-1, which is a rather insecure algorithm. The repositories should be updated to support, and default to, more complex hashing algorithms.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server federated file-based and database     *
*                 repositories                                 *
****************************************************************
* PROBLEM DESCRIPTION: The file and database repositories      *
*                      default to SHA-1, which is insecure.    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The file and database repositories default to SHA-1, which is insecure.
Problem conclusion
The database and file repositories were updated to support, and default to, PBKDF2WithHmacSHA1 with larger key and salt sizes, as well as a larger number of hashing iterations. These parameters are configurable either in the web console or by using wsadmin commands.

When the database repository uses a database that is shared across multiple servers, do not use the new algorithms unless all servers using the database are up-level from the fix. Otherwise, all down-level servers could fail authentication for users whose passwords are hashed with the new algorithm.

The fix for this APAR is currently targeted for inclusion in fix pack 9.0.5.1 and 8.5.5.17. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
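The following added example (not IBM's code and not part of this APAR) illustrates the change described above: a salted, iterated PBKDF2WithHmacSHA1 hash, and why a server that only understands the old SHA-1 scheme rejects users hashed with the new one. The record layout, the parameter values and the `upLevel` flag are assumptions made for illustration and do not reflect how WebSphere stores passwords.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordHashDemo {
    // Constructed parameters for illustration; not WebSphere's defaults.
    static final int ITERATIONS = 100_000, SALT_BYTES = 32, KEY_BITS = 256;

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter, int bits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, bits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in the key spec
        }
    }

    // Hypothetical record layout: PBKDF2$<iterations>$<salt, base64>$<derived key, base64>
    static String hash(char[] pw) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        Base64.Encoder b64 = Base64.getEncoder();
        return "PBKDF2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(pbkdf2(pw, salt, ITERATIONS, KEY_BITS));
    }

    // upLevel=false models a server without the fix: it only knows the SHA-1 layout.
    static boolean verify(char[] pw, String record, boolean upLevel) throws Exception {
        if (record.startsWith("SHA-1$")) { // legacy layout: unsalted, single round
            byte[] d = MessageDigest.getInstance("SHA-1").digest(new String(pw).getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(d, Base64.getDecoder().decode(record.substring(6)));
        }
        String[] p = record.split("\\$");
        if (!upLevel || p.length != 4 || !p[0].equals("PBKDF2")) return false; // unknown scheme
        byte[] salt = Base64.getDecoder().decode(p[2]);
        byte[] want = Base64.getDecoder().decode(p[3]);
        byte[] got = pbkdf2(pw, salt, Integer.parseInt(p[1]), want.length * 8);
        return MessageDigest.isEqual(got, want); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray(); // constructed sample password
        String rec = hash(pw);
        System.out.println("up-level server:   " + verify(pw, rec, true));
        System.out.println("down-level server: " + verify(pw, rec, false));
    }
}
```

Because the iteration count and salt are stored in each record, an up-level verifier keeps accepting older records after the configured parameters are raised.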
Temporary fix
Comments
APAR Information
APAR number
PH18467
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-10-25
Closed date
2019-10-25
Last modified date
2019-10-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
02 November 2021