APAR status
Closed as program error.
Error description
When the KeyInfo in a SAMLResponse sent to the SAML Web SSO TAI contains a valid X509Data or KeyValue element in addition to a KeyName element, but the KeyName element is first, the signature validation will fail. An error similar to the following is emitted:

[3/18/20 10:27:00:094 CDT] 000000c7 ACSTrustAssoc 3 SAMLResponse could not be verified. [com.ibm.wsspi.wssecurity.core.SoapSecurityException]

The following may be observed in a SAML trace:

[3/18/20 10:27:00:078 CDT] 000000c7 ConfigUtil < getMessage2(String)returns String [CWWSS7074E: The key is not retrieved. The exception is:] Exit
[3/18/20 10:27:00:078 CDT] 000000c7 SAMLSignature 3 NULL_MESSAGE_KEY_PASSED
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and SAML Web SSO                     *
****************************************************************
* PROBLEM DESCRIPTION: The SAML Web SSO TAI fails signature    *
*                      validation if KeyName is first in       *
*                      KeyInfo                                 *
****************************************************************
* RECOMMENDATION:  Install a fix pack that includes this       *
*                  APAR.                                       *
****************************************************************

When the KeyInfo in a SAMLResponse sent to the SAML Web SSO TAI contains a valid X509Data or KeyValue element, and the signature is valid, the signature verification is expected to pass. When the KeyInfo in a SAMLResponse contains only a KeyName element, the signature verification is expected to fail, because a KeyName is only a label and carries no key material the TAI can verify against. When the KeyInfo contains multiple elements, the runtime is expected to pick up the first supported element and use it to process the signature. When the KeyInfo contains multiple elements but the first one is not supported, in this case KeyName, the TAI does not retrieve a key and emits the following error:

[3/18/20 10:27:00:094 CDT] 000000c7 ACSTrustAssoc 3 SAMLResponse could not be verified. [com.ibm.wsspi.wssecurity.core.SoapSecurityException]

Below is an example of a KeyInfo that contains more than one element with the KeyName first:

<ds:KeyInfo>
  <ds:KeyName>CN=company.com, O=Company, L=City, ST=State, C=US</ds:KeyName>
  <ds:X509Data><ds:X509Certificate>.....</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
Problem conclusion
The SAML Web SSO TAI is updated to skip the unsupported elements in the KeyInfo. If there is at least one supported element in the KeyInfo, a key will be retrieved. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
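The following Python sketch is an added illustration of the two KeyInfo resolver behaviours described in the Problem summary and Problem conclusion above; it is not WebSphere or SAML Web SSO TAI code. `first_child_only` models the pre-fix behaviour (only the first KeyInfo child is examined, so a leading KeyName yields no key), and `first_supported` models the fixed behaviour (unsupported children are skipped and the first supported one is used). The certificate bytes, the KeyInfo documents and the helper names are all constructed for the example; only X509Data is implemented, although the TAI also accepts KeyValue. The trust-anchor check in `retrieve_key` is general XML-DSig practice (a KeyInfo arrives inside attacker-controllable input, so a key it carries must match a configured trusted certificate) and is an assumption of this example, not something the APAR text states about the product.

```python
"""Added illustrative KeyInfo resolver; not WebSphere code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# KeyInfo children this resolver can turn into a verification key. The TAI also
# accepts KeyValue; this example implements X509Data only.
SUPPORTED = (DS + "X509Data",)

# Constructed stand-in for the IdP signing certificate. A real deployment loads
# the trust-anchor certificate(s) from the configured keystore.
IDP_CERT_DER = b"constructed placeholder, not a real DER certificate"
IDP_FINGERPRINT = hashlib.sha256(IDP_CERT_DER).hexdigest()
TRUSTED_FINGERPRINTS = {IDP_FINGERPRINT}


def keyinfo_xml(*children):
    """Build a constructed ds:KeyInfo document from child fragments."""
    return ('<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + "".join(children) + "</ds:KeyInfo>")


def key_name(name):
    return "<ds:KeyName>" + name + "</ds:KeyName>"


def x509_data(der):
    b64 = base64.b64encode(der).decode()
    return ("<ds:X509Data><ds:X509Certificate>" + b64
            + "</ds:X509Certificate></ds:X509Data>")


NAME = "CN=company.com, O=Company, L=City, ST=State, C=US"
# The layout the APAR quotes: KeyName first, then a usable X509Data.
KEYNAME_FIRST = keyinfo_xml(key_name(NAME), x509_data(IDP_CERT_DER))
# KeyName alone: no key material, so no key can be retrieved.
KEYNAME_ONLY = keyinfo_xml(key_name(NAME))
# A well-formed X509Data whose certificate is not a configured trust anchor.
UNTRUSTED_CERT = keyinfo_xml(x509_data(b"constructed attacker-chosen certificate"))


def first_child_only(keyinfo):
    """Models the pre-fix behaviour the APAR describes: only the first child
    is examined, so a leading KeyName means no key is retrieved."""
    children = list(keyinfo)
    if children and children[0].tag in SUPPORTED:
        return children[0]
    return None


def first_supported(keyinfo):
    """Models the fixed behaviour: unsupported children are skipped and the
    first supported one is used."""
    for child in keyinfo:
        if child.tag in SUPPORTED:
            return child
    return None


def retrieve_key(xml_text, resolver):
    """Return the SHA-256 fingerprint of the certificate the resolver selects,
    or None when no key can be retrieved (the CWWSS7074E situation).

    The trust-anchor check is an assumption of this example: KeyInfo is
    attacker-controlled input, so a certificate it carries is only usable
    for verification if it matches a configured trusted certificate.
    """
    element = resolver(ET.fromstring(xml_text))
    if element is None:
        return None
    cert = element.find(DS + "X509Certificate")
    if cert is None or not cert.text:
        return None
    fingerprint = hashlib.sha256(base64.b64decode(cert.text.strip())).hexdigest()
    if fingerprint not in TRUSTED_FINGERPRINTS:
        raise ValueError("certificate in KeyInfo is not a configured trust anchor")
    return fingerprint


if __name__ == "__main__":
    print("pre-fix, KeyName first:", retrieve_key(KEYNAME_FIRST, first_child_only))
    print("fixed,   KeyName first:", retrieve_key(KEYNAME_FIRST, first_supported))
    print("fixed,   KeyName only :", retrieve_key(KEYNAME_ONLY, first_supported))
```

Run stand-alone, the pre-fix resolver returns no key for the KeyName-first document while the fixed resolver returns the trusted certificate's fingerprint; a KeyName-only document yields no key under either resolver, and an X509Data carrying a certificate outside the trust anchors is rejected rather than used.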
Temporary fix
Comments
APAR Information
APAR number
PH24501
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-04-16
Closed date
2020-05-29
Last modified date
2020-05-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021