IBM Support

PH27968: ALLOW NON-RFC5280 CERTIFICATES BY DEFAULT.


APAR status

  • Closed as program error.

Error description

  • After PI39126, certificates processed by the WAS web server
    plug-in had to comply with RFC 5280. It was later discovered
    that many local and public Certificate Authorities do not
    strictly comply with RFC 5280.
    
    PI49893 added a custom property,
    certificate_validation_strict_rfc5280, that could be set to
    false to opt out of the strict check and accept non-RFC 5280
    certificates.
    
    This APAR changes strict RFC 5280 processing from opt-out to
    opt-in.
    
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server web        *
    *                  server plug-in users                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Plug-in security may fail to            *
    *                      initialize if certificates are not      *
    *                      RFC 5280 compliant.                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The web server plug-in component verifies that certificates
    are RFC 5280 compliant. Many certificate authorities do not
    issue compliant certificates, so a custom property was
    provided to disable the compliance verification. If a
    certificate was non-compliant, either the certificate had to
    be corrected or the custom property had to be set to disable
    compliance verification; otherwise plug-in security failed to
    initialize.
    
    

Problem conclusion

  • Based upon the high number of non-compliant certificates, the
    default behavior of RFC 5280 compliance checking has been
    altered. After applying this change, the plug-in will not
    verify RFC 5280 compliance for certificates unless the custom
    property certificate_validation_strict_rfc5280 is set to true
    in the Plugin Custom Properties. Installations that relied on
    the previous default to reject non-compliant certificates must
    set the property to true explicitly. The plug-in configuration
    must be regenerated and propagated to the web server after
    adding or modifying custom properties.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.18 and 9.5.0.6. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
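
    The following script is an added example and is not IBM code. It
    audits a plugin-cfg.xml for the effective certificate-validation
    mode at a given fix level, encoding the default flip described above:
    strict unless the property is false before PH27968 (PI49893
    behavior), lenient unless the property is true after PH27968. Two
    assumptions are made and marked in the code: that the plug-in renders
    custom properties into plugin-cfg.xml as Property elements with Name
    and Value attributes, and that the property value is compared
    case-insensitively. The sample configurations are constructed for the
    example.

```python
"""Audit the effective RFC 5280 mode of a WAS web server plug-in config.

Added example, not IBM code. Assumptions (not stated by the APAR):
  * custom properties appear in plugin-cfg.xml as
    <Property Name="..." Value="..."/> elements under <Config>;
  * the property value is matched case-insensitively.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

PROPERTY = "certificate_validation_strict_rfc5280"

# Constructed sample plugin-cfg.xml fragments (not real generated output).
CFG_NO_PROPERTY = """<?xml version="1.0" encoding="ISO-8859-1"?>
<Config ASDisableNagle="false" IgnoreDNSFailures="false">
  <Log LogLevel="Error" Name="http_plugin.log"/>
  <Property Name="ESIEnable" Value="true"/>
</Config>"""

CFG_STRICT = CFG_NO_PROPERTY.replace(
    "</Config>",
    '  <Property Name="%s" Value="true"/>\n</Config>' % PROPERTY)

CFG_LENIENT = CFG_NO_PROPERTY.replace(
    "</Config>",
    '  <Property Name="%s" Value="false"/>\n</Config>' % PROPERTY)


def find_property(plugin_cfg_xml: str, name: str = PROPERTY) -> Optional[str]:
    """Return the Value of the named custom property, or None if absent.

    Assumption: properties are <Property Name= Value=/> elements.
    """
    root = ET.fromstring(plugin_cfg_xml)
    for prop in root.iter("Property"):
        if prop.get("Name", "").lower() == name.lower():
            return prop.get("Value")
    return None


def strict_rfc5280(plugin_cfg_xml: str, ph27968_applied: bool) -> bool:
    """Effective strict-validation mode for this config at this fix level.

    Per the APAR: before PH27968 the default is strict (opt out with
    false); after PH27968 the default is lenient (opt in with true).
    An unrecognized value is treated as the level default (assumption).
    """
    value = find_property(plugin_cfg_xml)
    if value is not None:
        normalized = value.strip().lower()  # assumption: case-insensitive
        if normalized == "true":
            return True
        if normalized == "false":
            return False
    return not ph27968_applied


def audit(plugin_cfg_xml: str, ph27968_applied: bool) -> List[str]:
    """Return human-readable findings an administrator would act on."""
    findings = []
    value = find_property(plugin_cfg_xml)
    strict = strict_rfc5280(plugin_cfg_xml, ph27968_applied)
    level = "8.5.5.18/9.5.0.6 or later" if ph27968_applied else "pre-PH27968"
    if value is None and ph27968_applied:
        findings.append(
            "%s not set; at %s strict RFC 5280 validation is OFF by default. "
            "Set it to true and regenerate/propagate plugin-cfg.xml if "
            "non-compliant certificates should be rejected." % (PROPERTY, level))
    elif value is None:
        findings.append(
            "%s not set; at %s strict RFC 5280 validation is ON by default, "
            "so non-compliant CA certificates will stop plug-in security "
            "from initializing." % (PROPERTY, level))
    else:
        findings.append("%s explicitly set to %r at %s." % (PROPERTY, value, level))
    findings.append("Effective mode: %s" % ("strict" if strict else "lenient"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("no property", CFG_NO_PROPERTY),
                       ("property=true", CFG_STRICT),
                       ("property=false", CFG_LENIENT)):
        for applied in (False, True):
            print("[%s, PH27968 applied=%s]" % (label, applied))
            for line in audit(cfg, applied):
                print("  " + line)
```

    Run it against the plugin-cfg.xml actually propagated to each web
    server node, not only the one in the deployment manager's config
    directory: the property has no effect until the configuration has
    been regenerated and propagated, so the propagated copy is the one
    that reflects what the plug-in will enforce.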
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH27968

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-30

  • Closed date

    2020-08-05

  • Last modified date

    2020-08-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • Line of Business: IBM Automation (LOB36)

  • Business Unit: Cloud & Data Platform (BU053)

  • Product: WebSphere Application Server (SSEQTP)

  • Platform: Platform Independent (PF025)

  • Version: 850

Document Information

Modified date:
14 September 2020