APAR status
Closed as program error.
Error description
After PI39126, certificates processed by the WAS Plugin must comply with RFC5280. It was later discovered that many local and public Certificate Authorities do not strictly comply with RFC5280. PI49893 added a custom property, certificate_validation_strict_rfc5280, that could be used to opt out (false) and accept non-RFC5280 certificates. This APAR changes the strict RFC5280 processing to be opt-in.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server web server plug-in users
PROBLEM DESCRIPTION: Plug-in security may fail to initialize if certificates are not RFC 5280 compliant.
RECOMMENDATION:
The web server plug-in component verifies that certificates are RFC5280 compliant. Many certificate authorities do not provide compliant certificates so a custom property was provided to disable the compliance verification. If a certificate was non-compliant, the certificate needed to be corrected or the custom property had to be set to disable compliance verification.
Problem conclusion
Based upon the high number of non-compliant certificates, the default behavior of RFC5280 compliance has been altered. After applying this change, the plug-in will not verify RFC5280 compliance for certificates unless the custom property certificate_validation_strict_rfc5280 is set to true in the Plugin Custom Properties. The plugin configuration must be regenerated and propagated to the web server after adding or modifying custom properties.
The fix for this APAR is targeted for inclusion in fix pack 8.5.5.18 and 9.5.0.6. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
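An added example, not IBM's code: a check over a plugin-cfg.xml that reports whether strict RFC5280 validation is in effect and whether applying this APAR silently changes it. It assumes custom properties are serialized as `<Property Name="..." Value="..."/>` elements; the sample configs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "certificate_validation_strict_rfc5280"

# Constructed sample configs (not taken from the APAR). Assumption: plug-in
# custom properties appear as <Property Name=... Value=.../> elements.
SAMPLE_UNSET = '<Config><Property Name="ESIEnable" Value="true"/></Config>'
SAMPLE_STRICT = f'<Config><Property Name="{PROP}" Value="true"/></Config>'
SAMPLE_OPT_OUT = f'<Config><Property Name="{PROP}" Value="false"/></Config>'


def strict_setting(xml_text):
    """Return True/False when the property is set, None when it is absent."""
    root = ET.fromstring(xml_text)
    values = {p.get("Value", "").strip()
              for p in root.iter("Property") if p.get("Name") == PROP}
    if not values:
        return None
    if len(values) > 1:
        raise ValueError(f"conflicting values for {PROP}: {sorted(values)}")
    value = values.pop()
    if value not in ("true", "false"):
        # Do not guess how the plug-in treats other spellings; flag for review.
        raise ValueError(f"unrecognized value for {PROP}: {value!r}")
    return value == "true"


def audit(xml_text, fix_applied):
    """Effective strictness for one config, before or after PH27968."""
    explicit = strict_setting(xml_text)
    # Per the APAR: strict was the default before PH27968 (opt-out with
    # false, PI49893); after PH27968 it is opt-in (off unless set to true).
    default = not fix_applied
    return {
        "explicit": explicit,
        "effective_strict": default if explicit is None else explicit,
        # Only configs without the property change behavior when patched.
        "changed_by_fix": explicit is None,
    }


if __name__ == "__main__":
    for name, cfg in [("unset", SAMPLE_UNSET), ("strict", SAMPLE_STRICT),
                      ("opt-out", SAMPLE_OPT_OUT)]:
        print(name, audit(cfg, fix_applied=True))
```

Configs reported with `changed_by_fix` are the ones that lose strict checking after the fix pack unless the property is added and the plug-in configuration is regenerated and propagated.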
Temporary fix
Comments
APAR Information
APAR number
PH27968
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-07-30
Closed date
2020-08-05
Last modified date
2020-08-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021