IBM Support

PH31154: XOR ENCODING KEYSTOREPASSWORDS AND TRUSTSTOREPASSWORDS USED IN DATASOURCE CUSTOM PROPERTIES LEAD TO SSLHANDSHAKE ERRORS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When setting up a datasource to use SSL for the communication
    with a backend database system like Oracle DB and xor encypted
    passwords are used for the property name "keyStorePassword" and
    "trustStorePassword", the SSLHandshake may fail, because the
    passwords are not decrpted correctly.
    
    In the resouces.xml file there are configuration settings like:
    
    <resourceProperties xmi:id="J2EEResourceProperty_1603422700597"
    name="keyStorePassword" type="java.lang.String"
    value="{xor}************"/>
    
    ...
    
    <resourceProperties xmi:id="J2EEResourceProperty_1603422700655"
    name="trustStorePassword" type="java.lang.String"
    value="{xor}************"/>
    
    
    A possible error is:
    [10/29/20 17:32:45:655 SGT] 0000007c DSConfigHelpe 3 Exception
    java.sql.SQLRecoverableException: IO Error: The Network Adapter
    could not establish the connection DSRA0010E: SQL State = 08006,
    Error Code = 17,002
    at
    oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:489)
    at
    oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.
    java:553)
    ...
    

Local fix

  • Use plain text passwords is a possible workaround
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server using encrypted custom Datasource    *
    *                  properties                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: Custom datasource properties that       *
    *                      contained password as part of the       *
    *                      custom property namee is not            *
    *                      decrypted.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    SSLHandshake may fail, because custom property
    passwords are not decrypted avoind SSL handshake failures.
    

Problem conclusion

  • Custom datasource properties that contain password as part of
    the name are now decrypted before being used.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH31154

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-11-03

  • Closed date

    2021-04-07

  • Last modified date

    2021-04-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
08 April 2021