APAR status
Closed as new function.
Error description
The OpenID Connect (OIDC) Trust Association Interceptor (TAI) cannot process encrypted JWT (JWE) or ID tokens.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and the OIDC TAI
PROBLEM DESCRIPTION: The OIDC TAI cannot process encrypted JWT or ID tokens.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.
Problem conclusion
Starting in 8.5.5.23 and 9.0.5.13, the OpenID Connect Trust Association Interceptor can process encrypted JSON Web Tokens (JWTs). Encrypted JWTs can be used with both the traditional OpenID Connect Relying Party and JWT Authentication. When using the OIDC RP, an encrypted JWT can be the ID token, the access token, or both.

The following OIDC TAI custom properties are added to support encrypted JWTs:

provider_<id>.keyStore
provider_<id>.decryptAlias
provider_<id>.decryptKeyPassword

================================
provider_<id>.keyStore

Specifies the keystore from which to obtain the decrypting key that is specified on the provider_<id>.decryptAlias property. If this property is not specified, the default keystore is used. On a single server, the default keystore is NodeDefaultKeyStore. Otherwise, it is CellDefaultKeyStore.

Example values for this property:

myKeyStoreRef
name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode

================================
provider_<id>.decryptAlias

Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token. This property is required if the TAI receives encrypted JWTs. Providing a value for this property does not make the TAI reject unencrypted JWTs. This property does not have a default value.

================================
provider_<id>.decryptKeyPassword

Specifies the password for the decrypting key that is specified on the provider_<id>.decryptAlias property. This property can be specified in plain text or it can be XOR encoded, for example {xor}CDo9Hgw=. This property does not have a default value.

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.13. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
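The properties above matter only when the provider actually issues encrypted tokens, and setting decryptAlias does not cause unencrypted JWTs to be rejected. The following added example (not IBM's code) inspects the JOSE header of a compact-serialised token to tell a JWE (five segments, 'enc' in the header) from a JWS (three segments), which is how an administrator can confirm whether a provider's tokens require the decryptAlias configuration; the sample tokens are constructed with placeholder segments, not real tokens.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def classify_token(token: str) -> dict:
    """Report whether a compact token is a JWS or a JWE.

    JWS compact serialisation: header.payload.signature (3 segments).
    JWE compact serialisation: header.encryptedkey.iv.ciphertext.tag (5 segments),
    and the header carries an 'enc' member naming the content-encryption algorithm.
    Only the JWE form needs the TAI's decryptAlias/keyStore properties.
    """
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        form = "JWE"
    elif len(parts) == 3 and "enc" not in header:
        form = "JWS"
    else:
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    return {
        "form": form,
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "needs_decrypt_alias": form == "JWE",
    }


# Constructed samples: the non-header segments are placeholders, not real
# signatures or ciphertext, so only the header is meaningful here.
SAMPLE_JWS = ".".join([_b64url_encode({"alg": "RS256", "kid": "k1"}),
                       _b64url_encode({"sub": "alice"}), "signature"])
SAMPLE_JWE = ".".join([_b64url_encode({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "k2"}),
                       "encryptedkey", "iv", "ciphertext", "tag"])

if __name__ == "__main__":
    for token in (SAMPLE_JWS, SAMPLE_JWE):
        print(classify_token(token))
```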
Temporary fix
Comments
APAR Information
APAR number
PH36335
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-04-15
Closed date
2022-06-17
Last modified date
2022-06-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: IBM Software w/o TPS (BU059)
Product: WebSphere Application Server (SSEQTP)
Platform: Platform Independent (PF025)
Version: 8.5
Document Information
Modified date:
18 June 2022