APAR status
Closed as program error.
Error description
WCT - Profile Management Tool (WebSphere Customization Toolkit) needs to be modified to make clear what selecting the option "Generate certificate authority (CA)" on the SSL Customization panel means. If the check box is checked (the default), WCT generates RACF commands to create a self-signed certificate chain. This gives WAS a complete configuration and lets servers start successfully without additional manual steps. If the check box is unchecked, the user is expected to provide a valid CA certificate (for example, a third-party certificate). The RACF-generated certificate is a self-signed certificate chain and is not recommended for production use. At any point, the default configuration can be updated to use third-party certificates. Some customers reported audit failures when self-signed certificates were used.
Local fix
If needed, the certificates can be updated per IBM documentation.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server V8.5, V9.0 for z/OS
PROBLEM DESCRIPTION: WebSphere Customization Toolkit needs to clarify what type of certificate is generated by default.
RECOMMENDATION: If a valid certificate authority (CA) certificate is required, one must be provided by the user.

WebSphere Customization Toolkit needs to be modified to make clear what selecting the option "Generate certificate authority (CA)" on the SSL Customization panel means. If the check box is checked (the default), WCT generates RACF commands to create a self-signed certificate chain. This gives WebSphere Application Server a complete configuration and lets servers start successfully without additional manual steps. If the check box is unchecked, the user is expected to provide a valid CA certificate (for example, a third-party certificate). The RACF-generated certificate is a self-signed certificate chain and might not be recommended for production use. At any point, the default configuration can be updated to use third-party certificates. Some customers reported audit failures when self-signed certificates were used.
Problem conclusion
On the SSL Customization panel, modified the option "Generate certificate authority (CA) certificate" to "Generate a self-signed certificate chain" to avoid any confusion that a CA certificate will be generated by default.

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.22 and 9.0.5.12. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH41012
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-10-01
Closed date
2022-05-18
Last modified date
2022-05-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
Document Information
Modified date:
19 May 2022