APAR status
Closed as program error.
Error description
At IBM SDK 8.0.8.30, IBMXMLCryptoProvider security provider, which was previously the default, is deprecated. XML Signature secure validation mode is turned on by default for both the XMLDSigRI provider and the deprecated IBMXMLCryptoProvider provider. in WebSphere for z/OS, {webSphere_profile_directory}/properties/java.security is provided in case it is necessary to customize the properties in java.security from IBM SDK. This APAR will keep {webSphere_profile_directory}/properties/java.security current to ensure the server is secure by replacing the deprecated IBMXMLCryptoProvider provider with the new XMLDSigRI provider. Note: - For WebSphere on AIX, Linux and Windows, WebSphere use java.security from the IBM JDK 8 that is installed with WebSphere. - For WebSphere on IBM i which use IBM SDK that comes with the IBM i, please refer to "How to Customize Java Security Configuration Properties for JDKs on the IBM i OS" https://www.ibm.com/support/pages/how-customize-java-security- configuration-properties-jdks-ibm-i-os Reference: IBM SDK, Java Technology Edition Service refresh 8 https://www.ibm.com/docs/en/sdk-java-technology/8?topic=wn- service-refresh-8#security_whatsnew_sr8__fp30__title__1
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server * * V8.5 on z/OS. * **************************************************************** * PROBLEM DESCRIPTION: {WebSphere_profile_dir}/properties/java * * . * * security needs to be updated to use * * XMLDSigRI provider. * **************************************************************** * RECOMMENDATION: * **************************************************************** The java.security template file ({WebSphere_profile_dir}/properties/java.security) on z/OS is still using om.ibm.xml.crypto.IBMXMLCryptoProvider at 8.5.5.26. The XMLDSigRI security provider (org.jcp.xml.dsig.internal.dom.XMLDSigRI) is now the default provider for JSR 105 services and needs to be in the provider list. The IBMXMLCryptoProvider security provider (com.ibm.xml.crypto.IBMXMLCryptoProvider), which was previously the default, is deprecated.
Problem conclusion
The IBMXMLCryptoProvider has been replaced with IBMXMLCryptoProvider provider in the {WebSphere_profile_dir}/properties/java.security. The fix for this APAR is targeted for inclusion in fix pack 8.5.5.27. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH63219
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-09-12
Closed date
2024-09-24
Last modified date
2024-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
Document Information
Modified date:
24 September 2024