PI38151: THROW EXCEPTION IF RECEIVE UNSUPPORTED KEYINFO IN SAML

Fixes are available

APAR status

Closed as program error.

Error description

Although the main wssecurity runtime supports many KeyInfo
types in a signature, the SAML runtime only supports a subset.
A usable exception should be thrown whan a KeyInfo is received
that is not supported.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server            *
*                  administrators of WS-Security enabled web   *
*                  services applications and SAML              *
****************************************************************
* PROBLEM DESCRIPTION: A usable error should be emitted when   *
*                      a KeyInfo that is not valid is in a     *
*                      SAML assertion                          *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
The SAML runtime processes SAML assertions for both
WS-Security and SAML Web Single Sign-On (SSO).  When the SAML
runtime encounters a KeyInfo in the assertion that it cannot
process, a message similar to the following may be emitted.
[7/29/15 14:18:23:629 CDT] 00000020 WebAuthentica E
SECJ0126E: Trust Association failed during validation. The
exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
com.ibm.wsspi.wssecurity.core.SoapSecurityException:
security.wssecurity.WSEC7074E
This error is not helpful for determining the cause of the
failure.  More information is required.

Problem conclusion

The SAML runtime is updated to issue more useful errors when
it cannot process a KeyInfo element.  The new messages will
follow the CWSSS7074E message that is now properly evaluated
from security.wssecurity.WSEC7074E.

CWWSS7074E: The key is not retrieved. The exception is:
com.ibm.wsspi.wssecurity.core.SoapSecurityException:

CWSML7025E: The [{0}] sub-element of the KeyInfo element in
the Security Assertion Markup Language (SAML) assertion is not
supported.  The supported elements are [X509Data, KeyName,
KeyValue].

CWSML7026E: The [{0}] sub-element of the X509Data element in
the Security Assertion Markup Language (SAML) assertion is not
supported.  The supported elements are [X509Certificate,
X509IssuerSerial, X509SubjectName, X509SKI].

CWSML7027E: The SecurityTokenReference element in the KeyInfo
element in the Security Assertion Markup Language (SAML)
assertion contains a sub-element that is not supported: [{0}].
 The supported sub-elements are [X509Data, KeyName, KeyValue].

CWSML7028E: The evaluated value for the KeyInfo element in the
Security Assertion Markup Language (SAML) assertion does not
match the key defined in the SAML the configuration: [{0}].

CWSML7029E: An X.509 certificate was not obtained from the
KeyInfo element in the Security Assertion Markup Language
(SAML) assertion, so trust cannot be evaluated.  Either use a
KeyInfo method that yields a usable X.509 certificate or turn
off trust validation.  The supported methods are [X509Data,
KeyName].

The fix for this APAR is currently targeted for inclusion in
fix packs 7.0.0.39, 8.0.0.12, and 8.5.5.8.  Please refer to
the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, WSSEC, SAMLWSSO, SAMLWSSEC

Temporary fix

Comments

APAR Information

APAR number
PI38151
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-04-01
Closed date
2015-08-17
Last modified date
2015-09-24

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R700 PSY
UP
R800 PSY
UP
R850 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022

Tips

PI38151: THROW EXCEPTION IF RECEIVE UNSUPPORTED KEYINFO IN SAML

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

R850 PSY

Document Information

Share your feedback

Need support?