IBM Support

PI39126: MODIFY PLUGIN TO AUTOMATICALLY VALIDATE SECURITY BASED ON CURRENT STANDARDS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The web server relies on gskit for SSL communications with
    some webservers. Gskit has the ability to allow an application
    to "opt in" for security enhancements without requiring
    application updates. This improves security of the component
    and reduces risks of security vulnerabilities.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server IBM HTTP   *
    *                  Server plugin users                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: New security vulnerabilities can        *
    *                      require continuous updates              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The security library (gskit) used with plugin when using IBM
    based web servers has the ability to tune itself based upon
    known security vulnerabilities. Plugin is enhancing its use of
    the library to take advantage of this feature.
    

Problem conclusion

  • Plugin will enable the gsk vaccinate function by default. If
    you would like to opt out of this feature, add the custom
    property AutoSecurity = false to the plugin custom properties.
    It is not recommended to opt out of this feature unless you
    fully understand and accept the security exposure it may
    present.
    
    WebSphere webServer Plug-in will also enforce compliance with
    RFC 5280 (published in 2008)for its TLS certificates after
    this change is applied.
    
    At the time this APAR was first issued, IBM believed
    certificates issued by public certificate authorities were
    long-since compliant.  We have later come to learn that a number
    of certificate authorities issue certificate chains that are
    not compliant with RFC5280, specifically in the area of
    the "Certificate Policies" extension.
    
    Certificates  created automatically by the application server
    are all compliant with RFC 5280.
    
    Some self-signed certificates or
    certificates issued by locally administered certificate
    authorities may not necessarily be compliant.    The most
    common non-compliance is the omission of a "BasicConstraints"
    extension with the "critical" field set to true.  In lieu of
    replacing the non-compliant certificate, the certificate
    validation changes in PI39126 can be disabled after the
    introduction of PI49893 (8.0.0.12, 8.5.5.8). Please examine
    PI49893 if you wish to disable certificate compliance checking.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.12 and 8.5.5.7.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI39126

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-04-15

  • Closed date

    2015-06-29

  • Last modified date

    2017-08-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022