IBM Support

PI49893: Allow certificate validation to be disabled


You can track all active APARs for this component.


APAR status

  • Closed as program error.

Error description

  • Certificate validation based upon strict security from RFC5280
    may indicate errors that were previously unnoticed.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server web        *
    *                  server plugin users                         *
    * PROBLEM DESCRIPTION: After APAR PI39126 (,            *
    *            ,, the WAS WebServer   *
    *                      Plugin uses modern defaults for         *
    *                      SSL/TLS processing. This includes       *
    *                      disabling legacy protocols, ciphers,    *
    *                      and certificate validation. This may    *
    *                      cause problems if WAS has been          *
    *                      explicitly configured to use only       *
    *                      weak/export ciphers, or has been        *
    *                      configured with a certificate chain     *
    *                      that does not meet contemporary         *
    *                      standards.                              *
    * RECOMMENDATION:                                              *
    Errors with certificates may be indicated which previously
    were not indicated. This is because strict security based upon
    RFC 5280 is now enforced by default.

Problem conclusion

  • Problems seen fall into the following certificate processing
    related categories (See RFC5280 for complete details):
    BasicConstraints extension: All certificates used to validate
    digital signatures (AKA issuers, signers, or CA's) must
    contain a BasicConstraints extension with the "criticality"
    field set to TRUE.
    CertificatePolicies extension: The CertificatePolicies
    extension must be RFC5280 conformant across the certificate
    chain. The algorithm is quite complex, but in a simplifed form
    an intermediate signer cannot assert policies not also
    asserted by its own signer.
    The certificate validation changes introduced in PI39126 can be
    disabled, by setting the WAS Plugin custom property
    "certificate_validation_strict_rfc5280=false" on the Plugin
    Custom Properties panel.
    The fix for this APAR is included in fix pack and  Please refer to the Recommended Updates page for
    delivery information:
    The custom property can be set during plugin configuration
    generation in, or but the version 7
    plugin runtime will not recognize the property (this is added
    to v7 to allow v8 or v855 configurations to be generated).
    WebSphere is required to be at the specified level for the
    custom property to be placed in the generated plugin-cfg.xml
    file. The plugin module residing on the web server MUST be at
    the specified level for the custom property to have the
    desired effect.
    The property can manually be added to the configuration
    post-generation to avoid upgrading WebSphere. If the property
    is manually added to the plugin configuration file, it must be
    placed within the "Config" tag. For example:
    <Config ... certificate_validation_strict_rfc5280="false" ... >
    (... represents other properties which may be present within
    the Config tag)

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name


  • Fixed component ID


Applicable component levels

  • R800 PSY


  • R850 PSY


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022