Fixes are available
PI54960:provide property to set Java security algorithm related properties
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
Provide WebSphere Application Server properties whose values are read and used to set the Java Security algorithm properties, if those are not already set in the java.security file.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION: The server needs a way to set java security properties jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms.
RECOMMENDATION:

WebSphere Application Server will set jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms properties programmatically.
Problem conclusion
The JRE has started disabling algorithms that are weak or are considered vulnerable. The JRE disables these algorithms by setting them on the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms Security properties in the java.security file. The jdk.tls.disabledAlgorithms property is used to disable algorithms during TLS handshaking. The jdk.certpath.disabledAlgorithms property is used to disable algorithms during certification path processing.

WebSphere does not modify the java.security file in the service stream. To make sure the server is at the recommended level of security, WebSphere will set these properties programmatically. During server startup, jdk.tls.disabledAlgorithms will be set to SSLv3, RC4, DH keySize < 768, MD5withRSA and jdk.certpath.disabledAlgorithms will be set to MD2, RSA keySize < 1024, MD5. An informational message will be printed in the SystemOut.log file telling users what WebSphere is setting them to.

There are 2 new WebSphere security custom properties that users can use either to customize what is set on the Security properties or to tell WebSphere not to set the properties programmatically at all.

1. The com.ibm.websphere.tls.disabledAlgorithms security custom property can be used to give WebSphere a custom list of algorithms to disable during TLS handshaking. Users who do not want WebSphere to programmatically set the Java Security property jdk.tls.disabledAlgorithms can set com.ibm.websphere.tls.disabledAlgorithms to none.

2. The com.ibm.websphere.certpath.disabledAlgorithms security custom property can be used to give WebSphere a custom list of algorithms to disable during certification path processing. Users who do not want WebSphere to programmatically set the Java Security property jdk.certpath.disabledAlgorithms can set com.ibm.websphere.certpath.disabledAlgorithms to none.
To set a security custom property on the Admin Console go to: Security > Global security > Custom properties

Select New. In the box labeled Name add com.ibm.websphere.tls.disabledAlgorithms or com.ibm.websphere.certpath.disabledAlgorithms, and in the box labeled Value enter either a comma-separated list of algorithms or none if you don't want WebSphere to set the Security properties. Apply and Save the changes. The server will need to be restarted for the properties to take effect.

The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.41, 8.0.0.13, and 8.5.5.10. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
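An added example, not IBM code and not part of the APAR: a small Java check that reads the two Security properties in the running JVM and lists which entries of the baseline values stated above are not covered, for instance after a custom list or none has been configured. The class and method names are hypothetical; the comparison is literal plus a keySize threshold check, does not model the JDK's own algorithm-name matching, and avoids Java 7 syntax so it compiles on the Java 6 SDK.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not IBM code; class and method names are hypothetical.
public class DisabledAlgCheck {
    // Baseline values as stated in the APAR text above.
    static final String TLS_BASE = "SSLv3, RC4, DH keySize < 768, MD5withRSA";
    static final String CERTPATH_BASE = "MD2, RSA keySize < 1024, MD5";
    static final Pattern KEYSIZE = Pattern.compile("(\\S+) keySize < (\\d+)");

    // Split a property value into trimmed entries with single spaces.
    static List<String> entries(String value) {
        List<String> out = new ArrayList<String>();
        if (value == null) return out;            // property not set at all
        for (String s : value.split(",")) {
            String t = s.trim().replaceAll("\\s+", " ");
            if (t.length() > 0) out.add(t);
        }
        return out;
    }

    // True if 'want' is disabled outright or by an equal or stricter keySize limit.
    static boolean covered(String want, List<String> have) {
        Matcher w = KEYSIZE.matcher(want);
        boolean sized = w.matches();
        String alg = sized ? w.group(1) : want;
        for (String h : have) {
            if (h.equalsIgnoreCase(alg)) return true;
            Matcher m = KEYSIZE.matcher(h);
            if (sized && m.matches() && m.group(1).equalsIgnoreCase(alg)
                    && Integer.parseInt(m.group(2)) >= Integer.parseInt(w.group(2))) return true;
        }
        return false;
    }

    // Baseline entries that the current value of 'prop' does not cover.
    static List<String> missing(String prop, String baseline) {
        List<String> have = entries(Security.getProperty(prop));
        List<String> gaps = new ArrayList<String>();
        for (String want : entries(baseline)) if (!covered(want, have)) gaps.add(want);
        return gaps;
    }

    public static void main(String[] args) {
        System.out.println("tls not covered: " + missing("jdk.tls.disabledAlgorithms", TLS_BASE));
        System.out.println("certpath not covered: " + missing("jdk.certpath.disabledAlgorithms", CERTPATH_BASE));
    }
}
```

Run standalone, this reports only what the java.security file provides; to see the values WebSphere set at startup, call `missing` from code running inside the server JVM.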
Temporary fix
Comments
APAR Information
APAR number
PI54960
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-01-07
Closed date
2016-02-03
Last modified date
2016-04-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022