IBM Support

PI73938: DYNAMIC OUTBOUND ENDPOINT SSL CONFIGURATION DOES NOT PICK UP CORRECT HOSTNAME AND SSLCONFIG


APAR status

  • Closed as program error.

Error description

  • The dynamic outbound endpoint SSL configuration is not picking up
    the correct hostname and SSLConfig.
    Scenario:
    Two dynamic outbound SSL configurations are configured for the
    same application server.
    One dynamic outbound SSL configuration applies to outbound SSL
    to hostname ospproxy.ibm.com.
    The second dynamic outbound SSL configuration applies to outbound
    SSL to hostname proxy.ibm.com.
    When the application sends outbound SSL to hostname
    ospproxy.ibm.com, the dynamic outbound selection picks up the
    wrong target host and SSL config. The hostname is not picked
    according to the predefined selection criteria.
    Example trace:
    JSSEHelper    >  getProperties Entry
    ""
    {com.ibm.ssl.remotePort=8443,
    com.ibm.ssl.direction=outbound,
    com.ibm.ssl.remoteHost=ospproxy.ibm.com,
    com.ibm.ssl.endPointName=WEBSERVICES_HTTP}
    SSLConfigMana 3   Protocol: *, Host: proxy.ibm.com, Port: *
    SSLConfigMana 3   Found a dynamic selection match!
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Dynamic SSL Outbound Configurations     *
    *                      may match domain names it should not.   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When configuring SSL Dynamic Outbound settings, the "name"
    field is incorrectly used for partial matches. Currently, a
    name value of proxy.mycompany.com would be incorrectly
    considered a match for abcproxy.mycompany.com, while a name
    setting of mycompany.com is correctly considered a match for
    both proxy.mycompany.com and abcproxy.mycompany.com.
    A hostname consists of a series of dot-qualified <labels>:
    <label>.<label>.<label>. We should never partially match
    within a label. Some examples:
    Name=proxy.mycompany.com should not match hostname abcproxy.mycompany.com
    Name=company.com should not match hostname myhostname.mycompany.com
    Name=mycompany.com should match hostname myhostname.mycompany.com
    

Problem conclusion

  • Code has been updated so that partial matches within a <label>
    are not considered a match.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.14, 8.5.5.12 and 9.0.0.4.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
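
The label-boundary rule described above, as an added Python sketch (not IBM's code and not part of the original APAR). The pre-fix comparison is modelled as a plain string suffix test, which is an assumption that reproduces the examples on this page; the function names and the `audit` helper are hypothetical. `audit` lists target hosts that a configured name would capture only through a partial-label match, which is useful for reviewing existing selections on an unpatched level.

```python
# Added illustration; not WebSphere source code.

def _norm(name):
    # Hostnames compare case-insensitively; a trailing dot is the DNS root.
    return name.strip().lower().rstrip(".")

def partial_match(name, host):
    """Pre-fix behaviour per the APAR text, modelled (assumption) as a
    raw string suffix comparison that ignores label boundaries."""
    return _norm(host).endswith(_norm(name))

def label_match(name, host):
    """Fixed behaviour: name equals host, or is a suffix made of whole labels."""
    n, h = _norm(name).split("."), _norm(host).split(".")
    if not all(n) or len(n) > len(h):   # reject empty labels / longer names
        return False
    return h[-len(n):] == n

def audit(names, hosts):
    """Return (host, name) pairs matched only by the partial comparison."""
    return [(h, n) for h in hosts for n in names
            if partial_match(n, h) and not label_match(n, h)]

# Constructed sample input, using the hostnames quoted in this APAR.
CONFIGURED_NAMES = ["proxy.ibm.com", "company.com", "mycompany.com"]
TARGET_HOSTS = [
    "ospproxy.ibm.com",
    "proxy.ibm.com",
    "abcproxy.mycompany.com",
    "myhostname.mycompany.com",
]

if __name__ == "__main__":
    for host, name in audit(CONFIGURED_NAMES, TARGET_HOSTS):
        print(f"{host}: captured by name '{name}' only via partial-label match")
```

Any pair reported by `audit` is a connection whose SSL configuration can change once the fix pack is applied, so each one should be checked against the intended selection.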
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI73938

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-16

  • Closed date

    2017-03-14

  • Last modified date

    2017-03-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

Document Information

Modified date:
18 October 2021