IBM Support

PI79275: JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.

Fixes are available

17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In WebSphere Liberty 17.0.0.1, if a user attempts to invoke
    a remote HTTPS
    service using the JAX-RS 2.0 client APIs, and they have the
    ssl-1.0 feature
    enabled in server configuration, but do not have any SSL
    configuration, then
    the invocation may fail, and the user may see a warning in
    the logs like this:
    
    [3/14/17 13:42:55:957 CDT] 00000035
    m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017
    0227-0220(id=83)] W Interceptor for
    {https://testserver.internal.ibm.com}WebCli
    ent has thrown exception, unwinding now
    org.apache.cxf.interceptor.Fault: Could not send Message.
    at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS
    enderEnd
    ingInterceptor.handleMessage(MessageSenderInterceptor.java:6
    4)
    ...
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.io.IOException: IOException invoking
    https://asset-websphere.ib
    m.com: SSLSocketFactory creation fails as the SSL
    configuration reference "null
    " is invalid.
    at
    sun.reflect.NativeConstructorAccessorImpl.newInstance0(Nativ
    e Method
    ...
    at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS
    enderEnd
    ingInterceptor.handleMessage(MessageSenderInterceptor.java:6
    2)
        ... 58 more
    Caused by: java.io.IOException: SSLSocketFactory creation
    fails as the SSL conf
    iguration reference "null" is invalid.
    at
    com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketF
    actory.c
    reateSocket(JaxRsProxySSLSocketFactory.java:80)
    ...
    at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
    m.close(
    HTTPConduit.java:1348)
        ... 61 more
    
    This occurs because the JAX-RS framework in the Liberty
    server is unable to
    find the SSL configuration, since none is specified.  In
    previous releases of
    WebSphere Liberty, the JAX-RS framework would use the
    default configuration as
    provided by the JVM.
     
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - JAX-RS                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-RS 2.0 Client calls fail when ssl-  *
    *                      1.0 feature is enabled without any SSL  *
    *                      configuration.                          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In WebSphere Liberty 17.0.0.1, if a user attempts to invoke a
    remote HTTPS
    service using the JAX-RS 2.0 client APIs, and they have the ssl-
    1.0 feature
    enabled in server configuration, but do not have any SSL
    configuration, then
    the invocation may fail, and the user may see a warning in the
    logs like this:
    
    [3/14/17 13:42:55:957 CDT] 00000035
    m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017
    0227-0220(id=83)] W Interceptor for
    {https://testserver.internal.ibm.com}WebCli
    ent has thrown exception, unwinding now
    org.apache.cxf.interceptor.Fault: Could not send Message.
    	at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEnd
    ingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
    ...
    	at java.lang.Thread.run(Thread.java:745)
    Caused by: java.io.IOException: IOException invoking
    https://asset-websphere.ib
    m.com: SSLSocketFactory creation fails as the SSL configuration
    reference "null
    " is invalid.
    	at
    sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
    Method
    ...
    	at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEnd
    ingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    	... 58 more
    Caused by: java.io.IOException: SSLSocketFactory creation fails
    as the SSL conf
    iguration reference "null" is invalid.
    	at
    com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketFacto
    ry.c
    reateSocket(JaxRsProxySSLSocketFactory.java:80)
    ...
    	at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
    ose(
    HTTPConduit.java:1348)
    	... 61 more
    
    This occurs because the JAX-RS framework in the Liberty server
    is unable to
    find the SSL configuration, since none is specified.  In
    previous releases of
    WebSphere Liberty, the JAX-RS framework would use the default
    configuration as
    provided by the JVM.
    

Problem conclusion

  • The fix for this APAR will detect the case where the ssl-1.0
    feature is enabled, but no SSL configuration is provided in the
    server configuration.  When that case is detected, the JAX-RS
    framework will use the JVM's default SSL configuration.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 17.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • There are three known workarounds for this problem:
    1) Remove the ssl-1.0 feature from the featureManager element in
    the server's
    configuration (server.xml, etc.).  JAX-RS Client calls will use
    the JVM's SSL
    configuration.
    2) Add a default SSL configuration to your server's
    configuration.  For
    example:
         <ssl id="defaultSSLConfig" keyStoreRef="clientKeyStore"
    trustStoreRef="cli
    entTrustStore" />
         <keyStore id="clientKeyStore" location="/path/to/key.jks"
    type="JKS" passw
    ord="myPassword" />
         <keyStore id="clientTrustStore"
    location="/path/to/trust.jks" type="JKS"
    password="myPassword" />
    3) Modify the JAX-RS client code to specify a default SSL
    context.  Ex:
            ClientBuilder cb = ClientBuilder.newBuilder();
            cb.sslContext(SSLContext.getDefault());
            Client c = cb.build();
    

Comments

APAR Information

  • APAR number

    PI79275

  • Reported component name

    WAS LIBERTY COR

  • Reported component ID

    5725L2900

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-04-03

  • Closed date

    2017-04-13

  • Last modified date

    2017-04-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS LIBERTY COR

  • Fixed component ID

    5725L2900

Applicable component levels

  • RCD0 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
18 October 2021