IBM Support

PI92210: OIDC RP CONFIGURATION OF LOCATION OF SIGN VERIFY CERTIFICATE IS NOT CUSTOMIZABLE


APAR status

  • Closed as program error.

Error description

  • During the setup of the OpenID Connect TAI, one of the
    requirements is to import the OpenID Connect provider's signer
    certificate into the WebSphere Application Server's default
    trust store.  Which store that is depends on the client
    environment: a Network Deployment cell with managed nodes uses
    CellDefaultTrustStore, whereas a single profile instance uses
    NodeDefaultTrustStore.
    
    Some customers cannot import the certificate to the
    application server's default trust store.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect Relying Party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP TAI can only use a JWK or   *
    *                      default trust store to get              *
    *                      certificate to verify signature         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    If not using a JSON Web Key (JWK), the OpenID Connect Relying
    Party (RP) TAI can only obtain the certificate to verify a
    signature from the application server's default trust store.
    Customers may have use cases where they can use neither a JWK
    nor the default trust store.  In this case, an alternative
    method for specifying a different trust store should be
    provided.
    

Problem conclusion

  • The following optional OIDC RP TAI property is added:
    
    =================================
    provider_<id>.trustStore
    
    This property specifies the trust store from which to obtain
    the certificate specified on the provider_<id>.signVerifyAlias
    property.
    
    If provider_<id>.trustStore is not specified, the default
    trust store is used.  On a single server, the default trust
    store is NodeDefaultTrustStore, otherwise, it is
    CellDefaultTrustStore.
    
    Example values for this property are:
    * myKeyStoreRef
    * name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
    =================================
    
    The description for the provider_<id>.signVerifyAlias property
    is updated to:
    
    =================================
    Specifies the alias of the certificate in the trust store that
    might be used to verify the signature from the OP.
    
    This property must be set if the signatureAlgorithm custom
    property is set to RS256 and you do not set the jwkEndpointUrl
    custom property to obtain the OP's JSON Web Key (JWK).
    =================================
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.15, 8.5.5.14, and 9.0.0.8.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
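    As an added illustration (not IBM's code), a small Python validator that parses both documented value forms of provider_<id>.trustStore, applies the default trust store rule, and checks the RS256 / jwkEndpointUrl / signVerifyAlias requirement stated above. The provider_<id>. prefix on signatureAlgorithm and jwkEndpointUrl, and the sample values, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of OIDC RP TAI custom properties for provider id 1; the
# provider_<id>. prefix on signatureAlgorithm/jwkEndpointUrl is an assumption.
SAMPLE_PROPS: Dict[str, str] = {
    "provider_1.signatureAlgorithm": "RS256",
    "provider_1.signVerifyAlias": "opsigner",
    "provider_1.trustStore": "name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode",
}

@dataclass
class TrustStoreRef:
    name: str
    management_scope: Optional[str] = None

# Scoped form documented in the APAR: name=<ref> managementScope=<scope>
_SCOPED_FORM = re.compile(r"^name=(\S+)\s+managementScope=(\S+)$")

def parse_trust_store(value: str) -> TrustStoreRef:
    """Parse either value form of provider_<id>.trustStore."""
    value = value.strip()
    match = _SCOPED_FORM.match(value)
    if match:
        return TrustStoreRef(match.group(1), match.group(2))
    if re.fullmatch(r"[^\s=]+", value):      # bare keystore reference
        return TrustStoreRef(value)
    raise ValueError(f"unrecognised trustStore value: {value!r}")

def resolve_trust_store(props: Dict[str, str], pid: int, single_server: bool) -> TrustStoreRef:
    """Store searched for the signVerifyAlias certificate; default per the APAR when unset."""
    raw = props.get(f"provider_{pid}.trustStore")
    if raw:
        return parse_trust_store(raw)
    return TrustStoreRef("NodeDefaultTrustStore" if single_server else "CellDefaultTrustStore")

def check_signature_config(props: Dict[str, str], pid: int) -> List[str]:
    """Return the misconfigurations the APAR text describes for one provider."""
    prop = lambda key: props.get(f"provider_{pid}.{key}")
    problems: List[str] = []
    # RS256 without a JWK endpoint needs a certificate alias to verify against.
    if prop("signatureAlgorithm") == "RS256" and not prop("jwkEndpointUrl") and not prop("signVerifyAlias"):
        problems.append("signVerifyAlias is required: signatureAlgorithm is RS256 and jwkEndpointUrl is unset")
    if prop("trustStore"):
        try:
            parse_trust_store(prop("trustStore"))
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```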

Temporary fix

Comments

APAR Information

  • APAR number

    PI92210

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-09

  • Closed date

    2018-01-29

  • Last modified date

    2018-02-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
18 October 2021