Fixes are available
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
9.0.5.6: WebSphere Application Server traditional Version 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
During the setup of the OpenID Connect TAI, one of the requirements is to import the OpenID Connect provider's signer certificate into the WebSphere Application Server's default trust store. Which store that is depends on the topology: in a Network Deployment cell with managed nodes it is CellDefaultTrustStore, whereas in a single-profile instance it is NodeDefaultTrustStore. Some customers cannot import the certificate into the application server's default trust store.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 OpenID Connect Relying Party                 *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC RP TAI can only use a JWK or   *
*                      default trust store to get              *
*                      certificate to verify signature         *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 includes this APAR.                          *
****************************************************************
If not using a JSON Web Key (JWK), the OpenID Connect Relying Party (RP) TAI can only obtain the certificate to verify a signature from the application server's default trust store. Customers may have use cases where they can use neither a JWK nor the default trust store. In this case, an alternative method for specifying a different trust store should be provided.
Problem conclusion
The following optional OIDC RP TAI property is added:
=================================
provider_<id>.trustStore
This property specifies the trust store from which to obtain the certificate specified on the provider_<id>.signVerifyAlias property. If provider_<id>.trustStore is not specified, the default trust store is used. On a single server, the default trust store is NodeDefaultTrustStore; otherwise, it is CellDefaultTrustStore.
Example values for this property are:
* myKeyStoreRef
* name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
=================================
The description for the provider_<id>.signVerifyAlias property is updated to:
=================================
Specifies the alias of the certificate in the trust store that might be used to verify the signature from the OP. This property must be set if the signatureAlgorithm custom property is set to RS256 and you do not set the jwkEndpointUrl custom property to obtain the OP's JSON Web Key (JWK).
=================================
The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.15, 8.5.5.14, and 9.0.0.8. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
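The rules stated above (signVerifyAlias is mandatory for RS256 without a jwkEndpointUrl; trustStore falls back to NodeDefaultTrustStore or CellDefaultTrustStore; trustStore is only honoured from fix packs 8.0.0.15, 8.5.5.14 and 9.0.0.8) are easy to get wrong when a provider's properties are spread across many custom properties. The following is an added example, not IBM's code and not part of this APAR, that applies those rules to a set of provider_<id>.* properties before they are pushed to the TAI: it parses both documented forms of the trustStore value, flags an RS256 provider that has neither a JWK endpoint nor a signVerifyAlias, and warns when trustStore is set on a server level that predates the fix (where the default store would be used instead). The property values (OidcTrustStore, op1-signer, the JWKS URL) are constructed for the example; the version-to-fix mapping is taken from the fix-pack targets named in this conclusion.

```python
"""Pre-flight check for OIDC RP TAI provider_<id>.* properties (added example).

Not IBM code. Encodes the signVerifyAlias / trustStore rules documented for
APAR PI92210 so a misconfiguration is caught before the TAI is (re)configured.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample properties: provider 1 is complete, provider 2 lacks the
# alias it needs, provider 3 uses a JWK endpoint and so needs no trust store.
SAMPLE_PROPS = {
    "provider_1.identifier": "op1",
    "provider_1.signatureAlgorithm": "RS256",
    "provider_1.signVerifyAlias": "op1-signer",
    "provider_1.trustStore": "name=OidcTrustStore managementScope=(cell):myCell:(node):myNode",
    "provider_2.identifier": "op2",
    "provider_2.signatureAlgorithm": "RS256",
    "provider_3.identifier": "op3",
    "provider_3.signatureAlgorithm": "RS256",
    "provider_3.jwkEndpointUrl": "https://op3.example/jwks",  # constructed URL
}

# First fix pack on each release line that honours provider_<id>.trustStore
# (from the APAR's "targeted for inclusion" statement).
MIN_FIX_LEVEL = {(8, 0): (8, 0, 0, 15), (8, 5): (8, 5, 5, 14), (9, 0): (9, 0, 0, 8)}


@dataclass
class TrustStoreRef:
    name: str
    management_scope: Optional[str]  # None: no managementScope given


def parse_trust_store(value: str) -> TrustStoreRef:
    """Parse the two documented forms: 'myKeyStoreRef' or
    'name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode'."""
    value = value.strip()
    if "=" not in value:
        return TrustStoreRef(value, None)
    fields = dict(re.findall(r"(\w+)=(\S+)", value))
    if "name" not in fields:
        raise ValueError(f"trustStore value has no name= field: {value!r}")
    return TrustStoreRef(fields["name"], fields.get("managementScope"))


def fix_present(was_version: str) -> bool:
    """True if a WAS version string (e.g. '8.5.5.14') includes the PI92210 fix."""
    parts = tuple(int(x) for x in was_version.split("."))
    floor = MIN_FIX_LEVEL.get(parts[:2])
    return floor is not None and parts >= floor


def provider_ids(props: Dict[str, str]) -> List[int]:
    ids = {int(m.group(1)) for k in props if (m := re.match(r"provider_(\d+)\.", k))}
    return sorted(ids)


def check_providers(props: Dict[str, str], single_server: bool = True,
                    was_version: str = "9.0.0.8") -> Tuple[List[Tuple[int, str]], Dict[int, str]]:
    """Return (findings, effective_source): findings are (provider id, message);
    effective_source says where each provider's signature key would come from."""
    default_store = "NodeDefaultTrustStore" if single_server else "CellDefaultTrustStore"
    findings: List[Tuple[int, str]] = []
    effective: Dict[int, str] = {}
    for pid in provider_ids(props):
        p = f"provider_{pid}."
        alg = props.get(p + "signatureAlgorithm")
        jwk = props.get(p + "jwkEndpointUrl")
        alias = props.get(p + "signVerifyAlias")
        raw_store = props.get(p + "trustStore")
        if jwk:
            # Signature key comes from the OP's JWK set; trustStore does not apply.
            effective[pid] = "JWK:" + jwk
            continue
        if alg == "RS256" and not alias:
            findings.append((pid, "signatureAlgorithm=RS256 without jwkEndpointUrl requires signVerifyAlias"))
        if raw_store is None:
            effective[pid] = default_store
        elif not fix_present(was_version):
            findings.append((pid, f"trustStore is ignored before the PI92210 fix level; {default_store} is used"))
            effective[pid] = default_store
        else:
            effective[pid] = parse_trust_store(raw_store).name
    return findings, effective


if __name__ == "__main__":
    for version in ("8.5.5.13", "8.5.5.14"):
        found, where = check_providers(SAMPLE_PROPS, single_server=True, was_version=version)
        print(version, where)
        for pid, msg in found:
            print(f"  provider_{pid}: {msg}")
```

Run it against the exported custom properties of the RelyingParty interceptor; an empty findings list for the target fix level means every RS256 provider without a JWK endpoint names an alias, and the effective_source map tells you which store that alias must actually exist in.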
Temporary fix
Comments
APAR Information
APAR number
PI92210
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-01-09
Closed date
2018-01-29
Last modified date
2018-02-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
03 May 2022