IBM Support

PI92210: OIDC RP CONFIGURATION OF LOCATION OF SIGN VERIFY CERTIFICATE IS NOT CUSTOMIZABLE

Fixes are available

8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • During the setup of the OpenID Connect TAI, one of the
    requirements is to import the OpenID Connect provider's signer
    certificate to the WebSphere Application Server's default
    trust store.  Generally, this depends on client environment,
    e.g.  if its Network Deployment with managed node use
    CellDefaultTrustStore, whereas in single profile instance,
    NodeDefaultTrustStore.
    
    Some customers cannot import the certificate to the
    application server's default trust store.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect Relying Party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP TAI can only use a JWK or   *
    *                      default trust store to get              *
    *                      certificate to verify signature         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    If not using a JSON Web Key (JWK), the OpenID Connect Relying
    Party (RP) TAI can only obtain the certificate to verify a
    signature from the application server's default trust store.
    Customers may have use cases where they can use neither a JWK
    nor the default trust store.  In this case, an alternative
    method for specifying different trust store should be
    provided.
    

Problem conclusion

  • The following optional OIDC RP TAI property is added:
    
    =================================
    provider_<id>.trustStore
    
    This property specifies the trust store from which to obtain
    the certificate specified on the provider_<id>.signVerifyAlias
    property.
    
    If provider_<id>.trustStore is not specified, the default
    trust store is used.  On a single server, the default trust
    store is NodeDefaultTrustStore, otherwise, it is
    CellDefaultTrustStore.
    
    Example values for this property are:
    * myKeyStoreRef
    * name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
    =================================
    
    The description for the provider_<id>.signVerifyAlias property
    is updated to:
    
    =================================
    Specifies the alias of the certificate in the trust store that
    might be used to verify the signature from the OP.
    
    This property must be set if the signatureAlgorithm custom
    property is set to RS256 and you do not set the jwkEndpointUrl
    custom property to obtain the OP's JSON Web Key (JWK).
    =================================
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.15, 8.5.5.14, and 9.0.0.8.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI92210

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-09

  • Closed date

    2018-01-29

  • Last modified date

    2018-02-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
06 December 2021