IBM Support

PI95405: LIBERTY MAY NOT FIND KEY IN JWK BY X5T

Fixes are available

18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

 

APAR status

  • Closed as program error.

Error description

  • A key cannot be referenced from a JWK using OpenID Connect in
    Liberty.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty and JWT authentication       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Liberty may not be able to find a key   *
    *                      referenced with x5t in the JWT          *
    *                      authentication scenario                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In the JSON Web Token (JWT) authentication scenario, where the
    inboundPropagation openidConnectClient configuration attribute
    is set to required, if the JWT is signed with RS256 and the key
    is referenced with x5t, Liberty cannot resolve the key for
    signature validation.
    An entry like this may be observed in a Liberty OIDC trace:
    [3/9/18 19:52:16:861 UTC] 00000033 JwKRetriever  < getPublicKeyFromJwk Exit
    null
    [3/9/18 19:52:16:861 UTC] 00000033 OidcClientCon > getSignatureAlgorithm Entry
    RS256
    No Key
    CWWKS1739E: A signing key required by signature algorithm [RS256] was not available.
    This issue does not apply to the Liberty OpenID Connect client.
    The Liberty OpenID Connect client can resolve a key referenced
    with x5t to verify an id_token.
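
The lookup this APAR concerns, as an added example that is not IBM's code and not part of the APAR: matching a JWT's `x5t` header against a JWK set as defined in RFC 7515 and RFC 7517, where `x5t` is the base64url-encoded SHA-1 digest of the DER-encoded certificate. The function names, the placeholder certificate bytes, the JWKS and the token are all constructed for the illustration.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the JOSE encoding (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def x5t_of(der_cert: bytes) -> str:
    """x5t is base64url(SHA-1(DER-encoded X.509 certificate))."""
    return b64url(hashlib.sha1(der_cert).digest())

def jwt_header(token: str) -> dict:
    """Decode the protected header (first segment) of a compact JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))

def find_jwk(header: dict, jwks: dict):
    """Return the JWK named by the header's kid or x5t, else None."""
    kid, x5t = header.get("kid"), header.get("x5t")
    for jwk in jwks.get("keys", []):
        if kid is not None and jwk.get("kid") == kid:
            return jwk
        if x5t is not None:
            # A JWK may carry x5t itself or only the x5c chain
            # (standard base64 DER, leaf certificate first).
            have = jwk.get("x5t")
            if have is None and jwk.get("x5c"):
                have = x5t_of(base64.b64decode(jwk["x5c"][0]))
            if have == x5t:
                return jwk
    return None

# Constructed sample data: placeholder bytes stand in for DER certificates,
# and the JWKs omit the RSA parameters because only the lookup is shown.
CERT_A, CERT_B = b"constructed-der-cert-A", b"constructed-der-cert-B"
JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "x5t": x5t_of(CERT_A)},
    {"kty": "RSA", "use": "sig", "x5c": [base64.b64encode(CERT_B).decode()]},
]}

def make_token(header: dict) -> str:
    """Build a compact JWT whose payload and signature are dummies."""
    return b64url(json.dumps(header).encode()) + ".e30.c2ln"

if __name__ == "__main__":
    tok = make_token({"alg": "RS256", "x5t": x5t_of(CERT_B)})
    print(find_jwk(jwt_header(tok), JWKS))
```

Running the same lookup against the provider's real JWKS and the header of a rejected token shows whether the `x5t` value in the token corresponds to any published key before the server configuration is suspected.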
    

Problem conclusion

  • Liberty is updated so that it is able to obtain a key that is
    referenced with x5t from a JWT that is signed with RS256 in the
    JWT authentication scenario.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.3.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI95405

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-19

  • Closed date

    2018-04-04

  • Last modified date

    2018-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • RCD0 PSY

       UP


Document Information

Modified date:
18 October 2021