IBM Support

PI96508: OIDC RP MAY NOT CONNECT TO TOKEN ENDPOINT DUE TO SSL HANDSHAKE_FAILURE

Fixes are available

PI96508: OIDC RP may not connect to token endpoint due to SSL handshake failure
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect TAI may get an SSL handshake_failure when
attempting to connect to the token endpoint.

Local fix

  • N/A

Problem summary

  • ****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OpenID Connect                              *
****************************************************************
* PROBLEM DESCRIPTION: OpenID Connect may fail to connect to   *
*                      the token endpoint because of an SSL    *
*                      Handshake error                         *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
The OpenID Connect (OIDC) Relying Party (RP) Trust Association
Interceptor (TAI) improperly obtains the default SSL socket
factory, which can cause an SSL handshake failure when
attempting to connect to the token endpoint:
[3/23/18 1:30:57:659 CDT] 000000dd WebAuthentica E SECJ0126E:
Trust Association failed during validation. The exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
CWTAI2007E: The OpenID Connect relying party (RP) encountered
a failure during the login. The exception is [Failed to make a
request to OP server]. Check the logs for details that lead to
this exception.
at
com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallbac
k(RelyingParty.java:468)
at
com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidatean
dEstablishTrust(RelyingParty.java:249)
at
com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablish
edTrust(TAIWrapper.java:103)
at
(snip)
... 28 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal
alert:
handshake_failure
at com.ibm.jsse2.p.a(p.java:1)
at com.ibm.jsse2.p.a(p.java:13)
This issue may manifest itself in ways other than an SSL
Handshake failure.

Problem conclusion

  • The OIDC TAI is updated to obtain the default SSL socket
factory in the manner that is required by WebSphere Application
Server core security.

The fix for this APAR is currently targeted for inclusion in
fix pack 8.5.5.14 and 9.0.0.9.  Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI96508
    • 

  • Reported component name
    WEBSPHERE APP S
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-04-10
    • 

  • Closed date
    2018-05-03
    • 

  • Last modified date
    2018-05-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE APP S
    • 

  • Fixed component ID
    5724J0800
    • 



Applicable component levels


    

  • R850  PSY
       UP
    • 

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 April 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback