IBM Support

PI96508: OIDC RP MAY NOT CONNECT TO TOKEN ENDPOINT DUE TO SSL HANDSHAKE_FAILURE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect TAI may get an SSL handshake_failure when
    attempting to connect to the token endpoint.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: OpenID Connect may fail to connect to   *
    *                      the token endpoint because of an SSL    *
    *                      Handshake error                         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) improperly obtains the default SSL socket
    factory, which can cause an SSL handshake failure when
    attempting to connect to the token endpoint:
    [3/23/18 1:30:57:659 CDT] 000000dd WebAuthentica E SECJ0126E:
    Trust Association failed during validation. The exception is
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    CWTAI2007E: The OpenID Connect relying party (RP) encountered
    a failure during the login. The exception is [Failed to make a
    request to OP server]. Check the logs for details that lead to
    this exception.
    at
    com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallbac
    k(RelyingParty.java:468)
    at
    com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidatean
    dEstablishTrust(RelyingParty.java:249)
    at
    com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablish
    edTrust(TAIWrapper.java:103)
    at
    (snip)
    ... 28 more
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal
    alert:
    handshake_failure
    at com.ibm.jsse2.p.a(p.java:1)
    at com.ibm.jsse2.p.a(p.java:13)
    This issue may manifest itself in ways other than an SSL
    Handshake failure.
    

Problem conclusion

  • The OIDC TAI is updated to obtain the default SSL socket
    factory in the manner that is required by WebSphere Application
    Server core security.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.14 and 9.0.0.9.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96508

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-10

  • Closed date

    2018-05-03

  • Last modified date

    2018-05-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
01 December 2021