IBM Support

PM76997: VMM CERTIFICATE AUTHENTICATION FAILS WHEN DN CONTAINS NON-DEFAULT X509CERTIFICATE ATTRIBUTES.

Fixes are available

8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Certificate authentication fails with VMM when the subject
    or issuer DN of the certificate contains attributes other than
    the default X509Certificate attributes (CN, L, ST, O, OU, C,
    STREET, DC, UID).
    
    For example when certificate DN contains an attribute say
    EMAILADDRESS like DN="CN=Bob Smith,OU=companyunit,O=company,
    EMAILADDRESS=bob@company.com"
    authentication fails with the following exception:
    
    com.ibm.websphere.wim.exception.CertificateMapperException:
    CWWIM0003E
    The 'EMAILADDRESS' Distinguished Name field is unknown.
    com.ibm.ws.wim.adapter.ldap.LdapHelper.getDNSubField(LdapHelper.
    java:960)
    com.ibm.ws.wim.adapter.ldap.LdapConfigManager.getCertificateLDAP
    Filter(LdapConfigManager.java:1210)
    com.ibm.ws.wim.adapter.ldap.LdapAdapter.mapCertificate(LdapAdapt
    er.java:2794)
    com.ibm.ws.wim.adapter.ldap.LdapAdapter.login(LdapAdapter.java:2
    681)
    com.ibm.ws.wim.ProfileManager.loginImpl(ProfileManager.java:3573
    )
    com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(Profil
    eManager.java:304)
    com.ibm.ws.wim.ProfileManager.login(ProfileManager.java:412)
    com.ibm.websphere.wim.ServiceProvider.login(ServiceProvider.java
    :485)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.0 and V8.5                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Certificate authentication fails for    *
    *                      Virtual Member Manager when             *
    *                      Distinguished Name (DN) contains        *
    *                      non-default attributes.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    During certificate authentication, if the
    subjectDN of issuerDN field retrieved from
    the certificate contains non-default X509Certificate
    attributes (such as CN, L, ST, O, OU, C, STREET, DC, UID), then
    the non-default attributes are returned in their
    Object Identifier (OID) form, due to which login fails with
    invalid DN field error. This is applicable for both LDAP and
    File repositories.
    For example, if the certificate filter is:
    certsubjectName=${SubjectDN}, and DN=CN=Bob
    Smith,OU=companyunit,O=company,EMAILADDRESS=bob@company.com,
    login fails with "CWWIM0003E The 'EMAILADDRESS' Distinguished
    Name field is unknown" error message.
    

Problem conclusion

  • Instead of using cert.getIssuerX500Principal().getName() which
    returns the non-default attributes in its OID form, the code
    will now use cert.getIssuerX500Principal().toString() and
    handle the spaces between the attributes appropriately.
    
    APAR PM76997 is currently targeted for inclusion in
    Fix Packs 8.0.0.6 and 8.5.0.2 of WebSphere Application
    Server.
    
    Please refer to the Recommended Updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    In addition, please refer to URL:
    http://www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack PTF information.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM76997

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-13

  • Closed date

    2013-01-14

  • Last modified date

    2013-01-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 June 2020