IBM Support

PM12973; 7.0.0.9: JAX-WS WS-Security does not allow a trust store to be reloaded

Download


Abstract

JAX-WS WS-Security does not allow a trust store to be reloaded during runtime

Download Description

PM12973 resolves the following problem:

ERROR DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, the trust validation will fail.

LOCAL FIX:
na

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server V7.0 users of WS-Security enabled JAX-WS applications

PROBLEM DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime

RECOMMENDATION:
Apply an ifix or fixpack that includes this APAR.

JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, the trust validation will fail.

Applications may require the ability to reload a trust store during runtime.

PROBLEM CONCLUSION:
The trust store is a keystore. JAX-WS WS-Security does not detect a refresh of any keystore while the application server is running. For performance reasons, keystores are cached in memory when each application is started. The cache is shared among applications, so if a single application is stopped, its keystore(s) remain in the cache.

The WS-Security custom property is added:

com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure

If com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure is set to true, then when a trust validation failure occurs, the WS-Security runtime reloads its configured trust store from disk and retries the trust validation once. If the second attempt also fails, the trust validation failure is returned.

The reloaded trust store is used for that single re-validation attempt only; the keystore object in the cache is not replaced, because of concurrency concerns. Two consequences follow from this design. First, every failed trust validation costs an additional read of the trust store, since the reload is repeated on each failure rather than updating the cache. Second, the property only helps with certificates that are added: a certificate that is removed from the on-disk trust store continues to validate against the cached copy, and because that validation succeeds no reload is triggered, so the removal takes effect only when the server is restarted.

Valid values for this property are true and false. It defaults to false.
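The following Python model is an added illustration of the retry semantics described above; it is not WebSphere code and does not use the WS-Security runtime. It represents the trust store as a set of certificate fingerprints (constructed sample data), caches it once at consumer start-up, and, when the hypothetical property is "true", re-reads the on-disk store for a single failed validation without replacing the cached object. The cases it exercises are the ones a practitioner needs to know: a certificate added after start-up, a certificate removed after start-up, an unknown certificate, and the number of reloads each costs.

```python
"""Model of retryOnceAfterTrustFailure behaviour (added example, not IBM code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Property name as documented; the consumer below is a stand-in, not the real one.
PROP = "com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure"


@dataclass
class TrustStoreFile:
    """Stand-in for the keystore file on disk. `trusted` is constructed sample data."""
    trusted: Set[str] = field(default_factory=set)
    reads: int = 0  # counts how often the store is read from "disk"

    def load(self) -> frozenset:
        self.reads += 1
        return frozenset(self.trusted)


class X509TokenConsumer:
    """Hypothetical token consumer that mirrors the caching rules in the text."""

    def __init__(self, store: TrustStoreFile, props: Optional[Dict[str, str]] = None):
        self.store = store
        self.props = props or {}
        # Loaded once at application start and never replaced afterwards.
        self.cached = store.load()

    def _retry_enabled(self) -> bool:
        return str(self.props.get(PROP, "false")).lower() == "true"

    def validate(self, fingerprint: str) -> bool:
        # First attempt always runs against the cached keystore object.
        if fingerprint in self.cached:
            return True
        if not self._retry_enabled():
            return False
        # Retry once against a fresh read of the trust store. The fresh copy is
        # used for this attempt only; self.cached is deliberately left untouched.
        fresh = self.store.load()
        return fingerprint in fresh


def demo() -> Dict[str, object]:
    """Run the scenarios and return the observed results."""
    disk = TrustStoreFile({"ca-A"})
    default_consumer = X509TokenConsumer(disk)                  # property unset (false)
    retry_consumer = X509TokenConsumer(disk, {PROP: "true"})    # property enabled

    # After start-up an operator adds CA B and removes CA A from the file on disk.
    disk.trusted.add("ca-B")
    disk.trusted.discard("ca-A")

    results: Dict[str, object] = {}
    results["default_new_ca"] = default_consumer.validate("ca-B")     # stale cache, no retry
    results["retry_new_ca"] = retry_consumer.validate("ca-B")         # reload picks it up
    results["retry_new_ca_again"] = retry_consumer.validate("ca-B")   # reloads again: cache not updated
    results["retry_removed_ca"] = retry_consumer.validate("ca-A")     # still trusted from cache
    results["retry_unknown"] = retry_consumer.validate("ca-X")        # reload, then failure
    results["reloads"] = disk.reads  # 2 start-up loads + 3 retry reloads
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `retry_removed_ca` result is the one worth remembering: enabling the property lets newly added certificates validate, but it does not revoke trust in a certificate deleted from the file, because validation against the cached store succeeds before any reload happens.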

This property is set as a custom property on the Callback handler for an X.509, PKIPath, or PKCS#7 token consumer. The following path can be used to set the property in the administrative console:

(bindingName)->WS-Security->Authentication and protection->(tokenName)->Callback handler

For an application using the WS-Security WSS API, the property can also be set on the Callback handler for the token consumers listed above.

The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.13. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, 7,250,000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, 8,622 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12973/readme.txt

Download Package

7.0.0.7-WS-WAS-IFPM12973 (5/12/2010, US English, AIX, 877,599 bytes)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.7-WS-WAS-IFPM12973&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12973/7.0.0.7-WS-WAS-IFPM12973.pak

7.0.0.9-WS-WAS-IFPM12973 (5/12/2010, US English, AIX, 700,839 bytes)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.9-WS-WAS-IFPM12973&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12973/7.0.0.9-WS-WAS-IFPM12973.pak

7.0.0.11-WS-WAS-IFPM12973 (7/19/2010, US English, AIX, 176,273 bytes)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.11-WS-WAS-IFPM12973&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12973/7.0.0.11-WS-WAS-IFPM12973.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: Web Services Security
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 7.0.0.9; 7.0.0.7; 7.0.0.11
Edition: Base; Network Deployment
Line of Business: Automation (LOB45)

Problems (APARS) fixed
PK96427;PK97223;PK98750;PM01282;PM12973

Document Information

Modified date:
15 June 2018

UID

swg24026802