IBM Support

PI96508: OIDC RP may not connect to token endpoint due to SSL handshake failure

Abstract

PI96508: The OIDC RP may not connect to token endpoint due to SSL handshake failure.

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.


PI96508 resolves the following problem:

ERROR DESCRIPTION:
The OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) improperly obtains the default SSL socket factory, so the outbound connection it opens to the OpenID Provider (OP) token endpoint may not use the SSL settings that WebSphere Application Server core security expects. The result can be an SSL handshake failure when the RP attempts to connect to the token endpoint:

[3/23/18 1:30:57:659 CDT] 000000dd WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Failed to make a request to OP server]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:468)
at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:249)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
at (snip ...)
... 28 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.p.a(p.java:1)
at com.ibm.jsse2.p.a(p.java:13)

Note that this issue may manifest itself in ways other than an SSL handshake failure: the CWTAI2007E message only reports that the request to the OP server failed, and the real cause is the innermost "Caused by:" exception in the trace.
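The following Python script is an added example; it is not part of the APAR text and not IBM code. It scans a SystemOut.log excerpt for the SECJ0126E / CWTAI2007E pattern shown above and pulls out the innermost "Caused by:" line, so that an SSL handshake failure at the token endpoint can be told apart from some other reason the RP could not reach the OP. The log sample is constructed from the trace above plus two made-up entries (an unrelated startup line and a second TAI failure with a connection-refused root cause); the function names and the "SystemOut" / "oidcDemo" values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the SystemOut.log excerpt quoted in the APAR, plus an
# unrelated entry and a second TAI failure with a different root cause, so
# the scanner has something to ignore and something to classify as "other".
SAMPLE_LOG = """\
[3/23/18 1:30:12:001 CDT] 00000041 SystemOut     O Starting application oidcDemo
[3/23/18 1:30:57:659 CDT] 000000dd WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Failed to make a request to OP server]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:468)
at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:249)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
... 28 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.p.a(p.java:1)
at com.ibm.jsse2.p.a(p.java:13)
[3/23/18 1:31:02:112 CDT] 000000e1 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is
com.ibm.websphere.security.WebTrustAssociationFailedException:
CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Failed to make a request to OP server]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:468)
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
"""

# Header of a WebSphere SystemOut.log entry: "[timestamp] threadId component level message".
# Lines that do not match are continuation lines (exception text, stack frames).
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9a-f]{8}) (?P<comp>\S+)\s+(?P<level>[A-Z]) (?P<text>.*)$"
)
# "Caused by: <exception class>[: <message>]"
CAUSED_RE = re.compile(r"^Caused by: (?P<cls>[\w.$]+)(?:: (?P<msg>.*))?$")

SSL_HANDSHAKE_EXCEPTION = "javax.net.ssl.SSLHandshakeException"


@dataclass
class TaiFailure:
    timestamp: str
    thread: str
    tai_message_id: Optional[str]       # e.g. CWTAI2007E
    root_cause_class: Optional[str]     # innermost "Caused by:" class, if any
    root_cause_message: Optional[str]

    @property
    def is_ssl_handshake_failure(self) -> bool:
        return self.root_cause_class == SSL_HANDSHAKE_EXCEPTION


def split_entries(log_text: str) -> List[List[str]]:
    """Group a SystemOut.log into entries: a header line plus its continuation lines."""
    entries: List[List[str]] = []
    current: Optional[List[str]] = None
    for line in log_text.splitlines():
        if ENTRY_RE.match(line):
            current = [line]
            entries.append(current)
        elif current is not None:
            current.append(line)
    return entries


def find_tai_failures(log_text: str) -> List[TaiFailure]:
    """Return every SECJ0126E entry with its CWTAI message id and innermost root cause."""
    failures: List[TaiFailure] = []
    for entry in split_entries(log_text):
        header = ENTRY_RE.match(entry[0])
        if header is None or "SECJ0126E" not in header.group("text"):
            continue
        tai_id: Optional[str] = None
        root_cls: Optional[str] = None
        root_msg: Optional[str] = None
        for line in entry[1:]:
            stripped = line.strip()
            if tai_id is None and stripped.startswith("CWTAI"):
                tai_id = stripped.split(":", 1)[0]
            caused = CAUSED_RE.match(stripped)
            if caused:
                # The last "Caused by:" in the chain is the innermost (real) cause.
                root_cls, root_msg = caused.group("cls"), caused.group("msg")
        failures.append(TaiFailure(header.group("ts"), header.group("thread"),
                                   tai_id, root_cls, root_msg))
    return failures


def summarize(log_text: str) -> Dict[str, int]:
    """Count TAI failures, split into SSL handshake failures and everything else."""
    failures = find_tai_failures(log_text)
    ssl = sum(1 for f in failures if f.is_ssl_handshake_failure)
    return {"total": len(failures), "ssl_handshake": ssl, "other": len(failures) - ssl}


if __name__ == "__main__":
    for f in find_tai_failures(SAMPLE_LOG):
        kind = "SSL handshake failure" if f.is_ssl_handshake_failure else "other"
        print(f"{f.timestamp} thread={f.thread} {f.tai_message_id}: {kind} "
              f"({f.root_cause_class}: {f.root_cause_message})")
    print(summarize(SAMPLE_LOG))
```

If the innermost cause is an SSLHandshakeException on a level that predates the fix, treat the TAI's socket-factory handling as the first suspect rather than loosening the WebSphere SSL configuration (enabling older protocols, weaker ciphers or extra trusted CAs) to make the handshake succeed; the correction belongs in the runtime, and the same scan will show whether any remaining failures have a different root cause.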

PROBLEM CONCLUSION:
The OIDC TAI is updated to obtain the default SSL socket factory in the manner that is required by WebSphere Application Server core security.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.14 and 9.0.0.9. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
13 March 2019

UID

swg24044725