APAR status
Closed as program error.
Error description
The WS-Security PolicySet "WSSecurity Default" has the "Security header layout" set to "Strict - declarations must precede use" by default, which introduces interoperability issues with a MSFT client.
Local fix
Problem summary
USERS AFFECTED: WebSphere Application Server 6.1 web service feature pack users using "Strict" layout on WS-Security messages interoperating with MSFT clients.

PROBLEM DESCRIPTION: A message that specifies the Strict Layout on a policy must follow a set of rules, including this one, according to the specification: "Signed elements inside the security header MUST occur before the signature that signs them. For example, a. A timestamp MUST occur before the signature that signs it." In this case, this is exactly the problem: the timestamp is getting signed but it is put after the signature. Interoperation will be affected with MSFT, as MSFT will refuse to consume the message as it does not follow this rule.

RECOMMENDATION:

The problem is that the default behavior coded for the TimestampGenerator is to put the signature first, and then the timestamp, unless otherwise indicated. When a policy specifies "Strict" layout, the code goes into the default case, and therefore puts the Timestamp after the Signature in the message.
Problem conclusion
The solution was to change the default behavior in the TimestampGenerator to include the Timestamp before the signature when using the Strict layout. The TimestampConsumer now also verifies that the Timestamp is indeed put before the signature on an incoming message when following the Strict layout. This fixes the problem of interoperability. Also, a custom property, "com.ibm.ws.wssecurity.EnforceStrictLayout=true", is provided that can be set in the signature protection bindings and on the message context; setting it to "false" disables this new behavior. This is done in case this fix creates problems for existing configurations, so customers can disable the behavior if needed. The fix is targeted for fix pack 6.1.0.13. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
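The ordering check that the Strict layout rule calls for (and that the TimestampConsumer now performs on incoming messages), written here as an added example rather than IBM's own code: it walks the direct children of wsse:Security and flags any ds:Reference whose target sits after the Signature that signs it. The two sample envelopes are constructed for this example; the wsu:Id values and the placeholder SignatureValue are not taken from any real message.

```python
"""Check the WS-SecurityPolicy Strict layout rule: signed elements inside the
Security header must precede the Signature that signs them. Sample messages
below are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


def strict_layout_violations(soap_xml: str) -> list:
    """Return (signature_position, referenced_id) for every ds:Reference whose
    target is a Security-header child placed *after* the signing Signature.
    An empty list means the Strict ordering rule holds."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return []
    children = list(sec)  # document order of the Security header's children
    position = {c.get(WSU_ID): i for i, c in enumerate(children) if c.get(WSU_ID)}
    violations = []
    for i, child in enumerate(children):
        if child.tag != DS_SIGNATURE:
            continue
        for ref in child.iterfind("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            target = uri[1:] if uri.startswith("#") else None
            # Targets outside the header (e.g. the Body) are not covered by the rule.
            if target in position and position[target] > i:
                violations.append((i, target))
    return violations


def build_message(timestamp_first: bool) -> str:
    """Constructed envelope with a signed Timestamp and Body; the Timestamp is
    placed before the Signature (Strict-compliant) or after it (the PK55563 symptom)."""
    ts = '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2007-10-26T00:00:00Z</wsu:Created></wsu:Timestamp>'
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>'
           '</ds:SignedInfo><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>')
    header = ts + sig if timestamp_first else sig + ts
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soap:Header>'
            f'<wsse:Security>{header}</wsse:Security></soap:Header>'
            f'<soap:Body wsu:Id="Body-1"><ping/></soap:Body></soap:Envelope>')
```

Running `strict_layout_violations(build_message(False))` reports the Timestamp reference as a violation, which is exactly the message layout MSFT clients rejected; the compliant ordering returns no violations.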
Temporary fix
Comments
APAR Information
APAR number
PK55563
Reported component name
WEBSERVIC FEATU
Reported component ID
5724J0850
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-10-26
Closed date
2007-11-15
Last modified date
2007-11-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SECURITY SERVICE WEB
Fix information
Fixed component name
WEBSERVIC FEATU
Fixed component ID
5724J0850
Applicable component levels
R610 PSY
UP
Document Information
Modified date:
10 February 2022