IBM Support

PK56673: CRL CHECKING IS NOT GETTING TURNED OFF BECUASE IT IS OVERRIDING ALL PROPERTIES AND SETTING IT TO TRUE.

Fixes are available

Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CRL Checking is not getting turned off becuase it is overriding
all properties and setting it to true due to this we unable to
switch to the PKIX trust manager from X509.

Example By default in security.xml We see the following
-------------------------
<trustManagers xmi:id="TrustManager_1192132339753"
name="IbmX509"
provider="IBMJSSE2" algorithm="IbmX509"
managementScope="ManagementScope_1192132339753"/>
  <trustManagers xmi:id="TrustManager_1192132339758"
name="IbmPKIX"
provider="IBMJSSE2" algorithm="IbmPKIX" trustManagerClass=""
managementScope="ManagementScope_1192132339753">
    <additionalTrustManagerAttrs
xmi:id="DescriptiveProperty_1192132339758"
name="com.ibm.security.enableCRLDP" value="true" type="boolean"
displayNameKey="" nlsRangeKey="" hoverHelpKey="" range=""
inclusive="false" firstClass="false"/>
    <additionalTrustManagerAttrs
xmi:id="DescriptiveProperty_1192132339759"
name="com.ibm.jsse2.checkRevocation" value="true" type="boolean"
displayNameKey="" nlsRangeKey="" hoverHelpKey="" range=""
inclusive="false" firstClass="false"/>
  </trustManagers>

--------------------------------

When we set them to name="com.ibm.security.enableCRLDP"
value="false"  & name="com.ibm.jsse2.checkRevocation"
value="false" these value is not picking so we cannot turn off
Certificate Revocation (CRL checking)

Local fix

  • n/a

Problem summary

  • ****************************************************************
* USERS AFFECTED: WebSphere Application Server version 6.1     *
*                 users who are using ibmPKIX trust manager.   *
****************************************************************
* PROBLEM DESCRIPTION: There is no way to disable Certificate  *
*                      Revocation (CRL checking).              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When ibmPKIX is chosen as a trust manager, WebSphere
Application Server initializes ibmPKIX with predefined
parameters. Therefore, even though following properties
are set, they are not honored.

name: com.ibm.security.enableCRLDP   value:false
name: com.ibm.jsse2.checkRevocation  value:false

Problem conclusion

  • In conjunction with JDK APAR fix IZ08065, this fix takes
following custom properties of trust manager:

Name: com.ibm.security.enableCRLDP
Value:  true/false. true is default.

Name: com.ibm.jsse2.checkRevocation
Value:  true/false. true is default.

The fix for this APAR is currently targeted for inclusion in
fixpack 6.1.0.15. Please refer to the Recommended Updates page
for delivery information:
http://www.ibm.com/support/docview.wss?uid=swg27004980
This also requires the JDK APAR fix IZ08065

Temporary fix

  • a test fix sent to the customer.

Comments

  • 



APAR Information




    

  • APAR number
    PK56673
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    61A
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-11-16
    • 

  • Closed date
    2008-01-03
    • 

  • Last modified date
    2008-01-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • SECURITY

    



Fix information


    

  • Fixed component name
    WEBSPH APP SERV
    • 

  • Fixed component ID
    5724J0800
    • 



Applicable component levels


    

  • R61A  PSY
       UP
    • 

  • R61H  PSY
       UP
    • 

  • R61I  PSY
       UP
    • 

  • R61P  PSY
       UP
    • 

  • R61S  PSY
       UP
    • 

  • R61W  PSY
       UP
    • 

  • R61Z  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            29 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback