IBM Support

PH24501: SAML WEB SSO TAI MAY FAIL SIGNATURE VERIFICATION WHEN A KEYINFO CONTAINS BOTH KEYNAME AND X509DATA

APAR status

  • Closed as program error.

Error description

  • When the KeyInfo in a SAMLResponse sent to the SAML Web SSO
    TAI contains a valid X509Data or KeyValue element in addition
    to a KeyName element, and the KeyName element comes first,
    signature validation fails even though the signature itself
    is valid.  An error similar to the following is emitted:
    
    [3/18/20 10:27:00:094 CDT] 000000c7 ACSTrustAssoc 3
    SAMLResponse could not be verified.
    [com.ibm.wsspi.wssecurity.core.SoapSecurityException]
    
    The following may be observed in a SAML trace:
    
    [3/18/20 10:27:00:078 CDT] 000000c7 ConfigUtil    <
    getMessage2(String)returns String [CWWSS7074E: The key is not
    retrieved. The exception is:] Exit
    [3/18/20 10:27:00:078 CDT] 000000c7 SAMLSignature 3
    NULL_MESSAGE_KEY_PASSED
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and SAML Web SSO                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: The SAML Web SSO TAI fails signature    *
    *                      validation if KeyName is first in       *
    *                      KeyInfo                                 *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    When the KeyInfo in a SAMLResponse sent to the SAML Web SSO
    TAI contains a valid X509Data or KeyValue element, and the
    signature is valid, signature verification is expected to
    pass.
    When the KeyInfo in a SAMLResponse contains only a KeyName
    element, signature verification is expected to fail, because
    the TAI does not support KeyName as a key source.
    When the KeyInfo contains multiple elements, the runtime is
    expected to pick the first supported element and use it to
    process the signature.
    When the KeyInfo contains multiple elements but the first one
    is not supported (in this case KeyName), the TAI does not
    retrieve a key and emits the following error:
    [3/18/20 10:27:00:094 CDT] 000000c7 ACSTrustAssoc 3
    SAMLResponse could not be verified.
    [com.ibm.wsspi.wssecurity.core.SoapSecurityException]
    Below is an example of a KeyInfo that contains more than one
    element, with the KeyName first:
    <ds:KeyInfo>
      <ds:KeyName>CN=company.com, O=Company, L=City, ST=State, C=US</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>.....</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
    

Problem conclusion

  • The SAML Web SSO TAI is updated to skip unsupported elements
    (such as KeyName) in the KeyInfo.  If the KeyInfo contains at
    least one supported element (X509Data or KeyValue), a key is
    retrieved from it regardless of where it appears in the
    KeyInfo.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
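The following is an added example, not IBM's code, that models the KeyInfo handling described in the problem summary and problem conclusion above. `resolve_first_child` reproduces the pre-fix behaviour (only the first child of ds:KeyInfo is consulted, so a leading ds:KeyName causes key retrieval to fail), and `resolve_skip_unsupported` reproduces the fixed behaviour (unsupported children are skipped and the first ds:X509Data or ds:KeyValue is used). The element names come from XML-DSig; the function names, the error class and the sample KeyInfo documents, including the placeholder certificate text, are constructed for this example.

```python
"""KeyInfo key-source resolution as described in PH24501.

Added example, not IBM's code. The pre-fix TAI consulted only the first
child of ds:KeyInfo; the fixed TAI skips unsupported children and uses
the first supported one (ds:X509Data or ds:KeyValue).
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
X509DATA = "{%s}X509Data" % DS_NS
X509CERT = "{%s}X509Certificate" % DS_NS
KEYVALUE = "{%s}KeyValue" % DS_NS
KEYNAME = "{%s}KeyName" % DS_NS

# Children of KeyInfo the TAI can turn into a verification key (per the APAR).
SUPPORTED = (X509DATA, KEYVALUE)


class KeyNotRetrievedError(Exception):
    """No usable key source was found (the CWWSS7074E / NULL_MESSAGE_KEY case)."""


def _key_source(child):
    """Describe the key material carried by one supported KeyInfo child."""
    if child.tag == X509DATA:
        cert = child.find(X509CERT)
        if cert is None or not (cert.text or "").strip():
            raise KeyNotRetrievedError("X509Data without an X509Certificate")
        return ("X509Certificate", cert.text.strip())
    if child.tag == KEYVALUE:
        return ("KeyValue", ET.tostring(child, encoding="unicode").strip())
    raise KeyNotRetrievedError("unsupported KeyInfo child: %s" % child.tag)


def resolve_first_child(keyinfo_xml):
    """Pre-fix behaviour: only the first child of KeyInfo is examined."""
    keyinfo = ET.fromstring(keyinfo_xml)
    children = list(keyinfo)
    if not children:
        raise KeyNotRetrievedError("empty KeyInfo")
    return _key_source(children[0])


def resolve_skip_unsupported(keyinfo_xml):
    """Fixed behaviour: skip unsupported children, use the first supported one."""
    keyinfo = ET.fromstring(keyinfo_xml)
    for child in keyinfo:
        if child.tag in SUPPORTED:
            return _key_source(child)
    raise KeyNotRetrievedError("no supported element in KeyInfo")


def key_retrieved(resolver, keyinfo_xml):
    """True if the resolver found a key source, False if it failed like the TAI did."""
    try:
        resolver(keyinfo_xml)
        return True
    except KeyNotRetrievedError:
        return False


# Constructed samples. The certificate body is a placeholder, not a real cert.
PLACEHOLDER_CERT = "MIIC-NOT-A-REAL-CERTIFICATE=="

KEYNAME_THEN_X509 = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>CN=company.com, O=Company, L=City, ST=State, C=US</ds:KeyName>
  <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>""" % PLACEHOLDER_CERT

X509_THEN_KEYNAME = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
  <ds:KeyName>CN=company.com, O=Company, L=City, ST=State, C=US</ds:KeyName>
</ds:KeyInfo>""" % PLACEHOLDER_CERT

KEYNAME_ONLY = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyName>CN=company.com, O=Company, L=City, ST=State, C=US</ds:KeyName>
</ds:KeyInfo>"""


if __name__ == "__main__":
    for label, sample in [("KeyName then X509Data", KEYNAME_THEN_X509),
                          ("X509Data then KeyName", X509_THEN_KEYNAME),
                          ("KeyName only", KEYNAME_ONLY)]:
        print("%-22s pre-fix: %-5s fixed: %s" % (
            label,
            key_retrieved(resolve_first_child, sample),
            key_retrieved(resolve_skip_unsupported, sample)))
```

Running the block prints one row per sample: with KeyName first, the pre-fix resolver fails and the fixed one succeeds; with X509Data first, both succeed; with KeyName only, both fail, which matches the expected outcomes listed in the problem summary. Note that selecting a key source is only the first step: a certificate taken from KeyInfo still has to be validated against the TAI's configured trust store before the signature it verifies is trusted, and this example does not model that step.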
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH24501

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-04-16

  • Closed date

    2020-05-29

  • Last modified date

    2020-05-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • Business Unit: Software (BU029)

  • Product: WebSphere Application Server (SSEQTP)

  • Platform: Platform Independent (PF025)

Document Information

Modified date:
30 May 2020