IBM Support

PH49566: OIDC v1.4.0; OIDC: CWTAI2047E when more than one key without alg claim in JWK

Abstract

OIDC TAI Version v1.4.0; PH49566: OIDC: CWTAI2047E when more than one key without alg claim in JWK

Download Description

OIDC TAI Version: 1.4.0
 
THE FOLLOWING FIXES ARE PROVIDED:

Interim fix file | Readme file | Fix pack range | Editions
 | Readme file v8.5 | 8.5.5.3 through 8.5.5.22 | WASProd
9.0.0.0-WS-WASProd-IFPH49566.zip | Readme file v9.0 | 9.0.0.0 through 9.0.5.13 | WASProd


 You can install these fixes from the IBM live service repository instead of downloading them. For information and step-by-step instructions, see the LIVE SERVICE REPOSITORY INSTALLATION section of this document.

AVOID TROUBLE:

When you are administering a cluster, the fix for this APAR must be applied to each cluster member. Failure to update all cluster members produces unpredictable results on both the updated and nonupdated cluster members.


PH49566 resolves the following problem:

ERROR DESCRIPTION:
When the OpenID Connect (OIDC) Trust Association Interceptor (TAI) attempts to process a JWK that contains more than one key that does not contain an alg claim, an error similar to the following error is found in the logs: 
CWTAI2047E: No key was found to verify the signature.  The signature algorithm is [RS256].  The JWT [kid] claim value is [YOURKID] and the [x5t] claim value is [YOURX5T].  The [jwkEndpointUrl] is [https://acme.com/jwk.jwks].  The [signVerifyAlias] property value is [ALIAS].
This issue happens after installing fix pack 9.0.5.13.
 
PROBLEM CONCLUSION:
The OIDC TAI is updated to allow for keys with no "sig" claim in a JWK.
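
The JWK-set condition named in the error description can be checked offline against a provider's key set. The following Python sketch is an added example, not IBM's code and not the TAI's actual selection logic; it applies RFC 7517 semantics, in which alg, use, kid and x5t are optional JWK members that exclude a key only when present and different. The sample JWK set, its kid values and the function names are constructed for illustration.

```python
import json

# Constructed sample JWK set (placeholder key material, not real keys).
# Keys "a" and "b" are RSA keys that omit the optional "alg" member.
SAMPLE_JWKS = json.loads("""
{"keys": [
  {"kty": "RSA", "kid": "a", "n": "PLACEHOLDER", "e": "AQAB"},
  {"kty": "RSA", "kid": "b", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
  {"kty": "RSA", "kid": "c", "alg": "RS512", "n": "PLACEHOLDER", "e": "AQAB"},
  {"kty": "EC", "kid": "d", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"}
]}
""")

# JWS "alg" prefix (RFC 7518) -> JWK "kty" (RFC 7517) of the verification key.
# Only the RSA and EC families are covered in this sketch.
ALG_PREFIX_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def candidate_keys(jwks, header):
    """Return the JWKs that could verify a JWT carrying this JOSE header."""
    alg = header.get("alg", "")
    want_kty = ALG_PREFIX_TO_KTY.get(alg[:2])
    if want_kty is None:
        # HS*, "none" or an unknown algorithm: no public key in a JWKS applies.
        return []
    found = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != want_kty:
            continue
        # An absent "use" is treated as usable for signatures.
        if jwk.get("use", "sig") != "sig":
            continue
        # An absent "alg" matches any algorithm of the right key type.
        if jwk.get("alg", alg) != alg:
            continue
        # kid / x5t exclude a key only when both sides carry a value and differ.
        if any(m in header and m in jwk and jwk[m] != header[m]
               for m in ("kid", "x5t")):
            continue
        found.append(jwk)
    return found


def diagnose(jwks, header):
    """Summarise whether a JWK set has several keys without "alg" and which
    keys remain candidates for the given JWT header."""
    no_alg = [k.get("kid") for k in jwks.get("keys", []) if "alg" not in k]
    return {
        "keys_without_alg": no_alg,
        "multiple_keys_without_alg": len(no_alg) > 1,
        "candidates": [k.get("kid") for k in candidate_keys(jwks, header)],
    }


if __name__ == "__main__":
    # Constructed JWT headers: one with a kid, one without.
    for hdr in ({"alg": "RS256", "kid": "b"}, {"alg": "RS256"}):
        print(hdr, "->", diagnose(SAMPLE_JWKS, hdr))
```

When a header without a kid leaves more than one candidate, a verifier has to try each candidate key in turn; an empty candidate list corresponds to the "No key was found" outcome.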

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.14. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980


  •  WHAT'S NEW IN VERSION 1.4.0
    • Add regex and logical OR to the provider_<id>.filter property

      Two new operators are added to the provider_<id>.filter property: regular expression (~=) and logical OR (||). These new operators are delivered in APAR PH49279.

    • A new keyword is added to the values for the provider_<id>.useRealm property

      To use the default WebSphere realm name, set the provider_<id>.useRealm custom property to WAS_DEFAULT. This new value is delivered in APAR PH47482.

    • The default value for the provider_<id>.signatureAlgorithm property is changed to HEADER

      A new keyword called HEADER is added to the list of supported values for the provider_<id>.signatureAlgorithm property. When the signatureAlgorithm property is set to HEADER, the value is obtained from the header of each inbound token. Two new properties are added to support this new behavior delivered in APAR PH47272:

      • provider_<id>.signatureAllowList
        Specifies a comma-separated list of signature algorithms that are allowed to secure messages from the OpenID Connect provider. If the signatureAlgorithm property is set to a value other than HEADER, this property is ignored. This list can include any value that is supported by the jose4j open source project except HS256.
      • provider_<id>.signatureDenyList
        Specifies a comma-separated list of signature algorithms that are not allowed to secure messages from the OpenID Connect provider. If the signatureAlgorithm property is set to a value other than HEADER, this property is ignored. This list can include any value that is supported by the jose4j open source project and the values are not validated by the OIDC TAI. If the configured list does not include HS256, HS256 might be added to the list.
    • Add ability to filter requests based on the issuer in the JWT

      Starting in OIDC 1.4.0, the OIDC TAI can filter inbound JWT authentication requests based on the issuer of the JWT. The following OIDC TAI custom properties are added to support this feature delivered in APAR PH44467:

      • provider_<id>.allowJwtIssuerSelection
        Set this property to true if you want to allow the runtime to filter requests based on the iss claim in the JWT in the Authorization header of the HTTP request. The filter will match if the iss claim in the JWT matches this provider's issuer.
    • Add support for encrypted JWT (JWE) and idTokens

      Starting in OIDC version 1.4.0, the OpenID Connect Trust Association Interceptor can process an encrypted JWT. An encrypted JWT can be used with both the traditional OpenID Connect Relying Party and JWT Authentication. Using the OIDC RP allows an encrypted JWT to be the ID token, access token, or both. The following OIDC TAI custom properties are added to support the encrypted JWT feature delivered in APAR PH36335:

      • provider_<id>.keyStore
        Specifies the keystore from which to obtain the decrypting key.
      • provider_<id>.decryptAlias
        Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token.
      • provider_<id>.decryptKeyPassword
        Specifies the password for the decrypting key.
    • Add support for OIDC RP-Initiated logout

      The OIDC RP is updated so that it can perform an RP-Initiated logout. If configured to do so, an RP-Initiated logout is performed when HttpServletRequest.logout() or ibm_security_logout (form logout) is invoked. Note: A fix for APAR PH48145 is required for the OIDC TAI to log out when ibm_security_logout is invoked. The following OIDC TAI custom properties are added to support this feature delivered in APAR PH48083:

      • provider_<id>.endSessionEndpointEnabled
        Set this property to true if you want to enable RP-Initiated logout with the URL specified on the provider_<id>.endSessionEndpoint property.
      • provider_<id>.endSessionRedirectUrl
        Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP. The OP redirects to this URL after logout is complete.
      • provider_<id>.endSessionUseLogoutExitPage
        Set this property to true if you want to use the value for the logoutExitPage parameter on an ibm_security_logout request as the value for the post_logout_redirect_uri parameter on the end session request to the OP. This requires 8.5.5.23 or 9.0.5.14.
      • The following OidcClientHelper APIs are added:

        logout(HttpServletRequest req, HttpServletResponse rsp)
        logout(HttpServletRequest req, HttpServletResponse rsp, String endSessionRedirectUrl)
        opLogout(HttpServletRequest req, HttpServletResponse rsp, String endSessionRedirectUrl)

    • Add OidcClientHelper APIs to validate JWTs

      Starting in OIDC 1.4.0, the OIDC TAI can filter inbound JWT authentication requests based on the issuer of the JWT. The following OIDC TAI custom properties are added to support this feature delivered in APAR PH44692:

      • provider_<id>.useIssuer
        When this property is set to true, the runtime can use the provider entry to service JSON Web Token (JWT) verification requests by API.
      • The following OidcClientHelper APIs are added:

        verifyJwt(String jwtString)
        verifyJwt(String jwtString, String defaultIssuer)
        verifyJwtUsingDiscovery(String jwtString)
        verifyJwtUsingDiscovery(String jwtString, String discoveryUrl)
        verifyJwtUsingTAIConfig(String jwtString)
        verifyJwtUsingTAIConfig(String jwtString, String defaultIssuer)


CUSTOM PROPERTIES AND JAVADOC:
To see a complete list of the custom properties supported in this version of the OIDC TAI, see the technote WebSphere OpenID Connect, Full Profile Custom Properties.

APARS INCLUDED IN THIS VERSION:
This fix is for the OpenID Connect (OIDC) Relying Party and JWT authentication features in WebSphere Application Server traditional, both of which are delivered in the OIDC trust association interceptor (TAI) JAR file. This fix is cumulative and contains all fixes that were in the code repository at the time the fix was created.

PI23430: Security Integrity fix for OpenID and OpenID connect
PI25298: OIDC on full profile can't authenticate with Liberty profile OP with an access token
PI25681: Remove export packages of the org.apache.commons.codec from com.ibm.ws.security.client.jar
PI33449: Full profile OpenID connect RP does not work with google OP
PI37687: IBM embedded WebSphere Application Server is missing the JAR files for OpenID and OpenID connect
PI47460: Add multi-provider support to OpenID connect relying party in the full profile
PI52604: OpenID connect SSO with active directory fails with 403 forbidden
PI55697: OpenID connect relying party: no entry in cache for stateid
PI56331: User might not be able to access web page that is protected with OIDC after initial login
PI59831: Support for using local x.509 public certificate for signature verification in OIDC
PI63906: OIDC: Allow config of contentType
PI64573: OIDC: A 403 error might occur when the OP URL encodes the state parameter
PI64924: OpenID connect RP cannot locate key in JWK set
PI65751: Do not require the interceptedPathFilter OIDC custom property
PI73318: OIDC: Unique cookie names can accumulate on the browser
PI74857: Privilege escalation in full profile OIDC RP (CVE-2017-1151)
PI75095: OIDC: ClassCastException java.util.ArrayList
PI78336: OIDC jndiCacheName property does not work
PI80317: OIDC RP might store incorrect data in DynaCache
PI80543: OIDC RP cannot dynamically build callback URL
PI80549: OIDC RP does not support POST introspection endpoints
PI82308: OIDC RP loses URL fragments during the login process
PI84244: OIDC RP does not restore single quotation mark characters in POST data
PI86752: OIDC RP is requiring optional iat claim in introspected access token
PI87354: OIDC RP cannot log out when OIDC session cookie is not present
PI88253: OIDC RP secure flag not set on the oidcrequrl cookie
PI88896: OIDC RP refreshed access_token is not put into subject
PI90373: OIDC RP authorizationEndpointURL does not handle query parameters correctly
PI92210: OIDC RP configuration of location of sign verify certificate is not customizable
PI92332: OIDC RP does not support op userinfo endpoint
PI94538: OIDC RP does not call the revocation endpoint on the OP on logout
PI96508: OIDC RP might not connect to token endpoint due to SSL handshake failure
PI96403: OIDC RP: support implicit login flow for initial requests
PH00569: OIDC RP handling of id_token expiry is not configurable
PH02192: OIDC RP extra <br/> tag added in saved post body
PH03525: OIDC RP might not intercept requests to http:// endpoints
PH07297: Denial of Service vulnerability in Guava (CVE-2018-10237)
PH08804: OIDC RP default identifiers are not available when customs are configured
PH10503: OIDC RP: sessionCacheTimeoutMinutes value is in seconds instead of minutes
PH10892: OIDC RP: There is no API for obtaining tokens or manually triggering access token refresh
PH11107: OIDC RP: port number is always included on redirect_uri parameter
PH11684: OIDC RP: failed to validate ID token, error that is emitted during verify [UnsupportedOperationException]
PH12520: OIDC TAI: Enable JWT authentication
PH13175: OIDC RP: Tokens are not revoked when sessions are evicted from the cache
PH14676: OIDC RP: omit client_secret OAuth 2.0 parameter when the client_secret is an empty string
PH15248: OidcClientHelper methods might return null unexpectedly
PH15626: OIDC RP: enable configuration of a login error url
PH17304: OIDC RP: cannot send a Content-Security-Policy header to the OpenID Connect provider
PH18150: OIDC RP: does not check the idtoken for an acr value when auth endpoint includes "acr_values"
PH19189: OIDC RP: cannot send a nonce parameter to an OP
PH19333: OIDC RP: unable to override the realm name in an idtoken
PH19907: OIDC RP: login fails when createSession=true and http sessions are exhausted
PH20118: OIDC RP: do require scope claim on response from OP
PH21008: The TAI is not enabled when any provider config fails to initialize
PH21178: OIDC RP: access token refresh might be erroneously attempted
PH21611: OIDC RP: might attempt to refresh access tokens that are not expired
PH21827: OIDC RP: NotSerializableException for JwtClaims error might occur
PH22038: OIDC RP: session cookie name is related to provider_<id>.clientId instead of provider_<id>.identifier
PH22195: OIDC RP: enable use OpenID provider's well-known configuration url (discovery)
PH22621: OIDC RP: add programmatic support for grant_type = client_credentials
PH23572: OIDC RP: code flow cannot be used when JavaScript is not enabled
PH23697: OIDC RP: add rs512 signature algorithm
PH24737: OIDC RP: make the introspection response available with an API
PH25547: OIDC RP: incorrect behavior when opaque token is in authorization header and useJwtFromRequest=ifPresent
PH25697: OIDC RP: sessionCacheTimeoutMinutes=0 is not overriding idtoken exp claim
PH25774: OIDC RP: session cookie value is too short
PH26523: OIDC RP: allow call to userinfo endpoint to be not active
PH26925: OIDC RP: generates JavaScript with extra 'end-script' to send to OP
PH27173: OIDC RP: login might fail when nonce is enabled
PH27213: OIDC RP: provide an option to not write an LTPA cookie in the OIDC path
PH27514: OIDC RP: add basic auth support for the JWK endpoint
PH27827: OIDC RP: support unique clientId and clientSecret for introspection endpoint
PH27971: OIDC RP: make end session endpoint available with an API
PH28253: OIDC RP: intercept callback from OP without special filter config
PH28386: OIDC RP: provide an option to validate a JWT access token
PH28534: OIDC RP: do not load config entry when there is no filter defined
PH29099: OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH30368: OIDC RP might not delete session cookie when SameSite cookie policy=lax
PH30911: OIDC RP: allow a resource parameter to be sent to the token and authorize endpoints
PH31682: OIDC RP might not load config from a nondefault security domain
PH32257: NotSerializableException when accessTokenIsJwt=true
PH33170: JWT authentication that uses custom cache key might be slow
PH34227: OIDC RP: support the basic_start_authorization scope
PH34840: OIDC RP: make the state parameter alphanumeric
PH35185: OIDC RP: authentication might fail with CWTAI2007e saying a nonce claim is required when the nonce is present
PH35481: OIDC APIs might not find an idToken token on the runAs subject
PH36335: OIDC: Add support for encrypted JWT (JWE) and idTokens
PH39666: OIDC RP: Initial login might fail when the OIDC stateId contains special characters
PH39847: OIDC RP: entry is never removed from cache when initial login is through introspection
PH40532: OIDC TAI might not remove OAuth access token cache entries
PH40533: OIDC TAI might encounter a thread hang when sessions are removed from the local cache
PH43169: OidcClientHelper.getAccessTokenFromSubject() might return null when using JWT Authentication
PH44467: OIDC TAI: add ability to filter requests based on the iss claim in the JWT
PH44692: OIDC: add methods to the OidcClientHelper api to verify JWTs
PH45044: OIDC add ability to turn off revoke endpoint
PH45297: OIDC: introspection requests might fail after access token is refreshed
PH45740: OIDC: setting signatureAlgorithm to none results in error
PH46324: OIDC: CWTAI2047E error occurs when no kid claim in the JWT header
PH46408: OIDC: getValidAccessToken might fail with IllegalArgumentException
PH47272: OIDC: add ability to not require setting the signatureAlgorithm property
PH47482: OIDC: add value to the useRealm property to mean `default realm name`
PH48083: OIDC RP: update the OIDC RP to log out from an OP with RP-Initiated logout
PH49279: OIDC: add regex and logical OR support to the filter property
PH49566: OIDC: CWTAI2047E when more than one key without alg claim in JWK in 9.0.5.13
 
  • JAVA™ 7 OR LATER IS REQUIRED

    The OIDC v1.4.0 runtime on this page requires the use of Java version 7 or later:

    • The PH49566 interim fix for WebSphere traditional v8.5.5 installs on any fix pack to which it applies.
    • When an application server is running Java 6 or earlier:
      • The OpenID Connect (OIDC) Relying Party (RP) TAI is not initialized when the server is started.
      • If the OIDC TAI was configured to intercept requests before you installed PH49566, those previously intercepted requests are redirected to the default form login after PH49566 is installed.

  • PREREQ APAR FIXES
    The v8.5.5 interim fix that is provided on this page requires the PI57465 enablement fix as a prerequisite. For convenience, the interim fix files for PI57465 are packaged into the v8.5.5 interim fix for APAR PH49566.
    If you do not already have an interim fix for PI57465 installed and you are installing on 8.5.5.9 or earlier, you are required to install the interim fix for PI57465:

    • When you are using the IBM Installation Manager GUI to install the fixes, the fix for PI57465 appears as a separate line-item that you must select.
    • If the fix for PI57465 doesn't display, clear 'Show recommended only'.
    • If you are using the Installation Manager imcl command to install the fix, you must specify the fix name for the appropriate PI57465 fix.
      • To see example imcl commands and the names of the PI57465 fixes included in the PH49566 interim fixes, see the COMMAND LINE INSTALLATION section of this document.

    You do not need to install an interim fix for the prereq APAR PI57465 on v9.0 or 8.5.5.10 or later because PI57465 is included in those fix packs.
     

  • LIVE SERVICE REPOSITORY INSTALLATION
    If you are installing by using the IBM Installation Manager GUI, you can install an interim fix for PH49566 from the IBM live service repository instead of downloading it.  Do the following actions in the Installation Manager:

    1. Select File > Preferences
    2. Click 'Repositories' from the list on the left
    3. Make sure that 'Search service repositories during installation and updates' is selected.
    4. Click OK
    5. Make sure that 'Update all packages with recommended updates and recommended fixes' is not selected.
    6. Choose the WebSphere instance that you want to update.
    7. Click Next
      • If prompted, enter your IBMid and password
      • If you are not at the most recent fix pack level, the Update Packages window displays with the most recent fix pack preselected.
    8. Do the following steps:
      • If you are at the most recent fix pack level, do the following:
        1. Select 'Show recommended only'.
        2. Clear any recommended update that you do not want to install.
          • Make sure that you do not clear the update for PH49566.
        3. Click Next
        4. Click Update
      • If you are not at the most recent fix pack level, do the following:
        1. Do the following actions based on whether you want to also update your fix pack level:
          • If you want to update to the most recent fix pack level, do the following:
            1. Click Next
            2. Go back and complete the previous steps as if you are at the most recent fix pack level.
          • If you want to update your fix pack to a level that is not the most recent, do the following:
            1. Clear 'Show recommended only'.
            2. Select the fix pack level that you want to install.
            3. Click Next
          • If you do not want to update your fix pack level, do the following:
            1. Clear 'Show recommended only'.
            2. Select 'Only fixes for version x.x.x.x', where x.x.x.x is your version and fix pack.
            3. Click Next
            4. Clear any recommended update that you do not want to install.
              • Make sure that you do not clear the update for PH49566.
            5. If you are installing on fix packs 8.5.5.3 through 8.5.5.9 and you do not have an interim fix for the prerequisite APAR PI57465 installed, an error that says 'APAR PI57465 is required by x.x.x.x-WS-WASProd-IFPH49566' appears.
              If you see this error, do the following:
              1. Clear 'Show recommended only'.
              2. Scan through the list to find the entry for PI57465 and select it.
                For a list of the fix names for PI57465, see the COMMAND LINE INSTALLATION section.
            6. Click Next
            7. Click Update
  • COMMAND LINE INSTALLATION
    The fixes for PH49566 are installed by using the IBM Installation Manager. You can use the Installation Manager imcl command to install an interim fix from the command prompt.

    When you install an interim fix from the command prompt, you need to know the name of the fix that is contained within the interim fix file. The following table lists the fixes that are contained in each interim fix file for PH49566. For convenience, the fixes for the prerequisite APAR PI57465 are packaged into the interim fix file v8.5.5.

    Interim fix file | Fix names | Fix packs
    8.5.5.3-WS-WASProd-IFPH49566.zip | 8.5.5.3-WS-WASProd-IFPH49566_8.5.5003.20220919_1955 | 8.5.5.3 through 8.5.5.22
    8.5.5.3-WS-WASProd-IFPH49566.zip | 8.5.5.3-WS-WASProd-IFPI57465_8.5.5003.20160623_1218 | 8.5.5.3 only
    8.5.5.3-WS-WASProd-IFPH49566.zip | 8.5.5.4-WS-WASProd-IFPI57465_8.5.5004.20160623_1211 | 8.5.5.4 through 8.5.5.5
    8.5.5.3-WS-WASProd-IFPH49566.zip | 8.5.5.6-WS-WASProd-IFPI57465_8.5.5006.20160623_1208 | 8.5.5.6 only
    8.5.5.3-WS-WASProd-IFPH49566.zip | 8.5.5.7-WS-WASProd-IFPI57465_8.5.5007.20160623_1202 | 8.5.5.7 through 8.5.5.9
    9.0.0.0-WS-WASProd-IFPH49566.zip | 9.0.0.0-WS-WASProd-IFPH49566_9.0.0.20220919_1843 | 9.0.0.0 through 9.0.5.13

    Example commands:
    • Installation of PH49566 only:
      The following example shows how you can install on an 8.5.5 fix pack that includes PI57465 (8.5.5.10 or later).  If you previously installed an interim fix for PI57465, you can also use this command on 8.5.5.3 through 8.5.5.9.
       
      ./imcl install 8.5.5.3-WS-WASProd-IFPH49566_8.5.5003.20220919_1955 -installationDirectory /opt/IBM/WebSphere/AppServer -repositories /tmp/ifixes/8.5.5.3-WS-WASProd-IFPH49566.zip
    • Installation of PH49566 and PI57465:
      If you do not already have an interim fix for the prereq APAR PI57465 installed, the following example shows how you can install on 8.5.5.7 through 8.5.5.9 using imcl:
       
      ./imcl install 8.5.5.7-WS-WASProd-IFPI57465_8.5.5007.20160623_1202 8.5.5.3-WS-WASProd-IFPH49566_8.5.5003.20220919_1955 -installationDirectory /opt/IBM/WebSphere/AppServer -repositories /tmp/ifixes/8.5.5.3-WS-WASProd-IFPH49566.zip

    IBM Documentation references:
    Installing interim fixes on distributed operating systems by using the command line
    Command line arguments for the imcl command

     
  • SUPERSEDED APAR FIXES
    The fixes for PH49566 on this page supersede the fixes published for PI47460, PI55697, PI64573, PI65751, PI74857, PI80317, PI82308, PI96508, PH08804, PH13175, PH21827, PH29099, and PH39666. Those fixes are removed from their pages and are replaced by these fixes for PH49566.

    Because the fixes for PH49566 included on this page supersede the fixes for PI47460, PI55697, PI64573, PI65751, PI74857, PI80317, PI82308, PI96508, PH08804, PH13175, PH21827, PH29099, and PH39666, the Installation Manager allows them to be installed on top of any of those fixes. It is up to you to decide whether to uninstall any or all of those fixes before you install a fix for PH49566.
  • APPLICABLE FIX PACKS
    The OpenID Connect feature of WebSphere Application Server v8.5.5 is supported starting in fix pack 8.5.5.3.  Therefore, this APAR does not apply to, nor are interim fixes available for, fix packs 8.5.5.0 through 8.5.5.2.

     

Keywords: IBMWL3WSS, OIDC, INTERIMFIX

Prerequisites

PI57465 (only for 8.5.5.9 or earlier)

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL | Size (Bytes)
V85 readme file | 8065
V90 readme file | 7925

Download Package

Download | Release date | Size (Bytes) | Download options
8.5.5.3-WS-WASProd-IFPH49566 | 09-21-2022 | 4494531 | FC
9.0.0.0-WS-WASProd-IFPH49566 | 09-21-2022 | 4061208 | FC

Problems Solved

PH49566

Document Location

Worldwide

Problems (APARS) fixed
PI23430;PI25298;PI25681;PI33449;PI37687;PI47460;PI52604;PI55697;PI56331;PI59831;PI63906;PI64573;PI64924;PI65751;PI73318;PI74857;PI75095;PI78336;PI80317;PI80543;PI80549;PI82308;PI84244;PI86752;PI87354;PI88253;PI88896;PI90373;PI92210;PI92332;PI94538;PI96508;PI96403;PH00569;PH02192;PH03525;PH07297;PH08804;PH10503;PH10892;PH11107;PH11684;PH12520;PH13175;PH14676;PH15248;PH15626;PH17304;PH18150;PH19189;PH19333;PH19907;PH20118;PH21008;PH21178;PH21611;PH21827;PH22038;PH22195;PH22621;PH23572;PH23697;PH24737;PH25547;PH25697;PH25774;PH26523;PH26925;PH27173;PH27213;PH27514;PH27827;PH27971;PH28253;PH28386;PH28534;PH29099;PH30368;PH30911;PH31682;PH32257;PH33170;PH34227;PH34840;PH35185;PH35481;PH39666;PH39847;PH40532;PH40533;PH43169;PH44467;PH44692;PH45044;PH45297;PH45740;PH46324;PH46408;PH47272;PH47482;PH48083;PH49279;PH49566

Document Information

Modified date:
22 September 2022

UID

ibm16621159