Download
Abstract
Ship JDK IJ22800 as an iFix for WAS v8.5.5.x and Java 8 SR6 (replaces PH22381)
Download Description
NOTE: This ifix replaces PH22381.
PH22381 may not install correctly on one WebSphere fix pack, 8.5.5.16.
If you have installed PH22381 on any WebSphere fix pack other than 8.5.5.16, you do not need to uninstall it and apply this ifix, because the contents are identical.
ERROR DESCRIPTION:
WebSphere fails to successfully validate a certificate chain using the CertPath security component.
The following stack trace may be seen:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:138)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.getSoapSecurityException(CommonTokenConsumer.java:592)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:431)
at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2563)
at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2382)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:821)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.access$100(WSSecurityConsumerHandler.java:127)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1.run(WSSecurityConsumerHandler.java:191)
at com.ibm.ws.security.context.ContextImpl.runWith(ContextImpl.java:363)
at com.ibm.ws.wssecurity.platform.websphere.auth.WSSContextImpl.runWith(WSSContextImpl.java:66)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$2.run(WSSecurityConsumerHandler.java:197)
at java.security.AccessController.doPrivileged(AccessController.java:734)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:195)
at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:372)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:199)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at com.ibm.ws.websvcs.transport.http.WASAxis2Servlet.doPost(WASAxis2Servlet.java:1632)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4047)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1016)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:213)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1361)
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.processElement(X509ConsumeLoginModule.java:1167)
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.login(X509ConsumeLoginModule.java:321)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:324)
... 45 more
Caused by: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:165)
at com.ibm.security.cert.SunCertPathBuilder.build(SunCertPathBuilder.java:129)
at com.ibm.security.cert.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:124)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:292)
at com.ibm.ws.wssecurity.util.CertificateUtil.buildCertPath(CertificateUtil.java:1163)
at com.ibm.ws.wssecurity.util.CertificateUtil.validateX509Certificate(CertificateUtil.java:991)
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1337)
... 48 more
Caused by: java.security.cert.CertPathValidatorException: Cannot find the responder's certificate (set using the OCSP security properties).
at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:296)
at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:240)
at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:216)
at com.ibm.security.cert.RevocationChecker.init(RevocationChecker.java:105)
at com.ibm.security.cert.RevocationChecker.<init>(RevocationChecker.java:94)
at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:393)
at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:530)
at com.ibm.security.cert.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:223)
at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:158)
... 54 more
LOCAL FIX:
None
PROBLEM SUMMARY:
WebSphere fails to successfully validate a certificate chain using the CertPath security component.
USERS AFFECTED:
IBM WebSphere Application Server traditional v8.5.x.x Java 8 SR6 users.
RECOMMENDATION:
Apply this i-fix to your SDK. It upgrades the bundled Java 8 to Java 8 SR6 plus IJ22800, or installs it at that level.
PROBLEM CONCLUSION:
Applying this i-fix will update the extension offering Java 8 to Java 8 SR6 plus IJ22800.
Problems (APARS) fixed
Document Information
Modified date: 10 March 2020
UID: ibm15694909