APAR status
Closed as program error.
Error description
Error Message: CWWSS5514E: An exception while processing WS-Security message: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.

Stack Trace:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:138)
    at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.getSoapSecurityException(CommonTokenConsumer.java:592)
    at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:431)
    at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2563)
    at com.ibm.ws.wssecurity.core.WSSConsumer.callTokenConsumer(WSSConsumer.java:2382)
    at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:821)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.access$100(WSSecurityConsumerHandler.java:127)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1.run(WSSecurityConsumerHandler.java:191)
    at com.ibm.ws.security.context.ContextImpl.runWith(ContextImpl.java:363)
    at com.ibm.ws.wssecurity.platform.websphere.auth.WSSContextImpl.runWith(WSSContextImpl.java:66)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$2.run(WSSecurityConsumerHandler.java:197)
    at java.security.AccessController.doPrivileged(AccessController.java:734)
    at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:195)
    at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:372)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:199)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at com.ibm.ws.websvcs.transport.http.WASAxis2Servlet.doPost(WASAxis2Servlet.java:1632)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4047)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1016)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:213)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: javax.security.auth.login.LoginException: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1361)
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.processElement(X509ConsumeLoginModule.java:1167)
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.login(X509ConsumeLoginModule.java:321)
    at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:324)
    ... 45 more
Caused by: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:165)
    at com.ibm.security.cert.SunCertPathBuilder.build(SunCertPathBuilder.java:129)
    at com.ibm.security.cert.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:124)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:292)
    at com.ibm.ws.wssecurity.util.CertificateUtil.buildCertPath(CertificateUtil.java:1163)
    at com.ibm.ws.wssecurity.util.CertificateUtil.validateX509Certificate(CertificateUtil.java:991)
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.validateX509(X509ConsumeLoginModule.java:1337)
    ... 48 more
Caused by: java.security.cert.CertPathValidatorException: Cannot find the responder's certificate (set using the OCSP security properties).
    at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:296)
    at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:240)
    at com.ibm.security.cert.RevocationChecker.getResponderCert(RevocationChecker.java:216)
    at com.ibm.security.cert.RevocationChecker.init(RevocationChecker.java:105)
    at com.ibm.security.cert.RevocationChecker.<init>(RevocationChecker.java:94)
    at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:393)
    at com.ibm.security.cert.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:530)
    at com.ibm.security.cert.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:223)
    at com.ibm.security.cert.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:158)
    ... 54 more
Local fix
If you use the OCSP Security properties found within the java.security file, ensure that each property is set to a meaningful value. The commented-out values found within the java.security file are not meaningful. They are illustrative only.
Problem summary
The failing test cases were using the OCSP Security properties shown below. The value of each was the same as the illustrative value found within the java.security file. These values were never meant to be used.
ocsp.responderURL=http://ocsp.example.net:80
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
ocsp.responderCertSerialNumber=2A:FF:00
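An added example, not IBM's code: a Python check that reads java.security-style text and reports ocsp.* properties that are active yet still set to the illustrative values listed above. The sample file content is constructed; the `ocsp.enable` line and the issuer name in it are assumptions for illustration.

```python
"""Flag active ocsp.* entries that still carry the illustrative values."""
import re

# Illustrative values as listed in the Problem summary (quotes stripped).
ILLUSTRATIVE = {
    "ocsp.responderURL": "http://ocsp.example.net:80",
    "ocsp.responderCertSubjectName": "CN=OCSP Responder, O=XYZ Corp",
    "ocsp.responderCertIssuerName": "CN=Enterprise CA, O=XYZ Corp",
    "ocsp.responderCertSerialNumber": "2A:FF:00",
}
_PROP = re.compile(r"^\s*(ocsp\.[A-Za-z.]+)\s*[=:]\s*(.*?)\s*$")


def active_ocsp_properties(text):
    """Return {name: value} for uncommented ocsp.* lines (last one wins)."""
    props = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # commented-out sample, not in effect
        m = _PROP.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip('"')
    return props


def audit(text):
    """Return sorted findings for properties left empty or illustrative."""
    findings = []
    for name, value in active_ocsp_properties(text).items():
        if not value:
            findings.append(f"{name}: empty value")
        elif value == ILLUSTRATIVE.get(name):
            findings.append(f"{name}: illustrative value {value!r} in use")
    return sorted(findings)


# Constructed sample: two properties uncommented but left unchanged.
SAMPLE = """\
ocsp.enable=true
ocsp.responderURL=http://ocsp.example.net:80
#ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
ocsp.responderCertIssuerName="CN=Constructed Issuing CA, O=Constructed Org"
ocsp.responderCertSerialNumber=2A:FF:00
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check covers only the file text it is given; properties set programmatically at run time are outside its view.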
Problem conclusion
Defensive logic has been added to the CertPath provider (ibmcertpathprovider.jar) to help protect against invalid OCSP Security property settings such as the one described.
The affected jar file is: ibmcertpathprovider.jar
The associated Hursley RTC Problem Report is: 143043
The associated Austin Git issue is Issue#16 for the CertPath component.
JVMs affected include: Java 8.0
The fix was delivered for Java 8.0 sr6 fp7 (cr20_01_u2).
The build level of the ibmcertpathprovider.jar delivered for Java 8.0 is 20200214-60.

This APAR will be fixed in the following Java Releases:
8 SR6 FP7 (8.0.6.7)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ22800
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-14
Closed date
2020-02-28
Last modified date
2020-02-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
07 December 2020
