IBM Support

PH36184: LDAP CERTIFICATE FILTER DOES NOT RECOGNIZE A PLUS SIGN ' + ' DELIMITER.


APAR status

  • Closed as program error.

Error description

  • When the certificate filter uses ${Subject<xx>} to pull a
    component out of the Subject Distinguished Name of a certificate
    used for client certificate authentication, the parser only
    recognizes the comma ' , ' as a delimiter. RFC 4514 also defines
    the plus sign ' + ' as the delimiter between the attribute values
    of a multi-valued RDN, so a subject that contains a plus sign is
    not parsed correctly.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  The users of IBM WebSphere Application      *
    *                  Server who use Standalone LDAP              *
    *                  configuration and use a certificate that    *
    *                  includes plus sign(+) to filter.            *
    ****************************************************************
    * PROBLEM DESCRIPTION: The ${Subject<xx>} filter does not      *
    *                      handle the blank/space in the Subject   *
    *                      Distinguished Name if it has a plus     *
    *                      sign (+).                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The Standalone LDAP feature provides a built-in filter function.
    This built-in filter can extract any valid component of the
    Subject Distinguished Name by specifying "${Subject<xx>}".
    However, the function did not work for a Subject Name that
    includes a plus sign (+). RFC 4514 section 2.2 allows a plus sign
    (+) to separate the attribute values of a multi-valued RDN in the
    Subject Name, for example
    "C=US,O=IBMCorp,OU=Cloud,SERIALNUMBER=12345 + CN=TestUser".
    The filter handles the plus sign only when the custom property
    security.registry.ldap.compoundRDNParsingEnabled is set (see the
    steps below).
    With the custom property set, the filter ${SubjectSERIALNUMBER}
    should return "12345" for the above Subject Name, but it returned
    "12345 " with an extra trailing space, because the blank next to
    the plus sign was kept as part of the value. As a result, the
    certificate mapping failed. This APAR removes the extra trailing
    spaces.
    Setting the custom property that handles the plus sign:
    1. Go to Global security > Standalone LDAP registry.
    2. Use the custom property field just below the "Ignore case for
    authorization" checkbox.
    3. Set the custom property
    "security.registry.ldap.compoundRDNParsingEnabled" to true.
    4. Restart the server.
    Reference
    (1) RFC 4514 section 2.2
    https://tools.ietf.org/html/rfc4514
    (2) IBM Documentation, "Configuring Lightweight Directory Access
    Protocol search filters"
    https://www.ibm.com/docs/en/was/8.5.5?topic=cldapur-configuring-lightweight-directory-access-protocol-search-filters-1
    >> ${Subject<xx>} where <xx> is replaced by the characters that
    represent any valid component of the Subject Distinguished
    Name. For example, you might use ${SubjectCN} for the Subject
    Common Name.
    
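The following Python is an added illustration for this APAR; it is not IBM's code and not the WebSphere parser. It models what a ${Subject<xx>} filter has to do with the example subject quoted above: split the string DN on ',' and on unescaped '+' as RFC 4514 section 2.2 requires, drop the whitespace the RFC permits next to a delimiter (the trailing-space defect this APAR fixed), and escape the extracted value before it is substituted into an LDAP search filter. The SAMPLE_SUBJECT constant, the filter template and the two keyword flags (compound_rdn_parsing, strip_delimiter_space) are assumptions made for the example; the flags exist only to reproduce the two failure modes this page describes.

```python
import re

# Subject DN constructed for this example (the one quoted in the APAR text).
SAMPLE_SUBJECT = "C=US,O=IBMCorp,OU=Cloud,SERIALNUMBER=12345 + CN=TestUser"


def _split_unescaped(s, delims):
    """Split s on any character in delims that is not backslash-escaped,
    keeping escape pairs intact for the unescape step."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if ch in delims:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(val):
    """Undo RFC 4514 escapes: '\\c' for a special character and '\\XX' for
    one hex-encoded byte (multi-byte UTF-8 sequences are not reassembled)."""
    out, i = [], 0
    while i < len(val):
        if val[i] == "\\" and i + 1 < len(val):
            pair = val[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(val[i + 1])
                i += 2
            continue
        out.append(val[i])
        i += 1
    return "".join(out)


def _trim(val):
    """Drop the whitespace RFC 4514 allows around a delimiter; an escaped
    trailing space ('\\ ') is data and is kept."""
    return re.sub(r"(?<!\\)\s+$", "", val.lstrip())


def parse_dn(dn, compound_rdn_parsing=True, strip_delimiter_space=True):
    """Return the DN as a list of RDNs, each a list of (TYPE, value) tuples.

    RDNs are separated by ',' and the attribute values of a multi-valued RDN
    by '+'.  Both flags are assumptions for this example: False on the first
    models a parser that only knows ',' (custom property not set); False on
    the second models the pre-fix parser that kept the blank next to '+'."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = _split_unescaped(rdn, "+") if compound_rdn_parsing else [rdn]
        pairs = []
        for ava in avas:
            typ, _, val = ava.partition("=")
            if strip_delimiter_space:
                val = _trim(val)
            pairs.append((typ.strip().upper(), _unescape(val)))
        rdns.append(pairs)
    return rdns


def subject_component(dn, xx, **parse_opts):
    """Model of ${Subject<xx>}: the value of the first attribute whose type
    matches <xx> (case-insensitive), or None if the subject has none."""
    for rdn in parse_dn(dn, **parse_opts):
        for typ, val in rdn:
            if typ == xx.upper():
                return val
    return None


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(val):
    """RFC 4515 escaping, so a value taken from a client certificate cannot
    change the structure of the search filter it is substituted into."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in val)


def expand_certificate_filter(template, dn, **parse_opts):
    """Expand every ${Subject<xx>} in a certificate-filter template such as
    '(serialNumber=${SubjectSERIALNUMBER})'.  A missing component is an
    error rather than an empty (and therefore over-broad) filter."""
    def repl(m):
        val = subject_component(dn, m.group(1), **parse_opts)
        if val is None:
            raise KeyError("subject has no %s component" % m.group(1))
        return ldap_filter_escape(val)
    return re.sub(r"\$\{Subject([A-Za-z0-9.]+)\}", repl, template)
```

With the default flags subject_component(SAMPLE_SUBJECT, "SERIALNUMBER") yields "12345"; with strip_delimiter_space=False it yields "12345 " (the value this APAR reports), and with compound_rdn_parsing=False the whole remainder "12345 + CN=TestUser" comes back as the serial number, which is why neither form ever matched an LDAP entry. The RFC 4515 escaping step is not something the page discusses; it is included because a subject value is attacker-chosen at enrollment time and must not be able to rewrite the search filter.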

Problem conclusion

  • The bug has been fixed.
    
    The fix for this APAR is targeted for inclusion in fix pack
    9.0.5.10 and 8.5.5.21. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH36184

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-09

  • Closed date

    2021-10-11

  • Last modified date

    2023-05-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • Business Unit: IBM Software w/o TPS (BU059)
  • Product: WebSphere Application Server (SSEQTP)
  • Platform: Platform Independent (PF025)
  • Version: 8.5
  • Line of Business: Automation (LOB45)

Document Information

Modified date:
26 May 2023