IBM Support

PH41012: WCT SHOULD BE UPDATED TO CLARIFY THE DEFAULT OF "GENERATE CA CERTIFICATE" CREATES A SELF-SIGNED CERTIFICATE CHAIN.


APAR status

  • Closed as program error.

Error description

  • WCT - Profile Management Tool (WebSphere Customization Toolkit)
    needs to be modified to make clear what it means to select the
    option "Generate certificate authority (CA)" on the SSL
    Customization panel.
    If the check box is checked (the default), WCT generates RACF
    commands to create a self-signed certificate chain. This allows
    WAS to have a complete configuration and servers to start
    successfully without additional manual steps.
    If the check box is unchecked, the user is expected to provide a
    valid CA certificate (e.g., a third-party certificate).

    The RACF-generated certificate is a self-signed certificate
    chain and is not recommended for production use. At any point,
    the default configuration can be updated to use third-party
    certificates.
    Some customers reported audit failures when self-signed
    certificates are used.
    

Local fix

  • If needed, the certificates can be updated per IBM
    documentation.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V8.5, V9.0 for zOS                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere Customization Toolkit needs   *
    *                      to clarify what type of certificate is  *
    *                      generated by default.                   *
    ****************************************************************
    * RECOMMENDATION:  If a valid certificate authority (CA)       *
    *                  certificate is required, one must be        *
    *                  provided by the user.                       *
    ****************************************************************
    WebSphere Customization Toolkit needs to be modified to make
    clear what it means to select the option "Generate certificate
    authority (CA)" on the SSL Customization panel.
    If the check box is checked (the default), WCT generates RACF
    commands to create a self-signed certificate chain. This allows
    WebSphere Application Server to have a complete configuration
    and servers to start successfully without additional manual
    steps.
    If the check box is unchecked, the user is expected to provide
    a valid CA certificate (e.g., a third-party certificate).
    The RACF-generated certificate is a self-signed certificate
    chain and might not be recommended for production use. At any
    point, the default configuration can be updated to use
    third-party certificates.
    Some customers reported audit failures when self-signed
    certificates are used.
    

Problem conclusion

  • On the SSL Customization panel, modified the option "Generate
    certificate authority (CA) certificate" to "Generate a
    self-signed certificate chain" to avoid any confusion that a CA
    certificate will be generated by default.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.22 and 9.0.5.12. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH41012

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-10-01

  • Closed date

    2022-05-18

  • Last modified date

    2022-05-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels


Document Information

Modified date:
19 May 2022