APAR status
Closed as program error.
Error description
The WS-Security sample keys and certificates that are shipped with WebSphere Application Server v855 and v9 expired on 8/7/2023 and 8/8/2023. The following WS-Security sample keystore and certificate files are affected:

dsig-sender.ks
dsig-receiver.ks
enc-sender.ks
enc-receiver.ks
intca2.cer

An error like the following is logged when one of the expired keys or certificates is used:

Exception: javax.xml.ws.soap.SOAPFaultException: java.security.PrivilegedActionException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5181E: The following certificate, which is owned by CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP with the soaprequester alias from the c:\was90517\WebSphere\AppServer\profiles\guava/etc/ws-security/samples/dsig-sender.ks keystore, has expired: java.security.cert.CertificateExpiredException: NotAfter: Tue Aug 08 12:46:30 CDT 2023 ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityGeneratorHandler$2@10737d36

==============================
The signing certificates and encryption keys that are replaced by this APAR are used in the JAX-WS and JAX-RPC Web Services Default Bindings for Web Services Security. They are provided for testing and example purposes only and should not be used on production systems. If you are using the WS-Security sample keys or certificates in production, your services are at risk. See https://www.ibm.com/support/pages/node/7025379 for instructions for remediation.
==============================

An ifix to replace the keystores for use with WS-Security configuration tasks in the IBM Documentation can be found at https://www.ibm.com/support/pages/node/7074520
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server

PROBLEM DESCRIPTION: The keys and certificates in the WS-Security sample keystores are expired.

RECOMMENDATION: If you are using the keys and certificates in production, follow the instructions on https://www.ibm.com/support/pages/node/7025379. Otherwise, install a fix pack or interim fix that contains this APAR.

The keys and certificates in the following WS-Security keystores and certificate files are expired.
Problem conclusion
The WS-Security sample keystores are replaced with new keystores with the same name. The new keystores have new keys and certificates that expire in 2080.

When a fixpack that contains the new keystores is installed, the keystores are updated in the following directories:

(WAS_HOME)/etc/ws-security/samples
(WAS_HOME)/profileTemplates/default/documents/etc/ws-security/samples

The following files are replaced:

dsig-receiver.ks
dsig-sender.ks
enc-receiver.jceks
enc-sender.jceks
intca2.cer

When new profiles are created, the new keystores are used. Since the keystores that are located in existing profiles might be updated after creation, the keystores in existing profiles are not replaced. To replace the keystores in a profile, you must copy the keystores from the (WAS_HOME)/etc/ws-security/samples directory to the (PROFILE_ROOT)/etc/ws-security/samples directory.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.25 and 9.0.5.18. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553

==============================
The signing certificates and encryption keys that are replaced by this APAR are used in the JAX-WS and JAX-RPC Web Services Default Bindings for Web Services Security. They are provided for testing and example purposes only and should not be used on production systems. If you are using the WS-Security sample keys or certificates in production, your services are at risk. See https://www.ibm.com/support/pages/node/7025379 for instructions for remediation.
==============================

An ifix to replace the keystores for use with WS-Security configuration tasks in the IBM Documentation can be found at https://www.ibm.com/support/pages/node/7074520
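
The profile copy step described above, as an added shell example (not IBM's code): it compares each file in (WAS_HOME)/etc/ws-security/samples byte for byte with the profile's copy and replaces only the files that differ, saving the profile's previous files first because they may have been changed after profile creation. The function names and the .bak.<timestamp> backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. WAS_HOME and PROFILE_ROOT are passed as arguments.

# list_stale SRC DST: print each file name in SRC that is missing from DST
# or whose bytes differ from the copy in DST.
list_stale() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        if ! cmp -s "$f" "$2/$n" 2>/dev/null; then
            printf '%s\n' "$n"
        fi
    done
    return 0
}

# sync_samples WAS_HOME PROFILE_ROOT: replace stale sample keystores in one
# profile, saving the profile's previous copies first.
sync_samples() {
    s_src=$1/etc/ws-security/samples
    s_dst=$2/etc/ws-security/samples
    if [ ! -d "$s_src" ] || [ ! -d "$s_dst" ]; then
        echo "samples directory missing under $1 or $2" >&2
        return 2
    fi
    stale=$(list_stale "$s_src" "$s_dst")
    [ -n "$stale" ] || return 0   # profile already matches WAS_HOME
    backup=$s_dst.bak.$(date +%Y%m%d%H%M%S)
    mkdir -p "$backup" || return 1
    while IFS= read -r name; do
        # Profile keystores may have been changed after profile creation,
        # so keep the old file rather than overwriting it blindly.
        if [ -f "$s_dst/$name" ]; then
            cp -p "$s_dst/$name" "$backup/$name" || return 1
        fi
        cp -p "$s_src/$name" "$s_dst/$name" || return 1
        echo "replaced $name (previous copy, if any, saved in $backup)"
    done <<EOF
$stale
EOF
}

if [ "$#" -eq 2 ]; then
    sync_samples "$1" "$2"
fi
```

Run it once per existing profile after the fix pack is installed; a second run against the same profile makes no changes and creates no new backup directory.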
Temporary fix
Comments
APAR Information
APAR number
PH56482
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-08-22
Closed date
2023-10-02
Last modified date
2023-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Document Information
Modified date:
09 December 2023