PI79275: JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.

Fixes are available

APAR status

Closed as program error.

Error description

In WebSphere Liberty 17.0.0.1, if a user attempts to invoke
a remote HTTPS
service using the JAX-RS 2.0 client APIs, and they have the
ssl-1.0 feature
enabled in server configuration, but do not have any SSL
configuration, then
the invocation may fail, and the user may see a warning in
the logs like this:

[3/14/17 13:42:55:957 CDT] 00000035
m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017
0227-0220(id=83)] W Interceptor for
{https://testserver.internal.ibm.com}WebCli
ent has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS
enderEnd
ingInterceptor.handleMessage(MessageSenderInterceptor.java:6
4)
...
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: IOException invoking
https://asset-websphere.ib
m.com: SSLSocketFactory creation fails as the SSL
configuration reference "null
" is invalid.
at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Nativ
e Method
...
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS
enderEnd
ingInterceptor.handleMessage(MessageSenderInterceptor.java:6
2)
    ... 58 more
Caused by: java.io.IOException: SSLSocketFactory creation
fails as the SSL conf
iguration reference "null" is invalid.
at
com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketF
actory.c
reateSocket(JaxRsProxySSLSocketFactory.java:80)
...
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
m.close(
HTTPConduit.java:1348)
    ... 61 more

This occurs because the JAX-RS framework in the Liberty
server is unable to
find the SSL configuration, since none is specified.  In
previous releases of
WebSphere Liberty, the JAX-RS framework would use the
default configuration as
provided by the JVM.
&#160;

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Liberty - JAX-RS                     *
****************************************************************
* PROBLEM DESCRIPTION: JAX-RS 2.0 Client calls fail when ssl-  *
*                      1.0 feature is enabled without any SSL  *
*                      configuration.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In WebSphere Liberty 17.0.0.1, if a user attempts to invoke a
remote HTTPS
service using the JAX-RS 2.0 client APIs, and they have the ssl-
1.0 feature
enabled in server configuration, but do not have any SSL
configuration, then
the invocation may fail, and the user may see a warning in the
logs like this:

[3/14/17 13:42:55:957 CDT] 00000035
m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017
0227-0220(id=83)] W Interceptor for
{https://testserver.internal.ibm.com}WebCli
ent has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
	at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
rEnd
ingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
...
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: IOException invoking
https://asset-websphere.ib
m.com: SSLSocketFactory creation fails as the SSL configuration
reference "null
" is invalid.
	at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method
...
	at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
rEnd
ingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	... 58 more
Caused by: java.io.IOException: SSLSocketFactory creation fails
as the SSL conf
iguration reference "null" is invalid.
	at
com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketFacto
ry.c
reateSocket(JaxRsProxySSLSocketFactory.java:80)
...
	at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
ose(
HTTPConduit.java:1348)
	... 61 more

This occurs because the JAX-RS framework in the Liberty server
is unable to
find the SSL configuration, since none is specified.  In
previous releases of
WebSphere Liberty, the JAX-RS framework would use the default
configuration as
provided by the JVM.

Problem conclusion

The fix for this APAR will detect the case where the ssl-1.0
feature is enabled, but no SSL configuration is provided in the
server configuration.  When that case is detected, the JAX-RS
framework will use the JVM's default SSL configuration.

The fix for this APAR is currently targeted for inclusion in fix
pack 17.0.0.2.  Please refer to the Recommended Updates page for
delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

There are three known workarounds for this problem:
1) Remove the ssl-1.0 feature from the featureManager element in
the server's
configuration (server.xml, etc.).  JAX-RS Client calls will use
the JVM's SSL
configuration.
2) Add a default SSL configuration to your server's
configuration.  For
example:
     <ssl id="defaultSSLConfig" keyStoreRef="clientKeyStore"
trustStoreRef="cli
entTrustStore" />
     <keyStore id="clientKeyStore" location="/path/to/key.jks"
type="JKS" passw
ord="myPassword" />
     <keyStore id="clientTrustStore"
location="/path/to/trust.jks" type="JKS"
password="myPassword" />
3) Modify the JAX-RS client code to specify a default SSL
context.  Ex:
        ClientBuilder cb = ClientBuilder.newBuilder();
        cb.sslContext(SSLContext.getDefault());
        Client c = cb.build();

Comments

APAR Information

APAR number
PI79275
Reported component name
WAS LIBERTY COR
Reported component ID
5725L2900
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-04-03
Closed date
2017-04-13
Last modified date
2017-04-13

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WAS LIBERTY COR
Fixed component ID
5725L2900

Applicable component levels

RCD0 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 May 2022

Tips

PI79275: JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

RCD0 PSY

Document Information

Share your feedback

Need support?