Fixes are available
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.10: WebSphere Application Server Liberty 21.0.0.10
21.0.0.11: WebSphere Application Server Liberty 21.0.0.11
21.0.0.12: WebSphere Application Server Liberty 21.0.0.12
22.0.0.1: WebSphere Application Server Liberty 22.0.0.1
22.0.0.2: WebSphere Application Server Liberty 22.0.0.2
22.0.0.3: WebSphere Application Server Liberty 22.0.0.3
22.0.0.4: WebSphere Application Server Liberty 22.0.0.4
APAR status
Closed as program error.
Error description
In WebSphere Liberty 17.0.0.1, if a user attempts to invoke a remote HTTPS service using the JAX-RS 2.0 client APIs, and they have the ssl-1.0 feature enabled in server configuration, but do not have any SSL configuration, then the invocation may fail, and the user may see a warning in the logs like this: [3/14/17 13:42:55:957 CDT] 00000035 m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017 0227-0220(id=83)] W Interceptor for {https://testserver.internal.ibm.com}WebCli ent has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message. at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS enderEnd ingInterceptor.handleMessage(MessageSenderInterceptor.java:6 4) ... at java.lang.Thread.run(Thread.java:745) Caused by: java.io.IOException: IOException invoking https://asset-websphere.ib m.com: SSLSocketFactory creation fails as the SSL configuration reference "null " is invalid. at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Nativ e Method ... at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS enderEnd ingInterceptor.handleMessage(MessageSenderInterceptor.java:6 2) ... 58 more Caused by: java.io.IOException: SSLSocketFactory creation fails as the SSL conf iguration reference "null" is invalid. at com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketF actory.c reateSocket(JaxRsProxySSLSocketFactory.java:80) ... at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea m.close( HTTPConduit.java:1348) ... 61 more This occurs because the JAX-RS framework in the Liberty server is unable to find the SSL configuration, since none is specified. In previous releases of WebSphere Liberty, the JAX-RS framework would use the default configuration as provided by the JVM.  
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server Liberty - JAX-RS * **************************************************************** * PROBLEM DESCRIPTION: JAX-RS 2.0 Client calls fail when ssl- * * 1.0 feature is enabled without any SSL * * configuration. * **************************************************************** * RECOMMENDATION: * **************************************************************** In WebSphere Liberty 17.0.0.1, if a user attempts to invoke a remote HTTPS service using the JAX-RS 2.0 client APIs, and they have the ssl- 1.0 feature enabled in server configuration, but do not have any SSL configuration, then the invocation may fail, and the user may see a warning in the logs like this: [3/14/17 13:42:55:957 CDT] 00000035 m.ibm.ws.jaxrs.2.0.common:1.0.16.cl17012017 0227-0220(id=83)] W Interceptor for {https://testserver.internal.ibm.com}WebCli ent has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message. at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende rEnd ingInterceptor.handleMessage(MessageSenderInterceptor.java:64) ... at java.lang.Thread.run(Thread.java:745) Caused by: java.io.IOException: IOException invoking https://asset-websphere.ib m.com: SSLSocketFactory creation fails as the SSL configuration reference "null " is invalid. at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method ... at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende rEnd ingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ... 58 more Caused by: java.io.IOException: SSLSocketFactory creation fails as the SSL conf iguration reference "null" is invalid. at com.ibm.ws.jaxrs20.appsecurity.security.JaxRsProxySSLSocketFacto ry.c reateSocket(JaxRsProxySSLSocketFactory.java:80) ... at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl ose( HTTPConduit.java:1348) ... 61 more This occurs because the JAX-RS framework in the Liberty server is unable to find the SSL configuration, since none is specified. In previous releases of WebSphere Liberty, the JAX-RS framework would use the default configuration as provided by the JVM.
Problem conclusion
The fix for this APAR will detect the case where the ssl-1.0 feature is enabled, but no SSL configuration is provided in the server configuration. When that case is detected, the JAX-RS framework will use the JVM's default SSL configuration. The fix for this APAR is currently targeted for inclusion in fix pack 17.0.0.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
There are three known workarounds for this problem: 1) Remove the ssl-1.0 feature from the featureManager element in the server's configuration (server.xml, etc.). JAX-RS Client calls will use the JVM's SSL configuration. 2) Add a default SSL configuration to your server's configuration. For example: <ssl id="defaultSSLConfig" keyStoreRef="clientKeyStore" trustStoreRef="cli entTrustStore" /> <keyStore id="clientKeyStore" location="/path/to/key.jks" type="JKS" passw ord="myPassword" /> <keyStore id="clientTrustStore" location="/path/to/trust.jks" type="JKS" password="myPassword" /> 3) Modify the JAX-RS client code to specify a default SSL context. Ex: ClientBuilder cb = ClientBuilder.newBuilder(); cb.sslContext(SSLContext.getDefault()); Client c = cb.build();
Comments
APAR Information
APAR number
PI79275
Reported component name
WAS LIBERTY COR
Reported component ID
5725L2900
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-04-03
Closed date
2017-04-13
Last modified date
2017-04-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS LIBERTY COR
Fixed component ID
5725L2900
Applicable component levels
RCD0 PSY
UP
Document Information
Modified date:
03 May 2022