A fix is available
APAR status
Closed as program error.
Error description
An application is deployed to WebSphere secured by SSL. For example, web.xml contains: <transport-guarantee>CONFIDENTIAL</transport-guarantee> The application server virtual hosts contains more than one port that is an SSL port. An example may look like: Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 * 5061 (SSL port - SIP_DEFAULTHOST_SECURE) Attempting to invoke the webcontainer non-SSL port 9080 for the application should redirect to the webconatier SSL port 9443 for the application. Working scenario with the example above would cause URL http://hostname:9080/ContextRootWAR/index.html to redirect to: https://hostname:9443/ContextRootWAR/index.html However, the webcontainer non-SSL port 9080 is redirected to a different SSL port 5061 listed in the virtual host alias. A failing scenario with the example above would cause URL http://hostname:9080/ContextRootWAR/index.html to redirect to: https://hostname:5061/ContextRootWAR/index.html causing a failure to load the SSL protected page. Enabling the trace: com.ibm.ws.security.web.*=all prior to invoking the non-SSL URL and searching on the following tracepoints can be used to determine port that is being redirected to. Trace would look like: ----- Trace: 2010/03/10 20:40:40.816 01 t=8CA108 c=UNK key=P8 (13007002) ThreadId: 0000002b FunctionName: Found HTTPS port 5061 in virtual host default_host SourceId: com.ibm.ws.security.web.WebCollaborator Category: FINER ExtendedMessage: Exit Trace: 2010/03/10 20:40:40.817 01 t=8CA108 c=UNK key=P8 (13007002) ThreadId: 0000002b FunctionName: com.ibm.ws.security.web.WebCollaborator SourceId: com.ibm.ws.security.web.WebCollaborator Category: FINEST ExtendedMessage: Redirected to https://host:5061/ContextRootWAR/index.html -------
Local fix
If other SSL ports are not being used in the virtual hosts, specify only one SSL port in the virtual hosts which is the web container SSL port. For example, port 9443 is the only SSL port in tihs example: ---- Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 -----
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V7.0 * **************************************************************** * PROBLEM DESCRIPTION: For WebSphere Application Server, * * accessing an SSL protected Web * * resource through the non-SSL port * * does not redirect the request using * * the HTTPS port. * **************************************************************** * RECOMMENDATION: * **************************************************************** For WebSphere Application Server, when the transport chain associated with the "WC_defaulthost_secure" port is removed and then added again, an SSL protected resource is not redirected using the SSL port. The first transport chain that contains an SSL channel and that is also in the same virtual host as the non-SSL port is used instead. For example, for the default_host virtual host, Virtual Hosts > default_host > Host Aliases * 9080 * 9443 (SSL port - WC_defaulthost_secure) * 80 * 5060 * 5061 (SSL port - SIP_DEFAULTHOST_SECURE) the SSL port used is 5061 instead of the expected 9443 when redirecting URLs with the non-SSL port 9080.
Problem conclusion
The security code was modified to correctly use HTTPS ports belonging to the Web Container when determining the SSL port to use for redirecting the HTTP request. APAR PM11953 is currently targeted for inclusion in Service Level (Fix Pack) 7.0.0.13 of WebSphere Application Server V7.0. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM11953
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-04-12
Closed date
2010-07-07
Last modified date
2010-11-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R700 PSY UK61114
UP10/10/21 P F010
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
10 February 2022