Fixes are available
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.5.0.1: WebSphere Application Server V8.5 Fix Pack 1
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as new function.
Error description
The Web Services security runtime supports only SHA-1 signature algorithms such as RSA-SHA1 and HMAC-SHA1. New recommendations from NIST (Special Publication 800-131A) indicate that SHA-1 has weaknesses and that implementations shall move to SHA-2 for digital signatures.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server who use web services security to secure messages.
PROBLEM DESCRIPTION: The Web Services security runtime does not have support to use SHA-2 digital signature algorithms to produce digital signatures.
RECOMMENDATION: Install fix packs that have this APAR.

The Web Services security runtime supports only SHA-1 signature algorithms (such as RSA-SHA1 and HMAC-SHA1) to produce digital signatures. New recommendations from NIST indicate that SHA-1 has weaknesses and that implementations shall move to SHA-2 for digital signatures.
Problem conclusion
The Web Services security runtime is updated to support the following SHA-2 signature algorithms to produce digital signatures while securing web services request or response messages.

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

To use one of these signature algorithms, set the following custom property in the signing information section of the request or response to enable the desired SHA-2 signature algorithm. Ensure that the same value is used for both the client and the provider when configuring this custom property.

com.ibm.ws.wssecurity.dsig.SignatureAlgorithm

The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property specifies the SHA-2 signature algorithm for XML digital signatures. By default, WebSphere Application Server uses SHA1withRSA or HMACSHA1 to generate digital signatures. The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property can be set to the following values:

rsa-sha256 for http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
rsa-sha384 for http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
rsa-sha512 for http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
hmac-sha256 for http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
hmac-sha384 for http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
hmac-sha512 for http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

You can configure the com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property from either the outbound signing information or the inbound signing information. To configure com.ibm.ws.wssecurity.dsig.SignatureAlgorithm, complete the following steps in the admin console:

* Click Services > Service clients or Service providers.
* Click the service_name > binding_name.
* Under WS-Security > Authentication and protection
* Under either Request message signature and encryption protection or Response message signature and encryption protection, click the signature_message_part_reference.
* Add or update the com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property with one of the values shown above.
* Click OK
* Save

If you want to use a SHA-2 signature algorithm with a self-issued SAML token, see APAR PI33760:
http://www-01.ibm.com/support/docview.wss?uid=swg1PI33760

Client and provider sample bindings that include the settings for the SHA256 signature algorithms on the symmetric and asymmetric sign parts are provided with this technote:
http://www-01.ibm.com/support/docview.wss?uid=swg21978836

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.25, 8.0.0.4 and 8.5.0.1. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
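
A way to confirm on the wire that the property took effect and that client and provider agree, shown as an added example that is not IBM code. It reads the ds:SignatureMethod of a captured SOAP message and compares it with the configured property value; the function names and the sample envelope are constructed for illustration, and the SHA-1 URIs are the standard XML-DSig identifiers rather than values taken from this page.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
DSIG_MORE = "http://www.w3.org/2001/04/xmldsig-more#"
# Property values listed on this page, mapped to the URIs they select.
SHA2_ALGORITHMS = {v: DSIG_MORE + v for v in (
    "rsa-sha256", "rsa-sha384", "rsa-sha512",
    "hmac-sha256", "hmac-sha384", "hmac-sha512")}
# XML-DSig URIs for the SHA-1 defaults (RSA-SHA1, HMAC-SHA1).
SHA1_ALGORITHMS = {DSIG + "rsa-sha1", DSIG + "hmac-sha1"}


def signature_methods(soap_xml):
    """Return the Algorithm URI of every ds:SignatureMethod in the message."""
    # For captures from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(soap_xml)
    return [el.get("Algorithm", "")
            for el in root.iter("{%s}SignatureMethod" % DSIG)]


def check_message(soap_xml, property_value):
    """List problems with the signature algorithms found on the wire."""
    expected = SHA2_ALGORITHMS[property_value]  # KeyError: not a listed value
    methods = signature_methods(soap_xml)
    findings = []
    if not methods:
        findings.append("no ds:SignatureMethod found")
    for uri in methods:
        if uri in SHA1_ALGORITHMS:
            findings.append("SHA-1 signature still in use: " + uri)
        elif uri != expected:
            findings.append("mismatch: got %s, expected %s" % (uri, expected))
    return findings


def sample_envelope(algorithm_uri):
    """Constructed SOAP message carrying only the elements the check reads."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Header><ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:SignatureMethod Algorithm="%s"/>'
            '</ds:SignedInfo></ds:Signature></s:Header><s:Body/>'
            '</s:Envelope>' % (DSIG, algorithm_uri))


if __name__ == "__main__":
    for uri in (DSIG + "rsa-sha1", SHA2_ALGORITHMS["rsa-sha256"]):
        print(uri, "->", check_message(sample_envelope(uri), "rsa-sha256"))
```

An empty result means every signature in the message uses the algorithm selected by the property value; run it against both a request and a response, since the property is set separately in each signing information section.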
Temporary fix
Comments
APAR Information
APAR number
PM62842
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2012-04-19
Closed date
2012-07-11
Last modified date
2016-03-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 October 2021