PM12971; 6.1.0.35: jax-rpc ws-security str-transform processing is incorrect

Download

Abstract

JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform

Download Description

PM12971 resolves the following problem:

ERROR DESCRIPTION:
The JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform.

The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute.

LOCAL FIX:
No work around noted at this time.

PROBLEM SUMMARY:

USERS AFFECTED:
IBM WebSphere Application Server V6.1 and V7.0 users of WS-Security enabled JAX-RPC
web services applications and digital signature

PROBLEM DESCRIPTION:
JAX-RPC WS-Security runtime cannot properly generate or consume signed
security tokens that are signed with STR-Transform

RECOMMENDATION:
Install a fix pack that includes this APAR.

The JAX-RPC WS-Security 1.0 runtime cannot properly generate or consume a security token that is referenced with a SecurityTokenReference that is signed with the STR Dereference Transform reference option.

The STR-Transform Transform algorithm will be specified in the Reference in the Signature element when the STR Dereference Transform reference option is being used. The Reference
element will point to the SecurityTokenReference for the security token that is to be signed.

The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute, or any security token that does not appear in the message.

When the JAX-RPC runtime is configured to sign a security token using STR-Transform, the runtime will add a wsu:Id attribute directly to the security token and not add the required sse:SecurityTokenReference element. This is not acceptable for tokens that do not allow the wsu:Id attribute, such as SAML tokens.

When the JAX-RPC runtime receives a wsse:SecurityTokenReference element that is outside of the
Signature element in the SOAP security header, which is required for a security token that is signed with STR-Transform, an error like the following will occur:

WSEC5503E: Unknown element wsse:SecurityTokenReference in the
wsse:Security element.

The STR-Transform transform algorithm is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-mes sage-security-1.0#STR-Transform

The wsse:SecurityTokenReference element is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur ity-secext-1.0.xsd}SecurityTokenReference

The wsu:Id attribute is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur ity-utility-1.0.xsd}Id

PROBLEM CONCLUSION:
The JAX-RPC WS-Security 1.0 runtime is updated to properly generate and consume security tokens that are signed using STR-Transform in the following conditions:

* The security token can be referenced by a Reference element within a wsse:SecurityTokenReference element
-or-
* The token is a SAML 1.1 or SAML 2.0 Assertion that can be referenced by a KeyIdentifier element in the wsse:SecurityTokenReference element.

Any token that must be referred to with a KeyIdentifier that is not a SAML 1.1 or 2.0 Assertion is not supported. This includes tokens that do not appear in the message.

For the purposes of this APAR, the UsernameToken, X.509, and LTPA tokens were those tested for
wsse:SecurityTokenReference/Reference.

The SAML 1.1 Assertion is:
{urn:oasis:names:tc:SAML:1.0:assertion}Assertion

The SAML 2.0 Assertion is:
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion

This APAR only applies to the JAX-RPC WS-Security 1.0 runtime. The JAX-RPC Draft 13 runtime was not updated.

The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.37 and 7.0.0.17. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?uid=swg27004980

6.1.0.19-WS-WAS-IFPM12971.pak will apply to fix pack levels 6.1.0.19 through 6.1.0.35.

Prerequisites

Download the UpdateInstaller below to install this fix.

[{"PRLabel":"UpdateInstaller","PRLang":"US English","PRSize":"7250000","PRPlat":{"label":"AIX","code":"PF002"},"PRURL":"http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991"}]

Installation Instructions

Review the readme.txt for detailed installation instructions.

[{"INLabel":"Readme","INLang":"US English","INSize":"11191","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12971/readme.txt"}]

          [{"DNLabel":"6.1.0.19-WS-WAS-IFPM12971","DNDate":"12/9/2010","DNLang":"US English","DNSize":"169578","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.19-WS-WAS-IFPM12971&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch","DNURL_FTP":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM12971/6.1.0.19-WS-WAS-IFPM12971.pak","DDURL":"http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM12971/6.1.0.19-WS-WAS-IFPM12971.pak"}]
          

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/support/entry/portal/Overview/Software/WebSphere/WebSphere_Application_Server), or contact 1-800-IBM-SERV (U.S. only).

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web Services Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"6.1.0.19;6.1.0.21;6.1.0.23;6.1.0.25;6.1.0.27;6.1.0.29;6.1.0.31;6.1.0.33;6.1.0.35","Edition":"Base;Network Deployment","Line of Business":{"code":"LOB45","label":"Automation"}}]

Problems (APARS) fixed
PK77138;PK85910;PM12971

Was this topic helpful?

Document Information

Modified date:
15 June 2018

UID

swg24028734

Tips