Download
Abstract
JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform
Download Description
PM12971 resolves the following problem:
ERROR DESCRIPTION:
The JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform.
The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute.
LOCAL FIX:
No work around noted at this time.
PROBLEM SUMMARY:
USERS AFFECTED:
IBM WebSphere Application Server V6.1 and V7.0 users of WS-Security enabled JAX-RPC
web services applications and digital signature
PROBLEM DESCRIPTION:
JAX-RPC WS-Security runtime cannot properly generate or consume signed
security tokens that are signed with STR-Transform
RECOMMENDATION:
Install a fix pack that includes this APAR.
The JAX-RPC WS-Security 1.0 runtime cannot properly generate or consume a security token that is referenced with a SecurityTokenReference that is signed with the STR Dereference Transform reference option.
The STR-Transform Transform algorithm will be specified in the Reference in the Signature element when the STR Dereference Transform reference option is being used. The Reference
element will point to the SecurityTokenReference for the security token that is to be signed.
The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute, or any security token that does not appear in the message.
When the JAX-RPC runtime is configured to sign a security token using STR-Transform, the runtime will add a wsu:Id attribute directly to the security token and not add the required sse:SecurityTokenReference element. This is not acceptable for tokens that do not allow the wsu:Id attribute, such as SAML tokens.
When the JAX-RPC runtime receives a wsse:SecurityTokenReference element that is outside of the
Signature element in the SOAP security header, which is required for a security token that is signed with STR-Transform, an error like the following will occur:
WSEC5503E: Unknown element wsse:SecurityTokenReference in the
wsse:Security element.
The STR-Transform transform algorithm is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-mes
sage-security-1.0#STR-Transform
The wsse:SecurityTokenReference element is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur
ity-secext-1.0.xsd}SecurityTokenReference
The wsu:Id attribute is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecur
ity-utility-1.0.xsd}Id
PROBLEM CONCLUSION:
The JAX-RPC WS-Security 1.0 runtime is updated to properly generate and consume security tokens that are signed using STR-Transform in the following conditions:
* The security token can be referenced by a Reference element within a wsse:SecurityTokenReference element
-or-
* The token is a SAML 1.1 or SAML 2.0 Assertion that can be referenced by a KeyIdentifier element in the wsse:SecurityTokenReference element.
Any token that must be referred to with a KeyIdentifier that is not a SAML 1.1 or 2.0 Assertion is not supported. This includes tokens that do not appear in the message.
For the purposes of this APAR, the UsernameToken, X.509, and LTPA tokens were those tested for
wsse:SecurityTokenReference/Reference.
The SAML 1.1 Assertion is:
{urn:oasis:names:tc:SAML:1.0:assertion}Assertion
The SAML 2.0 Assertion is:
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion
This APAR only applies to the JAX-RPC WS-Security 1.0 runtime. The JAX-RPC Draft 13 runtime was not updated.
The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.37 and 7.0.0.17. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?uid=swg27004980
6.1.0.19-WS-WAS-IFPM12971.pak will apply to fix pack levels 6.1.0.19 through 6.1.0.35.
Prerequisites
Download the UpdateInstaller below to install this fix.
Installation Instructions
Review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/support/entry/portal/Overview/Software/WebSphere/WebSphere_Application_Server), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg24028734