Fixes are available
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
APAR status
Closed as program error.
Error description
JAX-WS WS-Security needs to be updated to support the SHA384 and SHA512 digest algorithms.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security enabled JAX-WS web services     *
****************************************************************
* PROBLEM DESCRIPTION: JAX-WS WS-Security cannot process       *
*                      sha384 or sha512 digests                *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************

The JAX-WS WS-Security runtime uses the digest algorithms that correspond to the algorithm suites that are configurable in the WS-Security policy. There are 16 algorithm suites available to use: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/uwbs_wsspsal.html. Each of the suites uses either the sha1 or sha256 digest algorithm. It is not possible to configure an application to emit or consume a digest with the sha384 or sha512 algorithm.

Since there are use cases that require either the sha384 or sha512 digest algorithm, a method should be added to configure the digest algorithm.
Problem conclusion
The JAX-WS WS-Security runtime is updated so that the digest algorithm can be customized in the bindings to differ from what is set by the algorithm suite in the WS-Security policy.

The following WS-Security custom property is added:

com.ibm.ws.wssecurity.dsig.DigestAlgorithm

The following values are available:

sha1 for http://www.w3.org/2000/09/xmldsig#sha1
sha256 for http://www.w3.org/2001/04/xmlenc#sha256
sha384 for http://www.w3.org/2001/04/xmlenc#sha384
sha512 for http://www.w3.org/2001/04/xmlenc#sha512

You can configure the com.ibm.ws.wssecurity.dsig.DigestAlgorithm custom property from either the outbound signing information or inbound signing information.

To configure com.ibm.ws.wssecurity.dsig.DigestAlgorithm, complete the following steps in the admin console:

* Click Services > Service clients or Service providers
* Click the service_name > binding_name
* Click WS-Security > Authentication and protection
* Under either Request message signature and encryption protection or Response message signature and encryption protection, click the signature_message_part_reference.
* Add or update the com.ibm.ws.wssecurity.dsig.DigestAlgorithm custom property with one of the values shown above.
* Click OK
* Save

You can specify either the short name of the digest algorithm, such as sha512, or the full name, such as http://www.w3.org/2001/04/xmlenc#sha512. However, if you use a full name, it still must be one of the four supported algorithms listed above.

The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom property is also updated so that it can take the full name of its supported algorithms.

The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.15 and 9.0.0.9. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
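After changing the property, a captured outbound message can be checked to confirm that the ds:DigestMethod on each signed part matches the configured value. The following is an added example, not IBM code; it assumes the same value was configured for every signature message part reference, and the function names and the SOAP sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace

# Short name -> full URI: exactly the four values listed in this APAR.
SUPPORTED = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384": "http://www.w3.org/2001/04/xmlenc#sha384",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

def normalize(value):
    """Accept a short name or a full URI; return the full URI or raise.
    Exact-match comparison is an assumption of this example."""
    v = value.strip()
    if v in SUPPORTED:
        return SUPPORTED[v]
    if v in SUPPORTED.values():
        return v
    raise ValueError(f"unsupported digest algorithm: {value!r}")

def check_digests(soap_xml, configured):
    """Return (index, uri) for every ds:Reference whose digest differs."""
    want = normalize(configured)
    root = ET.fromstring(soap_xml)  # feed only captures you trust
    mismatches = []
    for i, ref in enumerate(root.iter(f"{{{DS_NS}}}Reference")):
        dm = ref.find(f"{{{DS_NS}}}DigestMethod")
        got = dm.get("Algorithm") if dm is not None else None
        if got != want:
            mismatches.append((i, got))
    return mismatches

# Constructed sample: a trimmed signature with two signed parts, the
# second of which still carries the sha1 digest from the policy suite.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Header>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#body"><ds:DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/></ds:Reference>
  <ds:Reference URI="#ts"><ds:DigestMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
 </ds:SignedInfo></ds:Signature></soap:Header><soap:Body/></soap:Envelope>"""

if __name__ == "__main__":
    print(check_digests(SAMPLE, "sha512"))
```

An empty result means every signed part uses the configured digest; any entry points at a part reference whose custom property was not set or not saved.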
Temporary fix
Comments
APAR Information
APAR number
PI95884
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-03-28
Closed date
2018-06-08
Last modified date
2018-06-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021