Fixes are available
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
You can get the CWWSS7542E error message in Web Services Security SAML when the DN of the signer certificate that signed the SAML assertion does not match sso_<id>.idp_<id>.allowedIssuerDN. CWWSS7542E: The [{0}] SAML issuer name or signer SubjectDN of the certificate are not trusted. This message implies that the Issuer element in the SAML Assertion is incorrect, not that the signer certificate is incorrect.
Local fix
Add the subjectDN of the certificate as a trustedSubjectDN.
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security enabled web services            *
*                  applications and SAML                       *
****************************************************************
* PROBLEM DESCRIPTION: More diagnostics are required when      *
*                      trustedIssuer and/or trustedSubjectDN   *
*                      validation fails in WS-Security         *
*                      SAML                                    *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
*                 APAR.                                        *
****************************************************************

In WS-Security SAML, when the trustedIssuer and/or trustedSubjectDN validation fails, the error message that is emitted does not give enough information to resolve the issue:

1) The SubjectDN name isn't in the error message.
2) The error message doesn't say whether Issuer validation, SubjectDN validation, or Issuer/SubjectDN pair validation failed.
Problem conclusion
The error handling in the trustedIssuer and trustedSubjectDN processing in the WS-Security SAML code is updated to produce messages that are more useful.

==========================================
The CWWSS7542E message is updated to add an insert for the name of the SubjectDN:

CWWSS7542E: The [{0}] SAML issuer name or [{1}] signer SubjectDN of the certificate are not trusted.

==========================================
The following messages are added:

CWWSS8044E: The allowed issuer validation failed for the [{0}] SAML issuer name and the [{1}] Subject DN of the signer certificate. The SAML issuer and Subject DN are part of a pair so both must be trusted.

CWWSS8045E: The Subject DN [{0}] of the signer certificate in the SAML Assertion is not trusted.

CWWSS8046E: The Issuer name [{0}] in the SAML Assertion is not trusted.

CWWSS8047E: The signer certificate is not available. Either the SAML Assertion was not signed or it was not required to be signed. Ensure that the [{0}] custom property is set to true.

==========================================
The following existing messages are also used:

CWSML7003E: The [{0}] attribute on the Assertion element is missing or empty.

CWSML7029E: An X.509 certificate was not obtained from the KeyInfo element in the Security Assertion Markup Language (SAML) assertion, so trust cannot be evaluated. Either use a KeyInfo method that yields a usable X.509 certificate or turn off trust validation. The supported methods are [{0}].

==========================================
Instead of just CWWSS7542E, the main error message that you will see in SystemOut.log or a trace for the trustedIssuer/trustedSubjectDN validation errors will be CWWSS7542E, CWWSS8044E, CWWSS8045E or CWWSS8046E. The message is attached to an exception. The exception may have a cause attached to it that you can see in the call stack (either in a SystemOut.log, FFDC or trace). For instance, consider the following scenarios:

==========================================
trustedIssuer_1=com.ibm.whatever
(Receive a SAML with Issuer=com.ibm.abc)

CWWSS8046E: The Issuer name [com.ibm.abc] in the SAML Assertion is not trusted.

==========================================
trustedSubjectDN_1=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
(Receive a SAML signed by N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US)

CWWSS8045E: The Subject DN [N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US] of the signer certificate in the SAML Assertion is not trusted.

==========================================
trustedIssuer_1=com.ibm.whatever
(Receive a SAML with no Issuer)

CWWSS8046E: The Issuer name [] in the SAML Assertion is not trusted.
caused by
CWSML7003E: The [Issuer] attribute on the Assertion element is missing or empty.

==========================================
trustedIssuer_1=com.ibm.whatever
trustedSubjectDN_2=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
(Receive a SAML with no Issuer and not signed)

CWWSS7542E: The [] SAML issuer name or [] signer SubjectDN of the certificate are not trusted.
caused by
CWSML7003E: The [Issuer] attribute on the Assertion element is missing or empty.
CWWSS8047E: The signer certificate is not available. Either the SAML Assertion was not signed or it was not required to be signed. Ensure that the [signatureRequired] custom property is set to true.

==========================================
trustedSubjectDN_1=N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US
trustedIssuer_2=com.ibm.whatever
trustedSubjectDN_2=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
(Receive a SAML with Issuer=com.ibm.whatever, signed by N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US)

CWWSS8044E: The allowed issuer validation failed for the [com.ibm.whatever] SAML issuer name and the [N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US] Subject DN of the signer certificate. The SAML issuer and Subject DN are part of a pair so both must be trusted.
caused by
CWWSS8045E: The Subject DN [N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US] of the signer certificate in the SAML Assertion is not trusted.

Notice that, although "N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US" is trusted on its own (trustedSubjectDN_1), the Issuer "com.ibm.whatever" is part of a trusted pair. This means that when the Issuer is "com.ibm.whatever", the SubjectDN must be "N=whatever, OU=AIM, O=IBM, ST=TX, C=US".

==========================================
Following are the explanation and action for CWWSS8044E:

Explanation: The Issuer name and the Subject DN shown in the message are part of a trusted pair in the SAML token consumer configuration. A trusted pair is [trustedIssuer_n] and [trustedSubjectDN_n] where n is the same number. Either the Issuer name in the token is part of a pair and the Subject DN of the signer certificate doesn't match its pair, or the other way around. The Issuer or Subject DN that is not trusted will be added as a cause to this message and will be visible in the FFDC logs.

Action: Do one of the following:
1) Ensure that the SAML token contains the Issuer name shown in the message and is signed with a certificate that has the Subject DN shown in the message.
2) Change the [trustedIssuer_n] [trustedSubjectDN_n] pair in the SAML token consumer configuration to be the Issuer name and the Subject DN of the signer certificate of the SAML token.
3) Remove the pair association of [trustedIssuer_n] [trustedSubjectDN_n] in your SAML token consumer by changing the 'n' to different numbers for each custom property.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.43, 8.0.0.14, 8.5.5.12 and 9.0.0.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
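The pairing rule above (trustedIssuer_n and trustedSubjectDN_n with the same n must match together, while an unpaired property is checked on its own) is easy to get wrong when reading an FFDC. The following Python model is an added example, not IBM's code: it reproduces the message codes and cause chains for the scenarios listed in this APAR so that an administrator can predict which CWWSS message a given consumer configuration will produce. The function names (`parse_trust_config`, `validate_saml_trust`) are invented here, and one assumption is drawn from the scenarios rather than stated on the page: a dimension with no configured value at all (no trustedIssuer_n, or no trustedSubjectDN_n) is treated as unrestricted.

```python
"""Model of trustedIssuer_n / trustedSubjectDN_n validation (APAR PI69720).

Constructed example; not WebSphere's implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Message texts as listed in the APAR; {0}/{1} are the message inserts.
MESSAGES = {
    "CWWSS7542E": "The [{0}] SAML issuer name or [{1}] signer SubjectDN of the "
                  "certificate are not trusted.",
    "CWWSS8044E": "The allowed issuer validation failed for the [{0}] SAML issuer "
                  "name and the [{1}] Subject DN of the signer certificate. The "
                  "SAML issuer and Subject DN are part of a pair so both must be trusted.",
    "CWWSS8045E": "The Subject DN [{0}] of the signer certificate in the SAML "
                  "Assertion is not trusted.",
    "CWWSS8046E": "The Issuer name [{0}] in the SAML Assertion is not trusted.",
    "CWWSS8047E": "The signer certificate is not available. Either the SAML Assertion "
                  "was not signed or it was not required to be signed. Ensure that "
                  "the [signatureRequired] custom property is set to true.",
    "CWSML7003E": "The [Issuer] attribute on the Assertion element is missing or empty.",
}


@dataclass(frozen=True)
class Outcome:
    code: Optional[str]     # None means the issuer/signer combination is trusted
    causes: tuple = ()      # codes of the exceptions chained as "caused by"
    text: str = ""


def parse_trust_config(props: dict) -> dict:
    """Group trustedIssuer_n / trustedSubjectDN_n custom properties by n."""
    entries = {}
    for key, value in props.items():
        name, _, n = key.rpartition("_")
        if name not in ("trustedIssuer", "trustedSubjectDN") or not n.isdigit():
            continue
        issuer, dn = entries.get(n, (None, None))
        entries[n] = (value, dn) if name == "trustedIssuer" else (issuer, value)
    return entries


def validate_saml_trust(props: dict, issuer: Optional[str],
                        signer_dn: Optional[str]) -> Outcome:
    """Return the message an unsatisfied trust check would raise, or Outcome(None)."""
    entries = parse_trust_config(props)
    trusted_issuers = {i for i, _ in entries.values() if i}
    trusted_dns = {d for _, d in entries.values() if d}

    # Assumption (from the APAR scenarios): nothing configured -> not checked.
    issuer_ok = not trusted_issuers or (bool(issuer) and issuer in trusted_issuers)
    dn_ok = not trusted_dns or (bool(signer_dn) and signer_dn in trusted_dns)
    issuer_cause = ("CWSML7003E",) if not issuer else ()   # missing/empty Issuer
    dn_cause = ("CWWSS8047E",) if not signer_dn else ()    # unsigned assertion
    shown_issuer, shown_dn = issuer or "", signer_dn or ""

    if not issuer_ok and not dn_ok:
        return Outcome("CWWSS7542E", issuer_cause + dn_cause,
                       MESSAGES["CWWSS7542E"].format(shown_issuer, shown_dn))
    if not issuer_ok:
        return Outcome("CWWSS8046E", issuer_cause,
                       MESSAGES["CWWSS8046E"].format(shown_issuer))
    if not dn_ok:
        return Outcome("CWWSS8045E", dn_cause,
                       MESSAGES["CWWSS8045E"].format(shown_dn))

    # Both values are individually trusted; now enforce the pair rule.
    pairs = {(i, d) for i, d in entries.values() if i and d}
    if (issuer, signer_dn) in pairs:
        return Outcome(None)
    if any(i == issuer for i, _ in pairs):      # issuer is paired with another DN
        return Outcome("CWWSS8044E", ("CWWSS8045E",),
                       MESSAGES["CWWSS8044E"].format(issuer, signer_dn))
    if any(d == signer_dn for _, d in pairs):   # DN is paired with another issuer
        return Outcome("CWWSS8044E", ("CWWSS8046E",),
                       MESSAGES["CWWSS8044E"].format(issuer, signer_dn))
    return Outcome(None)                        # both unpaired and both trusted


if __name__ == "__main__":
    # Constructed inputs mirroring the APAR's last scenario.
    cfg = {"trustedSubjectDN_1": "N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US",
           "trustedIssuer_2": "com.ibm.whatever",
           "trustedSubjectDN_2": "N=whatever, OU=AIM, O=IBM, ST=TX, C=US"}
    out = validate_saml_trust(cfg, "com.ibm.whatever",
                              "N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US")
    print(out.code, out.text)
    for c in out.causes:
        print("caused by", c)
```

Running the module prints CWWSS8044E caused by CWWSS8045E for the last scenario on the page, which is the case that surprises people: the signer DN is trusted under trustedSubjectDN_1, but because the received Issuer belongs to pair 2, only pair 2's DN is acceptable. Action 3 from the explanation (renumbering so the two properties no longer share an n) makes the same input return Outcome(None) in this model.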
Temporary fix
Comments
APAR Information
APAR number
PI69720
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-26
Closed date
2016-12-13
Last modified date
2016-12-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022