PI49893: Allow certificate validation to be disabled

8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

APAR status

• Closed as program error.

Error description

• Certificate validation based upon strict security from RFC5280
  may indicate errors that were previously unnoticed.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:  IBM WebSphere Application Server web        *
  *                  server plugin users                         *
  ****************************************************************
  * PROBLEM DESCRIPTION: After APAR PI39126 (8.5.5.7,            *
  *                      8.0.0.12, 9.0.0.0), the WAS WebServer   *
  *                      Plugin uses modern defaults for         *
  *                      SSL/TLS processing. This includes       *
  *                      disabling legacy protocols, ciphers,    *
  *                      and certificate validation. This may    *
  *                      cause problems if WAS has been          *
  *                      explicitly configured to use only       *
  *                      weak/export ciphers, or has been        *
  *                      configured with a certificate chain     *
  *                      that does not meet contemporary         *
  *                      standards.                              *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  Errors with certificates may be indicated which previously
  were not indicated. This is because strict security based upon
  RFC 5280 is now enforced by default.
  

Problem conclusion

• Problems seen fall into the following certificate processing
  related categories (See RFC5280 for complete details):
  
  BasicConstraints extension: All certificates used to validate
  digital signatures (AKA issuers, signers, or CA's) must
  contain a BasicConstraints extension with the "criticality"
  field set to TRUE.
  
  CertificatePolicies extension: The CertificatePolicies
  extension must be RFC5280 conformant across the certificate
  chain. The algorithm is quite complex, but in a simplifed form
  an intermediate signer cannot assert policies not also
  asserted by its own signer.
  
  The certificate validation changes introduced in PI39126 can be
  disabled, by setting the WAS Plugin custom property
  "certificate_validation_strict_rfc5280=false" on the Plugin
  Custom Properties panel.
  
  The fix for this APAR is included in fix pack 8.0.0.12 and
  8.5.5.8.  Please refer to the Recommended Updates page for
  delivery information:
  http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
  
  The custom property can be set during plugin configuration
  generation in 8.5.5.8, 8.0.0.12 or 7.0.0.41 but the version 7
  plugin runtime will not recognize the property (this is added
  to v7 to allow v8 or v855 configurations to be generated).
  
  WebSphere is required to be at the specified level for the
  custom property to be placed in the generated plugin-cfg.xml
  file. The plugin module residing on the web server MUST be at
  the specified level for the custom property to have the
  desired effect.
  
  The property can manually be added to the configuration
  post-generation to avoid upgrading WebSphere. If the property
  is manually added to the plugin configuration file, it must be
  placed within the "Config" tag. For example:
  <Config ... certificate_validation_strict_rfc5280="false" ... >
  (... represents other properties which may be present within
  the Config tag)
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBSPHERE APP S

• Fixed component ID

  5724J0800

Applicable component levels

• R800 PSY

     UP

• R850 PSY

     UP