IBM Support

WebSphere Application Server NullPointerException and startup errors when FIPS is enabled on Java 8.0.6.25 and later

Troubleshooting


Problem

It is highly recommended to update to Java 8.0.6.35 at a minimum. Under certain conditions this update is required in order for the steps in this document to take effect, due to APAR IJ32845.
For versions of IBM Java 8.0.6.25 and later, with FIPS enabled on WebSphere, the server is not accessible with SSL/TLS.

Cause

This issue is known to occur with the 8.0.6.25 or later JDKs.
To work around it in WebSphere, disable the RSAPSS and RSASSA-PSS algorithms by adding them to the list of com.ibm.websphere.tls.disabledAlgorithms for the server.

Diagnosing The Problem

WebSphere checks whether FIPS is enabled only at startup. The check is not done continuously, so if FIPS is enabled during runtime, in application code, it's possible to see subsequent TLS exceptions and NullPointerExceptions. Review the thread stacks from the errors to determine if the server is attempting to use the RSAPSS or RSASSA-PSS algorithms.
NullPointerException errors can be reported in FFDC files or directly in the SystemOut.log. The handshake failure may also be recorded, but it could be a generic failure event, unlike this log:
[3/14/15 3:14:15:000 MST] FFDC Exception:java.lang.NullPointerException SourceId:com.ibm.ws.websvcs.transport.http.HTTPConnection.connect ProbeId:229 Reporter:com.ibm.ws.websvcs.transport.http.HTTPConnection@31415926
java.lang.NullPointerException
at com.ibm.crypto.fips.provider.RSAPSSSignature.b(Unknown Source)
at com.ibm.crypto.fips.provider.RSAPSSSignature.c(Unknown Source)
at com.ibm.crypto.fips.provider.RSAPSSSignature.engineSign(Unknown Source)
…
The FFDC files may only appear once, but repeat events will be logged in the servername_exception.log FFDC file, similar to this:
 Index  Count  Time of first Occurrence    Time of last Occurrence     Exception SourceId ProbeId
------+------+---------------------------+---------------------------+---------------------------
     0   9000    3/14/15 3:14:15:000 MST    3/14/15 6:28:00:000 MST java.lang.NullPointerException com.ibm.ws.ssl.channel.impl.SSLConnectionLink 238 /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_31415926_15.03.14_00.00.00.000000.txt
 

Follow the directions to apply RSAPSS, RSASSA-PSS entries to the disabledAlgorithms.

Resolving The Problem

Avoid Trouble: If you customized the com.ibm.websphere.tls.disabledAlgorithms property so that it is set with a value of "none", then instead of the following steps the only change needed is to append "RSAPSS, RSASSA-PSS" to the comma-separated list value of the jdk.tls.disabledAlgorithms property in the JAVA_HOME/jre/lib/security/java.security file.
  1. In standalone WebSphere Application Server environments, there's a good chance that the WebSphere Administrative Console is inaccessible when this issue occurs. To access the Administrative Console, first disable security by following the steps in this document.
  2. Next, obtain the current list of disabled algorithms in use from the logs. By default, WebSphere Application Server maintains an up-to-date list of algorithms that are disabled due to known vulnerabilities. To determine the current value of this list, check the server's SystemOut.log right after startup for a CWPKI0051I message like the following example:

    SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].  The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].

    Note: The list may be different depending on the WebSphere Application Server fixpack level, the contents of the java.security file, and the value of the com.ibm.websphere.tls.disabledAlgorithms property.
     
  3. Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
     
  4. If there is already a property defined with the name com.ibm.websphere.tls.disabledAlgorithms click it, and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
    -- OR --
    If the property is not defined, then click New... and create a property named com.ibm.websphere.tls.disabledAlgorithms with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended to the comma-separated list. For example, looking at the CWPKI0051I message documented in step 2, the new comma-separated list would be:
    SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS
  5. Click "OK" and save the changes.
    • If you disabled security, re-enable security from the Security > Global Security panel, then click OK and Save again.
  6. Synchronize any nodes if you are running a Network Deployment environment, and then restart the environment for the changes to take effect.
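
The following Python sketch is an added example, not IBM code. It confirms the RSAPSSSignature NullPointerException signature in a log, then derives the value for com.ibm.websphere.tls.disabledAlgorithms from the most recent CWPKI0051I message, as in steps 2 to 4. The sample log is constructed from the excerpts in this document (the timestamp and thread-id prefix on the CWPKI0051I line is an assumption), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log excerpts in this document.
SAMPLE_LOG = """\
[3/14/15 3:14:10:000 MST] 00000001 SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].  The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].
java.lang.NullPointerException
\tat com.ibm.crypto.fips.provider.RSAPSSSignature.b(Unknown Source)
\tat com.ibm.crypto.fips.provider.RSAPSSSignature.engineSign(Unknown Source)
"""

REQUIRED = ("RSAPSS", "RSASSA-PSS")

# Group 1: list found in the process; group 2: list WebSphere applies.
CWPKI0051I = re.compile(
    r"CWPKI0051I:.*?jdk\.tls\.disabledAlgorithms set to \[([^\]]*)\]"
    r".*?is setting the java security property "
    r"jdk\.tls\.disabledAlgorithms to \[([^\]]*)\]")

NPE_IN_RSAPSS = re.compile(
    r"java\.lang\.NullPointerException\s+"
    r"at com\.ibm\.crypto\.fips\.provider\.RSAPSSSignature\.")

def rsapss_npe_seen(log_text):
    """True if an NPE is thrown from the FIPS provider's RSAPSSSignature."""
    return bool(NPE_IN_RSAPSS.search(log_text))

def split_list(text):
    """Split on commas only, so entries like 'DH keySize < 768' stay whole."""
    return [entry.strip() for entry in text.split(",") if entry.strip()]

def effective_list(log_text):
    """List WebSphere applied, taken from the last CWPKI0051I message."""
    matches = CWPKI0051I.findall(log_text)
    if not matches:
        raise ValueError("no CWPKI0051I message found in the log text")
    return split_list(matches[-1][1])

def new_property_value(current):
    """Append RSAPSS and RSASSA-PSS, skipping entries already present."""
    missing = [alg for alg in REQUIRED if alg not in current]
    return ", ".join(list(current) + missing)

if __name__ == "__main__":
    if rsapss_npe_seen(SAMPLE_LOG):
        print(new_property_value(effective_list(SAMPLE_LOG)))
```

Because the last CWPKI0051I match is used, a log that spans several restarts yields the list from the most recent startup.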

Document Location

Worldwide


Document Information

Modified date:
29 March 2023

UID

ibm16422887