IBM Support

Hostname verification for WebSphere Application Server Traditional on z/OS

Abstract

Beginning with PH58798, WebSphere traditional performs hostname verification on the server certificates presented to it on outbound SSL/TLS connections.

Content

Fix
 
Once an interim fix or fix pack (e.g. 8.5.5.27, 9.0.5.21) containing PH58798 is applied, the WebSphere runtime automatically performs an additional verification check on server certificates.
When WebSphere acts as a TLS client (making outbound calls), the runtime now checks that the hostname used when establishing the connection matches a hostname value in the server certificate's Subject Alternative Name (SAN) or its Common Name (CN). A certificate that is otherwise valid (trusted issuer, within its validity period) is therefore rejected if it was not issued for the host being called; without this check a valid certificate issued for one host could be presented by any other host that obtained its private key.
 
Possible Side Effects
 
The changes introduced by PH58798 affect all outbound connections. With PH58798 applied, any outbound TLS connection can fail if the target host presents a certificate whose SAN and CN values do not match the hostname (or IP address) used to reach it. Potential areas of impact include intra-cell communication, outbound calls from a WebSphere server to another middleware server such as a database, and outbound calls from a web application running in a WebSphere server to another host. A typical trigger is a connection made by IP address, or by a short name, to a server whose certificate carries only its fully qualified hostname.
If the certificate does not contain the exact hostname, or one certificate is used for several hosts, the following sample RACF commands regenerate it with a Subject Alternative Name (SAN) that lists additional hostnames or an IP address.
 
Generating the personal certificate with the hostname as the common name.
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('BBOCELL')) WITHLABEL('DefaultWASCert.BBOCELL') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
 
Generating the personal certificate with an additional hostname NEW.HOST.NAME in the subject alternative name:
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('BBOCELL')) WITHLABEL('DefaultWASCert.BBOCELL') ALTNAME(DOMAIN('NEW.HOST.NAME')) SIGNWITH(CERTAUTH LABEL('WebSphereCA')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
Note that most TLS clients, including Java's JSSE, stop consulting the CN once a certificate carries a SAN dNSName entry; whether the WebSphere check falls back to the CN in that case is not stated here, so the safe choice is to list every name the server is reached by in ALTNAME rather than relying on the CN for HOST.NAME.
 
Generating the personal certificate with an IP address 1.2.3.4 in the subject alternative name:
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('BBOCELL')) WITHLABEL('DefaultWASCert.BBOCELL') ALTNAME(IP(1.2.3.4)) SIGNWITH(CERTAUTH LABEL('WebSphereCA')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
 
Generating the personal certificate with a wildcard ("*") subject alternative name covering one level of subdomain:
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('BBOCELL')) WITHLABEL('DefaultWASCert.BBOCELL') ALTNAME(DOMAIN('*.HOST.NAME')) SIGNWITH(CERTAUTH LABEL('WebSphereCA')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
A wildcard matches exactly one label: '*.HOST.NAME' covers SERVER1.HOST.NAME but neither HOST.NAME itself nor A.B.HOST.NAME, so hosts at those names still need their own entry.
 
Once the new certificate is generated, remove the old certificate from the keyring and connect the new one in its place. RACF requires certificate labels to be unique for a given user ID, so a GENCERT that reuses WITHLABEL('DefaultWASCert.BBOCELL') fails while the old certificate still exists under CONTRLID: either delete the old certificate first or generate the new one under a different label. Repeat this for the keyrings used by the Daemon, Deployment Manager, Node Agent, and Application Server control regions. Keyring contents are read when a server starts, so the affected servers must be restarted to pick up the new certificate.
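The full rotation sequence, as an added example that is not part of the IBM note: the keyring name WASKeyring.BBOCELL is an assumption (use the RING value your control regions are configured with), the certificate owner CONTRLID and the labels are those from the samples above, and the /* ... */ lines are annotations rather than commands. The replacement certificate deliberately repeats the CN hostname in ALTNAME so that a client which ignores the CN once a SAN is present still accepts it.

```tso
/* 1. Show what is connected to the ring today and which entry is DEFAULT. */
RACDCERT ID(CONTRLID) LISTRING(WASKeyring.BBOCELL)

/* 2. Detach the old certificate from the ring, then delete it, so the
      label can be reused (labels must be unique per user ID).         */
RACDCERT ID(CONTRLID) REMOVE(ID(CONTRLID) LABEL('DefaultWASCert.BBOCELL') RING(WASKeyring.BBOCELL))
RACDCERT ID(CONTRLID) DELETE(LABEL('DefaultWASCert.BBOCELL'))

/* 3. Generate the replacement, listing the CN hostname in the SAN as well. */
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('BBOCELL')) WITHLABEL('DefaultWASCert.BBOCELL') ALTNAME(DOMAIN('HOST.NAME')) SIGNWITH(CERTAUTH LABEL('WebSphereCA')) SIZE(2048) NOTAFTER(DATE(2030/12/30))

/* 4. Connect it to the ring as the default (server) certificate. */
RACDCERT ID(CONTRLID) CONNECT(ID(CONTRLID) LABEL('DefaultWASCert.BBOCELL') RING(WASKeyring.BBOCELL) DEFAULT)

/* 5. If DIGTCERT/DIGTRING are RACLISTed, refresh; then confirm the ring
      and inspect the new certificate's subject and SAN before restarting. */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
RACDCERT ID(CONTRLID) LISTRING(WASKeyring.BBOCELL)
RACDCERT ID(CONTRLID) LIST(LABEL('DefaultWASCert.BBOCELL'))
```

Run the same sequence against each control region's keyring (Daemon, Deployment Manager, Node Agent, Application Server), then restart those servers; the LIST output in step 5 should show the SAN entries you expect before any server is restarted.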


New Properties
 
A new collection of properties can be used to configure or disable the hostname verification behavior.  These properties can be configured as Global Security Custom Properties, which apply to the entire cell.  The properties can be configured for clients (for example wsadmin and other scripting tools) in the ssl.client.props file.   
Note that for Network Deployment environments, the syncNode script must be used to synchronize each node after the property is applied to the Deployment Manager.
Property: com.ibm.ssl.verifyHostname
  Values: true (default), false
  Description: Setting to false disables all hostname verification behavior introduced by this APAR.

Property: com.ibm.ssl.skipHostnameVerificationForHosts
  Values: comma-separated list
  Description: A comma-separated list of hostnames or IP values. A connection is accepted when any listed value is present in the target server's certificate, even though it does not match the hostname used for the connection.
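To make the check and the two properties concrete, the following is an added example (not WebSphere code) that models the client-side decision described under "Fix" and "New Properties". Certificate identities are a small dataclass rather than a parsed X.509 certificate, and the matching rules are those of RFC 6125 as Java's JSSE implements them: an IP target must appear as a SAN iPAddress entry, a hostname target is matched against SAN dNSName entries with the CN consulted only when no dNSName is present, and a wildcard replaces exactly one left-most label. The CN fallback rule is an assumption about the WebSphere runtime, which the note does not spell out. The sample certificates mirror the RACDCERT examples above and are constructed for this example.

```python
"""Model of the client-side hostname check PH58798 adds (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class CertIdentity:
    """Names a server certificate claims: Subject CN plus SAN entries."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName entries
    ip_addrs: List[str] = field(default_factory=list)    # SAN iPAddress entries


def _norm(name: str) -> str:
    """Case-fold a DNS name and drop a trailing dot; canonicalise IP literals."""
    name = name.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: exact, or a '*' standing in for one left-most label."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole first label, must be followed by at least
    # two labels, and every remaining label must agree one for one.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: CertIdentity, target: str) -> bool:
    """True if the certificate was issued for `target` (hostname or IP)."""
    target = _norm(target)
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:                                   # IP targets need a SAN iPAddress
        return any(_norm(a) == target for a in cert.ip_addrs)
    if cert.dns_names:                          # SAN dNSName present: CN ignored (assumption)
        return any(_dns_match(p, target) for p in cert.dns_names)
    return cert.common_name is not None and _dns_match(cert.common_name, target)


def verify_hostname(cert: CertIdentity, target: str,
                    verify: bool = True, skip_for_hosts: str = "") -> bool:
    """Decision with the two custom properties applied.

    `verify` models com.ibm.ssl.verifyHostname; `skip_for_hosts` models
    com.ibm.ssl.skipHostnameVerificationForHosts: its entries are accepted
    when present in the server's certificate, whichever host was dialled.
    """
    if not verify:
        return True
    if cert_matches_host(cert, target):
        return True
    allowed = {_norm(h) for h in skip_for_hosts.split(",") if h.strip()}
    presented = {_norm(n) for n in cert.dns_names} | {_norm(a) for a in cert.ip_addrs}
    if cert.common_name:
        presented.add(_norm(cert.common_name))
    return bool(allowed & presented)


# Constructed certificates mirroring the RACDCERT samples in the note.
CN_ONLY = CertIdentity("HOST.NAME")
SAN_NEW = CertIdentity("HOST.NAME", dns_names=["NEW.HOST.NAME"])
SAN_BOTH = CertIdentity("HOST.NAME", dns_names=["HOST.NAME", "NEW.HOST.NAME"])
SAN_IP = CertIdentity("HOST.NAME", ip_addrs=["1.2.3.4"])
WILDCARD = CertIdentity("HOST.NAME", dns_names=["*.HOST.NAME"])

if __name__ == "__main__":
    cases = [(CN_ONLY, "host.name"), (SAN_NEW, "HOST.NAME"), (SAN_BOTH, "HOST.NAME"),
             (SAN_IP, "1.2.3.4"), (WILDCARD, "SERVER1.HOST.NAME"), (WILDCARD, "A.B.HOST.NAME")]
    for cert, target in cases:
        names = cert.dns_names or cert.ip_addrs or [cert.common_name]
        print(f"{target:20} vs {', '.join(names):28} -> {verify_hostname(cert, target)}")
```

The SAN_NEW case is the one to watch: a certificate regenerated with ALTNAME(DOMAIN('NEW.HOST.NAME')) alone still fails for a client that dials HOST.NAME under these rules, which is why listing every name in the SAN is the safer regeneration. The skip-list path shows what com.ibm.ssl.skipHostnameVerificationForHosts actually relaxes: any connection to any host is accepted as long as the presented certificate contains a listed value, so keep the list short and specific rather than using it as a blanket exception.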


Document Information

Modified date:
14 August 2024

UID

ibm17165413