IBM Support

PH56482: WebSphere WS-Security sample keystores are expired

Abstract

The WS-Security sample keys and certificates that are shipped with WebSphere Application Server v855 and v9 expired on 8/7/2023 and 8/8/2023.

Download Description

PH56482 resolves the following problem:

ERROR DESCRIPTION:
The WS-Security sample keys and certificates that are shipped with WebSphere Application Server v855 and v9 expired on 8/7/2023 and 8/8/2023.

The following WS-Security sample keystore and certificate files are affected:
dsig-sender.ks
dsig-receiver.ks
enc-sender.ks
enc-receiver.ks
intca2.cer


An error like the following is logged when one of the expired keys or certificates is used:
CWWSS6521E: The Login failed because of an exception:
javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException:
CWWSS5181E: The following certificate, which is owned by CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP with the soaprequester alias from the
c:\was90517\WebSphere\AppServer\profiles\AppSrv01/etc/ws-security/samples/dsig-sender.ks keystore, has expired:
java.security.cert.CertificateExpiredException: NotAfter: Tue Aug 08 12:46:30 CDT 2023 ocurred while running action:
com.ibm.ws.wssecurity.handler.WSSecurityGeneratorHandler$2@10737d36
 
The signing certificates and encryption keys that are replaced by this interim fix are used in the JAX-WS and JAX-RPC Web Services Default Bindings for Web Services Security. They are provided for testing and example purposes only and should not be used on production systems.

If you are using the WS-Security sample keys or certificates in production, your services are at risk. See https://www.ibm.com/support/pages/node/7025379 for instructions for remediation.

LOCAL FIX:
See https://www.ibm.com/support/pages/node/7025379

PROBLEM SUMMARY

USERS AFFECTED:
All users of IBM WebSphere Application Server

RECOMMENDATION:
If you are using the keys and certificates in production, follow the instructions on https://www.ibm.com/support/pages/node/7025379. Otherwise, install a fix pack or interim fix that contains this APAR.

PROBLEM CONCLUSION:
The WS-Security sample keystores are replaced with new keystores with the same name. The new keystores have new keys and certificates that expire in 2080.

When this interim fix is installed, the keystores are updated in the following directory:
(WAS_HOME)/etc/ws-security/samples


The following files are replaced:
dsig-receiver.ks
dsig-sender.ks
enc-receiver.jceks
enc-sender.jceks
intca2.cer
Since the keystores that are located in existing profiles might be updated after creation, the keystores in existing profiles are not replaced.
To replace the keystores in a profile, you must copy the keystores from the (WAS_HOME)/etc/ws-security/samples directory to the following directory:
(PROFILE_ROOT)/etc/ws-security/samples
This interim fix does not replace the keystore files in the profileTemplates directory. Therefore, when new profiles are created, the new keystores are not used.
If you want new profiles to use the new keystores, you must copy the keystores from the (WAS_HOME)/etc/ws-security/samples directory to the following directory:
(WAS_HOME)/profileTemplates/default/documents/etc/ws-security/samples
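
The two copy steps above, as an added shell example that is not part of the APAR or IBM tooling: it copies the sample files into a target directory and keeps a backup of any target file that differs, since profile keystores may have been changed after creation. It assumes every *.ks, *.jceks and *.cer file in the source samples directory is one of the replaced sample files; the names sync_samples and SYNC_REPLACED and the .bak-<timestamp> suffix are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Arguments are the real paths that correspond to
# the (WAS_HOME)/... and (PROFILE_ROOT)/... placeholders in the APAR text.

# sync_samples SRC DST
#   Copies every *.ks, *.jceks and *.cer file from SRC into DST.
#   Assumption: all files with those extensions in SRC are sample files.
#   A DST file whose content differs from SRC is first saved as
#   <name>.bak-<timestamp> so a locally modified keystore is not lost.
#   Sets SYNC_REPLACED to the number of files written.
#   Returns 0 on success, 1 on a copy failure, 2 if a directory is missing.
sync_samples() {
    src=$1
    dst=$2
    SYNC_REPLACED=0
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 2; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$src"/*.ks "$src"/*.jceks "$src"/*.cer; do
        [ -f "$f" ] || continue              # glob with no match stays literal
        name=$(basename "$f")
        if [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name"; then
            echo "current   $dst/$name"      # already the new file, leave it
            continue
        fi
        if [ -f "$dst/$name" ]; then
            # Keep the old or customized copy for review before overwriting.
            cp -p "$dst/$name" "$dst/$name.bak-$stamp" || return 1
        fi
        cp -p "$f" "$dst/$name" || return 1
        SYNC_REPLACED=$((SYNC_REPLACED + 1))
        echo "replaced  $dst/$name"
    done
    return 0
}

# Stand-alone use: sh sync_samples.sh <source samples dir> <target samples dir>
if [ "$#" -eq 2 ]; then
    sync_samples "$1" "$2"
fi
```

Run it once per existing profile with (WAS_HOME)/etc/ws-security/samples as the source and (PROFILE_ROOT)/etc/ws-security/samples as the target, then once with the profileTemplates path as the target. Review any .bak file it leaves behind, because a backup means the profile copy was not identical to the new sample file.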
 
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.25 and 9.0.5.18. For more information, see Recommended Updates for WebSphere Application Server: https://www.ibm.com/support/pages/node/715553

Prerequisites

None

Download Package

 
IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. 

A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.

DOWNLOAD                        RELEASE DATE       SIZE(Bytes)  URL
9.0.0.0-WS-WASProd-IFPH56482    09 November 2023   266659       FC
8.5.5.13-WS-WASProd-IFPH56482   09 November 2023   244304       FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH56482

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
08 December 2023

UID

ibm17074520