Download
Abstract
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime
Download Description
PM12973 resolves the following problem:
ERROR DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, the trust validation will fail.
LOCAL FIX:
na
PROBLEM SUMMARY
USERS AFFECTED:
IBM WebSphere Application Server V7.0 users of WS-Security-enabled JAX-WS applications
PROBLEM DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime
RECOMMENDATION:
Apply an iFix or fix pack that includes this APAR.
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, the trust validation will fail.
Applications may require the ability to reload a trust store during runtime.
PROBLEM CONCLUSION:
The trust store is a keystore. JAX-WS WS-Security does not detect changes to any keystore while the application server is running. For performance reasons, keystores are cached in memory when each application is started. The cache is shared among applications, so if a single application is stopped, its keystore(s) remain in the cache.
The WS-Security custom property is added:
com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure
If com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure is set to true and a trust validation failure occurs, the WS-Security runtime reloads its configured trust store from disk and retries the trust validation exactly once. If the second attempt also fails, the trust validation failure is returned.
The reloaded trust store is used for that single re-validation attempt only. The keystore object in the cache is not replaced, because of concurrency concerns.
Valid values for this property are true and false. It defaults to false.
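The following is an added illustration of the retry-once semantics described above, written in plain Java against the standard JCA certificate-path API. It is not WebSphere's own WS-Security code: the class name, method names, the constructor flag that stands in for the custom property, and the trust store path are all assumptions. It shows the two points the APAR text makes: the cached keystore object is never replaced, and a fresh copy loaded from disk is used for one retry only.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not WebSphere code): models the behaviour of the
 * retryOnceAfterTrustFailure property for an X.509 token consumer.
 * Class and method names are assumptions chosen for illustration.
 */
public final class RetryOnceTrustValidator {

    private final String trustStorePath;          // assumed: path to a JKS or PKCS12 trust store
    private final char[] trustStorePassword;
    private final boolean retryOnceAfterTrustFailure; // stands in for the custom property
    private final KeyStore cachedTrustStore;       // loaded once at startup, shared, never replaced

    public RetryOnceTrustValidator(String path, char[] password, boolean retryOnce)
            throws GeneralSecurityException, IOException {
        this.trustStorePath = path;
        this.trustStorePassword = password;
        this.retryOnceAfterTrustFailure = retryOnce;
        this.cachedTrustStore = loadTrustStore();  // the in-memory cache from the APAR text
    }

    /** Reads the trust store from disk; a new certificate added after startup is visible here. */
    private KeyStore loadTrustStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        return ks;
    }

    /** PKIX path validation of the presented chain against one specific trust store. */
    private static void validate(X509Certificate[] chain, KeyStore trustStore)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustStore); // trust anchors = store's trusted certs
        params.setRevocationEnabled(false); // revocation checking is outside the scope of this example
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /**
     * First attempt uses the cached trust store. On failure, and only when the
     * property is enabled, a fresh copy is loaded and used for a single retry.
     * The cached object is left untouched either way.
     */
    public void validateTrust(X509Certificate[] chain) throws GeneralSecurityException, IOException {
        try {
            validate(chain, cachedTrustStore);
        } catch (GeneralSecurityException firstFailure) {
            if (!retryOnceAfterTrustFailure) {
                throw firstFailure;            // default (false): the original failure is returned
            }
            KeyStore fresh = loadTrustStore(); // used for this one attempt; cache is not replaced
            validate(chain, fresh);            // a second failure propagates to the caller
        }
    }
}
```

A caller that wants to exercise this would construct the validator once with the same path and password as the production trust store, add a new trusted certificate to the file on disk, and then call validateTrust with a chain issued by that certificate: with the flag false the call fails, with it true the retry succeeds while the cached object still lacks the new entry. Note that every retry costs a full read of the trust store, so the property trades a disk read per trust failure for the ability to add certificates without a restart.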
This property is set as a custom property on the Callback handler for an X.509, PKIPath, or PKCS#7 token consumer. The following path can be used to set the property in the administrative console:
(bindingName) -> WS-Security -> Authentication and protection -> (tokenName) -> Callback handler
For an application using the WS-Security WSS API, the property can also be set on the Callback handler for the token consumers listed above.
The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.13. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24026802