IBM Support

WS-Security Client and Provider sample bindings with SHA256 signature algorithms

Troubleshooting


Problem

WS-Security general bindings should be available to make it easier to avoid using the vulnerable SHA1 signature algorithms that are specification-required by the algorithm suites in the WS-Security policies.

Resolving The Problem

A new set of client and provider sample general bindings will be added to the application server with APAR PI58160 in fixpacks 7.0.0.43, 8.0.0.13, and 8.5.5.10:

  • Provider sample SHA256
    This binding is the same as the standard provider sample binding, except 1) it adds the SignatureAlgorithm custom property for the SHA256 signature algorithms to all the symmetric and asymmetric sign parts and 2) it contains the SAML Bearer token consumers. You should modify this binding to meet your security requirements before using it in a production environment.

  • Client sample SHA256
    This binding is the same as the standard client sample binding, except 1) it adds the SignatureAlgorithm custom property for the SHA256 signature algorithms to all the symmetric and asymmetric sign parts and 2) it contains the SAML Bearer token generators. You should modify this binding to meet your security requirements before using it in a production environment.

These new sample bindings will be available to new profiles created after a fixpack containing APAR PI58160 is installed.

Since these bindings use functionality that was added to WebSphere with APAR PM62842, these bindings are only applicable to fixpacks 7.0.0.25 and later, 8.0.0.4 and later, 8.5.0.1 and later and 8.5.5.0 and later. The bindings can be imported into profiles on application servers that are outside of these ranges. However, when either of the bindings is attached to a service in an out-of-range fixpack, a SHA1 signature algorithm will be applied to the signature in the SOAP Security header instead of a SHA256 algorithm.
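Because an out-of-range fixpack silently falls back to SHA1 even with the SHA256 binding attached, the only reliable confirmation is to inspect the signature that actually appears in the SOAP Security header. The following is an added example, not part of the IBM document or the WebSphere product: it parses a (constructed, fake-valued) signed SOAP 1.1 message, reads the ds:SignatureMethod Algorithm URI from the wsse:Security header, and classifies it as SHA1, SHA256 or other using the standard XML-DSig / RFC 4051 algorithm URIs. The namespace URIs are the standard ones; the sample message layout and values are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Standard namespaces of a WS-Security signed SOAP 1.1 message
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Signature algorithm URIs (XML-DSig core and RFC 4051 "xmldsig-more")
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

SHA1_ALGS = {RSA_SHA1, HMAC_SHA1, "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}
SHA256_ALGS = {RSA_SHA256, HMAC_SHA256}


def signature_algorithms(soap_xml):
    """Return the SignatureMethod Algorithm URI of every ds:Signature in the wsse:Security header."""
    root = ET.fromstring(soap_xml)
    path = "soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:SignatureMethod"
    return [sm.get("Algorithm", "") for sm in root.findall(path, NS)]


def classify(alg):
    """Map an algorithm URI to 'sha256', 'sha1' or 'other'."""
    if alg in SHA256_ALGS:
        return "sha256"
    if alg in SHA1_ALGS:
        return "sha1"
    return "other"


def check_message(soap_xml):
    """Return (ok, findings): ok is True only if the header carries at least one
    signature and every signature uses a SHA-256 algorithm."""
    algs = signature_algorithms(soap_xml)
    if not algs:
        return False, ["no ds:Signature found in the wsse:Security header"]
    findings = ["%s: %s" % (classify(a), a) for a in algs]
    return all(classify(a) == "sha256" for a in algs), findings


def sample_message(alg):
    """Constructed signed SOAP message with fake digest/signature values (demo input only)."""
    return """<soapenv:Envelope xmlns:soapenv="%s">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="%s">
      <ds:Signature xmlns:ds="%s">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="%s"/>
          <ds:Reference URI="#body">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>Y29uc3RydWN0ZWQtZGlnZXN0</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Y29uc3RydWN0ZWQtc2lnbmF0dXJl</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>""" % (NS["soapenv"], NS["wsse"], NS["ds"], alg)


# Constructed message with no Security header at all (the "nothing signed" failure mode)
UNSIGNED_MESSAGE = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header/>'
    '<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>' % NS["soapenv"]
)


if __name__ == "__main__":
    cases = [("in-range fixpack, SHA256 binding", RSA_SHA256),
             ("out-of-range fixpack, SHA1 fallback", RSA_SHA1)]
    for label, alg in cases:
        ok, findings = check_message(sample_message(alg))
        print("%-40s %s %s" % (label, "OK" if ok else "FAIL", findings))
    print("unsigned message:", check_message(UNSIGNED_MESSAGE))
```

In practice, feed check_message the request or response captured with WebSphere's web services trace or a network capture; a "sha1" finding after attaching the SHA256 binding is the symptom described above for a fixpack below the APAR PM62842 level.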

This document provides a copy of each of the new sample bindings that you can import into existing profiles on your application server. To import the bindings into an application server profile, perform the following steps:

    1. Download the Provider sample SHA256.zip and Client sample SHA256.zip files attached to this document
      • Ensure that the files are placed in a directory that is accessible to the browser on which you will run the administrative console.
    2. In the administrative console, navigate to Services > Policy sets
    3. Import the new provider general binding
      1. Click General provider policy set bindings > Import
      2. Click Browse
      3. Enter the fully-qualified path to the Provider sample SHA256.zip file that you downloaded from this document.
      4. Click Open, then OK
    4. Import the new client general binding
      1. Click General client policy set bindings > Import
      2. Click Browse
      3. Enter the fully-qualified path to the Client sample SHA256.zip file that you downloaded from this document.
      4. Click Open, then OK
    5. Click Save
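For administrators who need to repeat the import across many existing profiles, the same steps can be scripted with wsadmin. The following is an added example and not part of the IBM document; it uses the importBinding command of the AdminTask object and assumes the two zip files were saved to /tmp (the directory and the script file name are assumptions).

```jython
# Added example: wsadmin Jython equivalent of the console import steps above.
# Run from the profile's bin directory, e.g.:
#   wsadmin.sh -lang jython -f import_sha256_bindings.py
# Assumption: the two attachments were downloaded to /tmp.

import_dir = '/tmp'

# The binding name is taken from the contents of each zip file
zips = ['Provider sample SHA256.zip', 'Client sample SHA256.zip']

for name in zips:
    path = import_dir + '/' + name
    print 'Importing general binding from ' + path
    # Paths containing spaces must be quoted inside the parameter string
    AdminTask.importBinding('[-importFile "' + path + '"]')

# Persist the change to the master configuration (the console's Save step)
AdminConfig.save()
```

After the script completes, the two bindings appear under General provider policy set bindings and General client policy set bindings in the administrative console, where they should be reviewed and adjusted before any attachment is made.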

New WS-Security sample general bindings with SHA256:


Document Information

Modified date: 15 June 2018

UID: swg21978836