IBM Support

PI09785: EXPORTED WS-SECURITY POLICY BINDINGS WITH ENCRYPTED PASSWORDS MAY BE UNUSABLE

Fixes are available

8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

APAR status

  • Closed as program error.

Error description

  • A general policy binding is exported from an application
    server that has custom password encryption.  That general
    binding is then imported into another application server.
    When the binding is attached to and used by a JAX-WS
    application, an error similar to the following occurs:
    
    CWWSS7315E: Caught an exception attempting to create default
    configuration objects.  The following exception occurred:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    CWWSS5003E: The
    /WebSphere/AppServer/profiles/etc/ws-security/samples/ key
    store cannot be read because an IOException error occurred.:
    java.io.IOException: Keystore was tampered with, or password
    was incorrect.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All administrators of IBM WebSphere         *
    *                  Application Server                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: WS-Security policy bindings exported    *
    *                      with encrypted passwords cannot be      *
    *                      imported                                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    If the application server that is importing the binding does
    not have custom password encryption enabled, or if its password
    encryption algorithm or decryption keys are different, the
    passwords in the imported WS-Security bindings will be
    unusable.  The only way to fix the issue is to find all the
    passwords in the binding and update them manually with the
    administrative console.
    

Problem conclusion

  • The admin task that exports the WS-Security bindings just
    exports the files as they appear on the disk, so passwords
    that are encrypted on disk are exported in encrypted form.
    
    The admin task that exports the WS-Security bindings is
    updated to allow a WS-Security bindings.xml file with
    encrypted passwords to be exported using XOR encoded passwords
    instead.  This will allow an application server that imports
    the bindings to read and use the passwords successfully.
    
    In order to be able to export encrypted passwords as encoded
    passwords, the following JVM system property must be set to
    true on the application server or wsadmin at startup:
    
    com.ibm.ws.policyset.exportEncodedPasswords=true
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.37, 8.0.0.10, and 8.5.5.5.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
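
    The manual step named in the problem summary (finding every
    password in the binding) can be scripted as a pre-import check.
    The following is an added example, not IBM code: it lists each
    tagged password attribute in a bindings.xml and flags those that
    are not XOR encoded.  The sample XML, its element and attribute
    names, and the alias SiteCrypto are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: element and attribute names are illustrative
# assumptions, not copied from a real exported bindings.xml.
SAMPLE_BINDINGS = """<bindings>
  <securityBinding name="application">
    <keyStore path="sender.ks" type="JKS" storepass="{xor}LCswLTovPiws"/>
    <key alias="signer" keypass="{custom:SiteCrypto}Q09OU1RSVUNURUQ="/>
    <basicAuth userid="svc" password="{custom:SiteCrypto}U0FNUExF"/>
  </securityBinding>
</bindings>"""

# WebSphere stores passwords as "{tag}payload": "{xor}" is the default
# encoding, "{custom:<alias>}" marks custom password encryption.
TAGGED = re.compile(r"^\{([^}]+)\}")

def audit_bindings(xml_text):
    """Return (location, tag) for every attribute holding a tagged password."""
    findings = []

    def walk(elem, path):
        here = path + "/" + elem.tag.split("}")[-1]  # drop any XML namespace
        for attr, value in sorted(elem.attrib.items()):
            match = TAGGED.match(value)
            if match:
                findings.append((here + "/@" + attr, match.group(1)))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

def unusable_on_import(findings):
    """Locations whose password is not XOR encoded, so a server without the
    same encryption algorithm and keys cannot read it after import."""
    return [loc for loc, tag in findings if tag.lower() != "xor"]

if __name__ == "__main__":
    results = audit_bindings(SAMPLE_BINDINGS)
    for loc, tag in results:
        print(f"{tag:<20} {loc}")
    bad = unusable_on_import(results)
    print("re-export or reset manually:" if bad else "all XOR encoded", bad)
```

    XOR encoding is reversible without a key, so a bindings file
    exported with this property set should be stored and transferred
    as if it held the passwords in clear text.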
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI09785

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-01-16

  • Closed date

    2014-10-09

  • Last modified date

    2014-10-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI09785

Modified date: 09 October 2014