IBM Support

PI38151: THROW EXCEPTION IF RECEIVE UNSUPPORTED KEYINFO IN SAML

APAR status

  • Closed as program error.

Error description

  • Although the main wssecurity runtime supports many KeyInfo
    types in a signature, the SAML runtime only supports a subset.
    A usable exception should be thrown when a KeyInfo is received
    that is not supported.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of WS-Security enabled web   *
    *                  services applications and SAML              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A usable error should be emitted when   *
    *                      a KeyInfo that is not valid is in a     *
    *                      SAML assertion                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The SAML runtime processes SAML assertions for both
    WS-Security and SAML Web Single Sign-On (SSO).  When the SAML
    runtime encounters a KeyInfo in the assertion that it cannot
    process, a message similar to the following may be emitted.
    [7/29/15 14:18:23:629 CDT] 00000020 WebAuthentica E
    SECJ0126E: Trust Association failed during validation. The
    exception is
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    security.wssecurity.WSEC7074E
    This error is not helpful for determining the cause of the
    failure.  More information is required.
    

Problem conclusion

  • The SAML runtime is updated to issue more useful errors when
    it cannot process a KeyInfo element.  The new messages follow
    the CWWSS7074E message, whose text is now properly resolved
    from the message key security.wssecurity.WSEC7074E (the raw
    key that previously appeared in the log).
    
    CWWSS7074E: The key is not retrieved. The exception is:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    
    CWSML7025E: The [{0}] sub-element of the KeyInfo element in
    the Security Assertion Markup Language (SAML) assertion is not
    supported.  The supported elements are [X509Data, KeyName,
    KeyValue].
    
    CWSML7026E: The [{0}] sub-element of the X509Data element in
    the Security Assertion Markup Language (SAML) assertion is not
    supported.  The supported elements are [X509Certificate,
    X509IssuerSerial, X509SubjectName, X509SKI].
    
    CWSML7027E: The SecurityTokenReference element in the KeyInfo
    element in the Security Assertion Markup Language (SAML)
    assertion contains a sub-element that is not supported: [{0}].
    The supported sub-elements are [X509Data, KeyName, KeyValue].
    
    CWSML7028E: The evaluated value for the KeyInfo element in the
    Security Assertion Markup Language (SAML) assertion does not
    match the key defined in the SAML configuration: [{0}].
    
    CWSML7029E: An X.509 certificate was not obtained from the
    KeyInfo element in the Security Assertion Markup Language
    (SAML) assertion, so trust cannot be evaluated.  Either use a
    KeyInfo method that yields a usable X.509 certificate or turn
    off trust validation.  The supported methods are [X509Data,
    KeyName].
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.12, and 8.5.5.8.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC, SAMLWSSO, SAMLWSSEC
    
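As an added illustration (not WebSphere's own code), the following Python sketch applies the supported-element rules spelled out in the CWSML7025E to CWSML7029E messages to the ds:KeyInfo of a SAML assertion and raises an exception that names the offending element and the message id, which is the behaviour this APAR asks for. The allowed-element sets are copied from the message texts above; the function names, the exception class, the configured_key_name parameter, the reading of SecurityTokenReference as a container with its own subset, and the sample assertions are assumptions made for this example.

```python
# Added example, not WebSphere code: a KeyInfo pre-check that enforces the
# SAML-runtime subset listed in APAR PI38151 and raises an error carrying
# the CWSML message id instead of a bare WSEC7074E.  Allowed-element sets
# come from the CWSML7025E-CWSML7029E texts; names, the configured_key_name
# parameter and the sample assertions are assumptions for illustration.
import xml.etree.ElementTree as ET
from typing import List, Optional, Union

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

KEYINFO_OK = {"X509Data", "KeyName", "KeyValue"}              # CWSML7025E
X509DATA_OK = {"X509Certificate", "X509IssuerSerial",
               "X509SubjectName", "X509SKI"}                  # CWSML7026E
STR_OK = {"X509Data", "KeyName", "KeyValue"}                  # CWSML7027E
CERT_YIELDING = {"X509Data", "KeyName"}                       # CWSML7029E


class UnsupportedKeyInfo(Exception):
    """Carries the message id so the log line names the actual cause."""

    def __init__(self, code: str, detail: str) -> None:
        super().__init__(f"{code}: {detail}")
        self.code = code


def _local(tag: str) -> str:
    """'{namespace}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _check_x509data(x509data: ET.Element) -> None:
    for sub in x509data:
        if _local(sub.tag) not in X509DATA_OK:
            raise UnsupportedKeyInfo("CWSML7026E",
                f"X509Data sub-element [{_local(sub.tag)}] is not supported; "
                f"supported: {sorted(X509DATA_OK)}")


def check_keyinfo(keyinfo: ET.Element, trust_validation: bool = True,
                  configured_key_name: Optional[str] = None) -> List[str]:
    """Return the KeyInfo methods found, or raise UnsupportedKeyInfo.
    SecurityTokenReference is treated as a container with its own subset
    (assumed reading of CWSML7027E)."""
    methods: List[str] = []
    for child in keyinfo:
        name = _local(child.tag)
        if name == "SecurityTokenReference":
            for sub in child:
                sname = _local(sub.tag)
                if sname not in STR_OK:
                    raise UnsupportedKeyInfo("CWSML7027E",
                        f"SecurityTokenReference sub-element [{sname}] is "
                        f"not supported; supported: {sorted(STR_OK)}")
                if sname == "X509Data":
                    _check_x509data(sub)
                methods.append(sname)
            continue
        if name not in KEYINFO_OK:
            raise UnsupportedKeyInfo("CWSML7025E",
                f"KeyInfo sub-element [{name}] is not supported; "
                f"supported: {sorted(KEYINFO_OK)}")
        if name == "X509Data":
            _check_x509data(child)
        if name == "KeyName" and configured_key_name is not None:
            found = (child.text or "").strip()
            if found != configured_key_name:
                raise UnsupportedKeyInfo("CWSML7028E",
                    f"KeyName [{found}] does not match the configured key "
                    f"[{configured_key_name}]")
        methods.append(name)
    if trust_validation and not set(methods) & CERT_YIELDING:
        raise UnsupportedKeyInfo("CWSML7029E",
            f"no X.509 certificate obtainable from {methods}; use one of "
            f"{sorted(CERT_YIELDING)} or turn off trust validation")
    return methods


def check_assertion(xml_text: str, **kw) -> List[str]:
    """Locate the first ds:KeyInfo in a SAML assertion and check it."""
    root = ET.fromstring(xml_text)
    keyinfo = root.find(f".//{{{DS}}}KeyInfo")
    if keyinfo is None:            # absent KeyInfo behaves like an empty one
        keyinfo = ET.Element(f"{{{DS}}}KeyInfo")
    return check_keyinfo(keyinfo, **kw)


def assertion_with(keyinfo_body: str) -> str:
    """Wrap a KeyInfo body in a minimal, constructed holder-of-key assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" xmlns:ds="{DS}" '
        f'xmlns:wsse="{WSSE}" ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">'
        f'<saml:SubjectConfirmationData><ds:KeyInfo>{keyinfo_body}</ds:KeyInfo>'
        '</saml:SubjectConfirmationData></saml:SubjectConfirmation>'
        '</saml:Subject></saml:Assertion>')


# Constructed sample KeyInfo bodies (certificate/CRL content are placeholders).
SAMPLES = {
    "cert": "<ds:X509Data><ds:X509Certificate>BASE64CERT</ds:X509Certificate></ds:X509Data>",
    "retrieval": '<ds:RetrievalMethod URI="#cert"/>',
    "crl": "<ds:X509Data><ds:X509CRL>BASE64CRL</ds:X509CRL></ds:X509Data>",
    "str_ref": '<wsse:SecurityTokenReference><wsse:Reference URI="#tok"/>'
               "</wsse:SecurityTokenReference>",
    "keyname": "<ds:KeyName>signer</ds:KeyName>",
    "keyvalue": "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
                "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>",
}


def run_sample(name: str, **kw) -> Union[List[str], str]:
    """Methods found for a sample, or the message id of the error raised."""
    try:
        return check_assertion(assertion_with(SAMPLES[name]), **kw)
    except UnsupportedKeyInfo as err:
        return err.code
```

Calling run_sample("retrieval") returns "CWSML7025E", run_sample("keyvalue") returns "CWSML7029E" with trust validation on and ["KeyValue"] with it off, and run_sample("cert") returns ["X509Data"]. In a real gateway this check would run before signature verification, so an unsupported KeyInfo fails fast with a specific message rather than surfacing only as the generic WSEC7074E trust-association failure shown in the problem summary.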

Temporary fix

Comments

APAR Information

  • APAR number

    PI38151

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-04-01

  • Closed date

    2015-08-17

  • Last modified date

    2015-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI38151

Modified date: 24 September 2015