IBM Support

PI49893: Allow certificate validation to be disabled

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Certificate validation based upon strict security from RFC5280
    may indicate errors that were previously unnoticed.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server web        *
    *                  server plugin users                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: After APAR PI39126 (8.5.5.7,            *
    *                      8.0.0.12, 9.0.0.0), the WAS WebServer   *
    *                      Plugin uses modern defaults for         *
    *                      SSL/TLS processing. This includes       *
    *                      disabling legacy protocols, ciphers,    *
    *                      and certificate validation. This may    *
    *                      cause problems if WAS has been          *
    *                      explicitly configured to use only       *
    *                      weak/export ciphers, or has been        *
    *                      configured with a certificate chain     *
    *                      that does not meet contemporary         *
    *                      standards.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Errors with certificates may be indicated which previously
    were not indicated. This is because strict security based upon
    RFC 5280 is now enforced by default.
    

Problem conclusion

  • Problems seen fall into the following certificate processing
    related categories (See RFC5280 for complete details):
    
    BasicConstraints extension: All certificates used to validate
    digital signatures (AKA issuers, signers, or CA's) must
    contain a BasicConstraints extension with the "criticality"
    field set to TRUE.
    
    CertificatePolicies extension: The CertificatePolicies
    extension must be RFC5280 conformant across the certificate
    chain. The algorithm is quite complex, but in a simplifed form
    an intermediate signer cannot assert policies not also
    asserted by its own signer.
    
    The certificate validation changes introduced in PI39126 can be
    disabled, by setting the WAS Plugin custom property
    "certificate_validation_strict_rfc5280=false" on the Plugin
    Custom Properties panel.
    
    The fix for this APAR is included in fix pack 8.0.0.12 and
    8.5.5.8.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    The custom property can be set during plugin configuration
    generation in 8.5.5.8, 8.0.0.12 or 7.0.0.41 but the version 7
    plugin runtime will not recognize the property (this is added
    to v7 to allow v8 or v855 configurations to be generated).
    
    WebSphere is required to be at the specified level for the
    custom property to be placed in the generated plugin-cfg.xml
    file. The plugin module residing on the web server MUST be at
    the specified level for the custom property to have the
    desired effect.
    
    The property can manually be added to the configuration
    post-generation to avoid upgrading WebSphere. If the property
    is manually added to the plugin configuration file, it must be
    placed within the "Config" tag. For example:
    <Config ... certificate_validation_strict_rfc5280="false" ... >
    (... represents other properties which may be present within
    the Config tag)
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI49893

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-05

  • Closed date

    2015-10-19

  • Last modified date

    2017-08-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 8.0

Reference #: PI49893

Modified date: 30 August 2017