IBM Support

PI53397: OUTBOUND SSL WITH TWO-WAY SSL HANDSHAKE FAILS BECAUSE WEBSPHERE DOES NOT SEND CLIENT CERTIFICATE TO SSL SERVER

Fixes are available

7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
9.0.0.1: WebSphere Application Server traditional V9.0 Fix Pack 1
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10


APAR status

  • Closed as program error.

Error description

  • The WebSphere Key Manager does not consider all of the certificate
    types listed in the server's certificate request and so fails to
    select a client certificate alias from the keystore. The two-way
    SSL handshake fails because the client does not send a client
    certificate in response to the certificate request message.
    

Local fix

  • Specify client certificate alias name in SSL configuration.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server versions 6.1, 7.0, 8.0 and 8.5       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Customer is running SSL Client          *
    *                      Authentication. This was working        *
    *                      until they changed supported cipher     *
    *                      specs on the server-side(target).       *
    *                      After that the client side(source),     *
    *                      WSAS, fails to send a client            *
    *                      certificate.                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The customer is running with SSL Client Authentication. In such a
    configuration, the client side (Source server) must send a
    certificate to the server side (Target server), and the Target
    then authenticates the Source server's certificate. This had been
    working well.
    The customer altered the acceptable cryptography cipher
    specifications on the Target server, and now the Source server
    fails to send the client certificate.
    WebSphere Application Server security receives a preference list
    of certificate types that the Target server will accept. The code
    fails to iterate through the entire list; it only considers the
    top preference. As a result, available client certificates were
    not sent to the Target server.
    In this customer's case, altering the configured cipher
    specifications changed the ordering of the list, so the first
    entry in the preference list no longer matched the customer's
    client certificate.
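    The following is an added example, not WebSphere or IBM code: a
    small Python model of the alias selection a key manager performs
    against a TLS 1.2 CertificateRequest. It shows the pre-fix
    behaviour (only the first certificate type is tried), the fixed
    behaviour (every type in the preference list is tried in the
    server's order), and the local workaround of naming the alias in
    the SSL configuration. The cipher-suite-to-certificate-type table,
    the rule that the server derives its preference list from its
    enabled cipher suite order, the keystore contents and the issuer
    DNs are all constructed assumptions for the example.

```python
"""Client-certificate alias selection against a TLS 1.2 CertificateRequest.

Constructed example, not WebSphere or JSSE code. It models the choice a key
manager makes when the server's CertificateRequest carries an ordered list of
acceptable certificate types, and why stopping after the first entry breaks
two-way SSL as soon as the server's cipher order changes.
"""
from typing import Dict, List, Optional, Tuple

# Constructed simplification: the server derives its certificate_types
# preference list from the order of its enabled cipher suites.
SUITE_CERT_TYPE: Dict[str, str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ecdsa_sign",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "rsa_sign",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "rsa_sign",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "dss_sign",
}

# Constructed client keystore: alias -> (certificate type, issuer DN).
# The client holds a single RSA certificate, as in the APAR scenario.
CLIENT_KEYSTORE: Dict[str, Tuple[str, str]] = {
    "clientrsa": ("rsa_sign", "CN=Example Corporate CA"),
}

Keystore = Dict[str, Tuple[str, str]]


def certificate_request_types(enabled_suites: List[str]) -> List[str]:
    """Server side: ordered, de-duplicated certificate_types list.
    Reordering the enabled suites reorders this list."""
    types: List[str] = []
    for suite in enabled_suites:
        cert_type = SUITE_CERT_TYPE[suite]
        if cert_type not in types:
            types.append(cert_type)
    return types


def _alias_for(cert_type: str, issuers: List[str], keystore: Keystore) -> Optional[str]:
    """First alias whose certificate type and issuer satisfy the request.
    An empty issuers list means the server accepts any CA."""
    for alias, (kt, issuer) in keystore.items():
        if kt == cert_type and (not issuers or issuer in issuers):
            return alias
    return None


def choose_alias_first_type_only(cert_types: List[str], issuers: List[str],
                                 keystore: Keystore) -> Optional[str]:
    """Pre-fix behaviour described in the APAR: only the server's top
    preference is considered, so a keystore holding an acceptable
    certificate of the second type yields no alias at all."""
    if not cert_types:
        return None
    return _alias_for(cert_types[0], issuers, keystore)


def choose_alias_all_types(cert_types: List[str], issuers: List[str],
                           keystore: Keystore,
                           configured_alias: Optional[str] = None) -> Optional[str]:
    """Fixed behaviour: every entry in the preference list is tried, in the
    server's order. A configured alias (the APAR's local workaround of naming
    the alias in the SSL configuration) short-circuits the search but is
    still checked against the request so a stale alias is not sent blindly."""
    if configured_alias is not None:
        entry = keystore.get(configured_alias)
        if entry and entry[0] in cert_types and (not issuers or entry[1] in issuers):
            return configured_alias
        return None
    for cert_type in cert_types:
        alias = _alias_for(cert_type, issuers, keystore)
        if alias is not None:
            return alias
    return None


def handshake_outcome(alias: Optional[str]) -> str:
    """What the server sees: a client that found no alias sends an empty
    Certificate message, which a server requiring client auth rejects."""
    if alias:
        return "client certificate sent"
    return "empty Certificate message -> handshake fails"


if __name__ == "__main__":
    issuers = ["CN=Example Corporate CA"]
    original = certificate_request_types(
        ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"])
    reordered = certificate_request_types(
        ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])
    for label, types in (("original order", original), ("reordered", reordered)):
        old = choose_alias_first_type_only(types, issuers, CLIENT_KEYSTORE)
        new = choose_alias_all_types(types, issuers, CLIENT_KEYSTORE)
        print(f"{label}: types={types} first-only={handshake_outcome(old)} "
              f"all-types={handshake_outcome(new)}")
```

    With the server's original suite order the RSA type is first and
    both selectors find the alias; after the reorder the first-only
    selector returns no alias and the client sends an empty
    Certificate message, while the all-types selector (and the
    configured-alias workaround) still presents the RSA certificate.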
    

Problem conclusion

  • A Security Custom Property has been added to allow all entries
    in the client certificate preference list to be considered.
    There are two different properties, one for 6.1 and one for 7.0
    and higher. To enable the properties:
    
    V6.1:
    com.ibm.websphere.crypto.config.useAllSSLClientAuthKeytypes=true
    
    V7.0 and higher:
    com.ibm.websphere.security.useAllSSLClientAuthKeytypes=true
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.41, 8.0.0.13, and 8.5.5.10.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI53397

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-12-01

  • Closed date

    2016-02-01

  • Last modified date

    2016-02-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61Z PSY

       UP

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 610

Reference #: PI53397

Modified date: 23 February 2016