IBM Support

PI54960: PROVIDE PROPERTY TO SET JAVA SECURITY ALGORITHM RELATED PROPERTIES

APAR status

  • Closed as program error.

Error description

  • Provide WebSphere Application Server properties whose values
    are read and used to set the Java Security algorithm properties
    if they are not already set in the java.security file.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: The server needs a way to set java      *
    *                      security properties                     *
    *                      jdk.tls.disabledAlgorithms and          *
    *                      jdk.certpath.disabledAlgorithms.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    WebSphere Application Server will set
    jdk.tls.disabledAlgorithms and
    jdk.certpath.disabledAlgorithms properties programmatically.
    

Problem conclusion

  • The JRE has started disabling algorithms that are weak or are
    considered vulnerable.  The JRE disables these algorithms by
    setting them on the jdk.tls.disabledAlgorithms and
    jdk.certpath.disabledAlgorithms Security properties in the
    java.security file.  The jdk.tls.disabledAlgorithms property is
    used to disable algorithms during TLS handshaking.  The
    jdk.certpath.disabledAlgorithms property is used to disable
    algorithms during certification path processing.  WebSphere
    does not modify the java.security file in the service stream.
    To make sure the server is at the recommended level of security,
    WebSphere will set these properties programmatically.
    During server startup jdk.tls.disabledAlgorithms will be set to
    SSLv3, RC4, DH keySize < 768, MD5withRSA and
    jdk.certpath.disabledAlgorithms will be set to MD2, RSA keySize
    < 1024, MD5 programmatically.  An informational message will
    be printed in the SystemOut.log file informing users what
    WebSphere is setting them to.
    
    There are 2 new WebSphere security custom properties that users
    can use to either customize what is set by the Security
    properties or to tell WebSphere to not programmatically set the
    properties at all.
    
    1.  The com.ibm.websphere.tls.disabledAlgorithms security custom
    property can be used to tell WebSphere to set a custom list of
    algorithms to disable during TLS handshaking.  Users who do not
    want WebSphere to programmatically set the Java Security
    property jdk.tls.disabledAlgorithms can set
    com.ibm.websphere.tls.disabledAlgorithms to none.
    2.  The com.ibm.websphere.certpath.disabledAlgorithms security
    custom property can be used to tell WebSphere to set a custom
    list of algorithms to disable during certification path
    processing.  Users who do not want WebSphere to programmatically
    set the Java Security property jdk.certpath.disabledAlgorithms
    can set com.ibm.websphere.certpath.disabledAlgorithms to
    none.
    
    To set a security custom property in the Admin Console, go to:
    Security > Global security > Custom properties
    Select New.  In the box labeled Name, enter
    com.ibm.websphere.tls.disabledAlgorithms or
    com.ibm.websphere.certpath.disabledAlgorithms, and in the box
    labeled Value enter either a comma-separated list of algorithms,
    or none if you don't want WebSphere to set the Security
    properties.  Apply and Save the changes.
    
    The server will need to be restarted for the properties to take
    effect.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.41, 8.0.0.13, and 8.5.5.10.  Please refer to the
    Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
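
A check for the effective values described above, as an added example (not IBM's code): it compares the JVM's jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms against the lists this APAR names and confirms that a default TLS engine offers neither SSLv3 nor RC4. The class and helper names are hypothetical, Java 8 or later is assumed, and it has to run inside the server JVM (for example from a test servlet) to see values that WebSphere sets at startup.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class DisabledAlgorithmsCheck {
    // Values this APAR says WebSphere sets during server startup.
    static final String TLS_BASELINE = "SSLv3, RC4, DH keySize < 768, MD5withRSA";
    static final String CERTPATH_BASELINE = "MD2, RSA keySize < 1024, MD5";

    // Leading algorithm name of each comma-separated entry,
    // e.g. "DH keySize < 768" -> "dh".
    static List<String> names(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String entry : value.split(",")) {
            String t = entry.trim();
            if (!t.isEmpty()) out.add(t.split("\\s+")[0].toLowerCase(Locale.ROOT));
        }
        return out;
    }

    // Baseline algorithm names that the effective Security property does not mention.
    // Simplification: only names are compared, not key-size constraints.
    static List<String> missing(String property, String baseline) {
        List<String> want = names(baseline);
        want.removeAll(names(Security.getProperty(property)));
        return want;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("tls missing:      "
                + missing("jdk.tls.disabledAlgorithms", TLS_BASELINE));
        System.out.println("certpath missing: "
                + missing("jdk.certpath.disabledAlgorithms", CERTPATH_BASELINE));

        // Confirm the effect on a default TLS engine: no SSLv3, no RC4 suites.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        boolean sslv3 = Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3");
        long rc4 = Arrays.stream(engine.getEnabledCipherSuites())
                .filter(s -> s.contains("_RC4_")).count();
        System.out.println("SSLv3 enabled: " + sslv3 + ", RC4 suites enabled: " + rc4);
    }
}
```

An empty "missing" list for both properties, together with "SSLv3 enabled: false, RC4 suites enabled: 0", indicates the baseline from this APAR is in effect; a non-empty list is expected when a custom property is set to none or to a shorter custom list.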
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI54960

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-01-07

  • Closed date

    2016-02-03

  • Last modified date

    2016-04-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI54960

Modified date: 20 April 2016