IBM Support

PI69720: CWWSS7542E ERROR IN WEB SERVICES SECURITY SAML CAN BE MISLEADING


APAR status

  • Closed as program error.

Error description

  • You can get the CWWSS7542E error message in Web Services
    Security SAML when the DN of the signer certificate that signed
    the SAML assertion does not match
    sso_<id>.idp_<id>.allowedIssuerDN.
    
    CWWSS7542E: The [{0}] SAML issuer name or signer SubjectDN of
    the certificate are not trusted.
    
    This message implies that the Issuer element in the SAML
    Assertion is incorrect, not that the signer certificate is
    incorrect.
    

Local fix

  • Add the subjectDN of the certificate as a trustedSubjectDN.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled web services            *
    *                  applications and SAML                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: More diagnostics are required when      *
    *                      trustedIssuer and/or trustedSubjectDN   *
    *                      validation fails in WS-Security         *
    *                      SAML                                    *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    In WS-Security SAML, when the trustedIssuer and/or
    trustedSubjectDN validation fails, the error message that is
    emitted does not give enough information required to resolve
    the issue.
    1) The SubjectDN name isn't in the error message.
    2) The error message doesn't say if Issuer validation,
    SubjectDN validation, or Issuer/SubjectDN validation failed.
    

Problem conclusion

  • The error handling in the trustedIssuer and trustedSubjectDN
    processing in the  WS-Security SAML code is updated to
    produce messages that are more useful.
    
    ==========================================
    The CWWSS7542E message is updated to add an insert for the name
    of the SubjectDN:
    
    CWWSS7542E: The [{0}] SAML issuer name or [{1}] signer
    SubjectDN of the certificate are not trusted.
    
    ==========================================
    The following messages are added:
    
    CWWSS8044E: The allowed issuer validation failed for the [{0}]
    SAML issuer name and the [{1}] Subject DN of the signer
    certificate.  The SAML issuer and Subject DN are part of a
    pair so both must be trusted.
    
    CWWSS8045E: The Subject DN [{0}] of the signer certificate in
    the SAML Assertion is not trusted.
    
    CWWSS8046E: The Issuer name [{0}] in the SAML Assertion is not
    trusted.
    
    CWWSS8047E: The signer certificate is not available.  Either
    the SAML Assertion was not signed or it was not required to be
    signed.  Ensure that the [{0}] custom property is set to true.
    
    ==========================================
    The following existing messages are also used:
    
    CWSML7003E: The [{0}] attribute on the Assertion element is
    missing or empty.
    
    CWSML7029E: An X.509 certificate was not obtained from the
    KeyInfo element in the Security Assertion Markup Language
    (SAML) assertion, so trust cannot be evaluated.  Either use a
    KeyInfo method that yields a usable X.509 certificate or turn
    off trust validation.  The supported methods are [{0}].
    
    ==========================================
    Instead of just CWWSS7542E, the main error message that you
    will see in SystemOut.log or a trace for the
    trustedIssuer/trustedSubjectDN validation errors will be
    CWWSS7542E, CWWSS8044E, CWWSS8045E or CWWSS8046E.
    
    The message is attached to an exception.  The exception may
    have a cause attached to it that you can see in the call stack
    (either in SystemOut.log, FFDC or trace).
    
    
    For instance, consider the following scenarios:
    
    ==========================================
    trustedIssuer_1=com.ibm.whatever
    
    (Receive a SAML with Issuer=com.ibm.abc)
    
    CWWSS8046E: The Issuer name [com.ibm.abc] in the SAML
    Assertion is not trusted.
    
    ==========================================
    trustedSubjectDN_1=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
    
    (Receive a SAML signed by N=myx509cert, OU=AIM, O=IBM,
    ST=TX, C=US)
    
    CWWSS8045E: The Subject DN [N=myx509cert, OU=AIM, O=IBM,
    ST=TX, C=US] of the signer certificate in the SAML Assertion
    is not trusted.
    
    ==========================================
    trustedIssuer_1=com.ibm.whatever
    
    (Receive a SAML with no Issuer)
    
    CWWSS8046E: The Issuer name [] in the SAML Assertion is not
    trusted.
      caused by
    CWSML7003E: The [Issuer] attribute on the Assertion element is
    missing or empty.
    
    ==========================================
    trustedIssuer_1=com.ibm.whatever
    trustedSubjectDN_2=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
    
    (Receive a SAML with no Issuer and not signed):
    
    CWWSS7542E: The [] SAML issuer name or [] signer
    SubjectDN of the certificate are not trusted.
      caused by
    CWSML7003E: The [Issuer] attribute on the Assertion element is
    missing or empty.
    CWWSS8047E: The signer certificate is not available.  Either
    the SAML Assertion was not signed or it was not required to be
    signed.  Ensure that the [signatureRequired] custom property is
    set to true.
    
    ==========================================
    trustedSubjectDN_1=N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US
    trustedIssuer_2=com.ibm.whatever
    trustedSubjectDN_2=N=whatever, OU=AIM, O=IBM, ST=TX, C=US
    
    (Receive a SAML with Issuer=com.ibm.whatever, signed by
    N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US)
    
    CWWSS8044E: The allowed issuer validation failed for the
    [com.ibm.whatever] SAML issuer name and the [N=myx509cert,
    OU=AIM, O=IBM, ST=TX, C=US] Subject DN of the signer
    certificate.  The SAML issuer and Subject DN are part of a
    pair so both must be trusted.
      caused by
    CWWSS8045E: The Subject DN [N=myx509cert, OU=AIM, O=IBM,
    ST=TX, C=US] of the signer certificate in the SAML Assertion
    is not trusted.
    
    Notice that, although "N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US"
    is trusted on its own (trustedSubjectDN_1), the Issuer
    "com.ibm.whatever" is part of a trusted pair (n=2).  This means
    that when the Issuer is "com.ibm.whatever", the SubjectDN must be
    "N=whatever, OU=AIM, O=IBM, ST=TX, C=US".
    
    ==========================================
    Following are the explanation and action for CWWSS8044E:
    
    Explanation:
    The Issuer name and the Subject DN shown in the message are
    part of a trusted pair in the SAML token consumer
    configuration.  A trusted pair is [trustedIssuer_n] and
    [trustedSubjectDN_n] where n is the same number.  Either the
    Issuer name in the token is part of a pair and the Subject DN
    of the signer certificate doesn't match its pair or the other
    way around.  The Issuer or Subject DN that is not trusted will
    be added as a cause to this message and will be visible in the
    FFDC logs.
    
    Action:
    Do one of the following:
    1) Ensure that the SAML token contains the Issuer name shown in
    the message and is signed with a certificate that has the
    Subject DN shown in the message.
    2) Change the [trustedIssuer_n] [trustedSubjectDN_n] pair in the
    SAML token consumer configuration to be the Issuer name and the
    Subject DN of the signer certificate of the SAML token.
    3) Remove the pair association of [trustedIssuer_n]
    [trustedSubjectDN_n] in your SAML token consumer by changing
    the 'n' to different numbers for each custom property.
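    The pair rule above, as an added Python model that is not IBM's
    code: it returns the message codes the fixed consumer reports for
    the scenarios listed earlier, using the page's property names and
    values.  Assumption: an Issuer or Subject DN check with no
    property of its kind configured at all is skipped.

```python
from typing import Optional

def _entries(config: dict, prefix: str) -> dict:
    """Map the n suffix of every <prefix>_n custom property to its value."""
    return {k[len(prefix) + 1:]: v for k, v in config.items()
            if k.startswith(prefix + "_")}

def validate(config: dict, issuer: Optional[str],
             signer_dn: Optional[str]) -> list:
    """Return [] when trusted, else [main message code, *cause codes].
    issuer: "" or None if the Issuer element is missing; signer_dn: None
    if the assertion is unsigned."""
    issuers = _entries(config, "trustedIssuer")
    dns = _entries(config, "trustedSubjectDN")
    # A trusted pair is trustedIssuer_n and trustedSubjectDN_n, same n.
    pairs = {n: (issuers[n], dns[n]) for n in issuers.keys() & dns.keys()}
    if (issuer, signer_dn) in pairs.values():
        return []
    # One half of a pair present without the other: CWWSS8044E, with the
    # half that did not match attached as the cause.
    if any(i == issuer for i, _ in pairs.values()):
        return ["CWWSS8044E", "CWWSS8045E"]
    if any(d == signer_dn for _, d in pairs.values()):
        return ["CWWSS8044E", "CWWSS8046E"]
    # Individual checks; a check is skipped (assumption) when no property
    # of its kind is configured at all.
    causes = []
    issuer_bad = bool(issuers) and issuer not in issuers.values()
    if issuer_bad and not issuer:
        causes.append("CWSML7003E")   # Issuer attribute missing or empty
    dn_bad = bool(dns) and signer_dn not in dns.values()
    if dn_bad and signer_dn is None:
        causes.append("CWWSS8047E")   # no signer certificate available
    if issuer_bad and dn_bad:
        return ["CWWSS7542E"] + causes
    if issuer_bad:
        return ["CWWSS8046E"] + causes
    if dn_bad:
        return ["CWWSS8045E"] + causes
    return []

if __name__ == "__main__":
    # Last scenario from the page: DN trusted on its own (n=1), but the
    # Issuer belongs to pair n=2 whose DN is a different one.
    cfg = {"trustedSubjectDN_1": "N=myx509cert, OU=AIM, O=IBM, ST=TX, C=US",
           "trustedIssuer_2": "com.ibm.whatever",
           "trustedSubjectDN_2": "N=whatever, OU=AIM, O=IBM, ST=TX, C=US"}
    print(validate(cfg, "com.ibm.whatever", cfg["trustedSubjectDN_1"]))
```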
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.43, 8.0.0.14, 8.5.5.12, 9.0.0.3.  Please refer
    to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI69720

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-09-26

  • Closed date

    2016-12-13

  • Last modified date

    2016-12-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 8.0

Reference #: PI69720

Modified date: 13 December 2016