IBM Support

PM10442: SAMLGenerateCallbackHandler does not allow adjusting life time of self-issued SAML tokens to tolerate clock skew

Fixes are available

7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for AIX
7.0.0.15: Java SDK 1.6 SR9 Cumulative Fix for WebSphere Application Server
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for HP-UX
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for IBM i
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Linux
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Solaris
7.0.0.15: WebSphere Application Server V7.0 Fix Pack 15 for Windows
7.0.0.17: WebSphere Application Server V7.0 Fix Pack 17
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server


APAR status

  • Closed as program error.

Error description

  • Self-issued SAML tokens that are generated by the
    SAMLGenerateLoginModule class are rejected by web services
    providers when their NotBefore or NotOnOrAfter time is
    invalid due to clock differences between the sending server
    machine and the receiving server machine.
    
    You can adjust the clockSkew configuration property of the
    SAMLConsumerCallbackHandler to compensate for the clock
    difference.  However, this is not an option when you are not
    using the SAMLConsumerLoginModule or if you are using a third
    party web services provider that does not support clock skew
    adjustment.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
    *                  of JAX-WS applications that use the         *
    *                  SAMLGenerateCallbackHandler class in        *
    *                  WS-Security binding configuration.          *
    ****************************************************************
    * PROBLEM DESCRIPTION: There is no configuration option when   *
    *                      creating self-issued SAML tokens to     *
    *                      compensate for possible clock skew.     *
    *                                                              *
    *                                                              *
    *                                                              *
    *                                                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this APAR. *
    ****************************************************************
    When self-issued SAML tokens are generated using the
    SAMLGenerateLoginModule class, the NotBefore and NotOnOrAfter
    time is determined using the current system time.
    SAMLGenerateLoginModule does not provide a configuration
    option to adjust the time to compensate for possible clock
    skew in a distributed computing environment.
    
    Ordinarily, such clock differences are accounted for on the
    receiver side with some sort of clock skew configuration.
    However, some third-party WS-Security implementations only
    allow the clock difference to be applied on the sender side;
    there is no way to compensate for clock differences on the
    receiver side.
    
    The SAMLGenerateLoginModule should have the ability to
    configure a clock skew for the NotBefore time and NotOnOrAfter
    time in order to interoperate properly with these types of
    WS-Security implementations in a distributed computing
    environment.
    

Problem conclusion

  • The SAMLGenerateLoginModule class in the JAX-WS WS-Security
    runtime is updated to allow a clock skew to be configured.
    The following WS-Security custom property is added:
    
    clockSkew=valueInMinutes
    
    The value must be numeric and is specified in minutes.
    
    The value entered will adjust the times in the self-issued
    SAML token created by SAMLGenerateLoginModule as follows:
    
    The new NotBefore equals the NotBefore before the clockSkew is
    applied, minus the clockSkew setting.
    The new NotOnOrAfter equals the NotOnOrAfter before the
    clockSkew is applied, plus the clockSkew setting.
    
    The clockSkew property is set on the Callback handler of the
    SAML token generator that uses the SAMLGenerateLoginModule
    class.  Following is an example of navigating to the proper
    location to set the clockSkew WS-Security custom property in
    the administrative console:
    
    Services->Service clients->(bindingName)->WS-Security->
    Authentication and protection->(tokenName)->Callback handler
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.15.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
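    The following is an added worked example, not code from the APAR
    or from the WebSphere runtime. It models the adjustment described
    above (NotBefore minus clockSkew, NotOnOrAfter plus clockSkew) and
    shows why a sender-side setting is needed when the receiver has no
    clock skew tolerance of its own. The function names, the 30-minute
    token lifetime and the 2-minute clock offset are constructed for
    the illustration; only the clockSkew semantics come from the APAR.

```python
from datetime import datetime, timedelta, timezone


def issue_token(sender_now, lifetime_minutes, clock_skew_minutes=0):
    """Compute the Conditions window of a self-issued SAML token.

    Mirrors the APAR's rule: NotBefore is moved earlier by clockSkew and
    NotOnOrAfter is moved later by clockSkew (both in minutes). With
    clockSkew=0 the window is exactly [now, now + lifetime).
    """
    skew = timedelta(minutes=clock_skew_minutes)
    not_before = sender_now - skew
    not_on_or_after = sender_now + timedelta(minutes=lifetime_minutes) + skew
    return not_before, not_on_or_after


def conditions_attributes(not_before, not_on_or_after):
    """Render the two timestamps as the xsd:dateTime (UTC) strings that
    appear on a saml:Conditions element."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "NotBefore": not_before.astimezone(timezone.utc).strftime(fmt),
        "NotOnOrAfter": not_on_or_after.astimezone(timezone.utc).strftime(fmt),
    }


def receiver_accepts(not_before, not_on_or_after, receiver_now,
                     receiver_skew_minutes=0):
    """Receiver-side validity check.

    SAML Conditions semantics: NotBefore is inclusive, NotOnOrAfter is
    exclusive. receiver_skew_minutes models a consumer that does support
    a clockSkew setting (like SAMLConsumerCallbackHandler); a third-party
    provider without that option is modelled by leaving it at 0.
    """
    skew = timedelta(minutes=receiver_skew_minutes)
    return (receiver_now >= not_before - skew
            and receiver_now < not_on_or_after + skew)


def demo():
    """Constructed scenario: the sender's clock runs 2 minutes ahead of
    the receiver's, and the receiver cannot tolerate skew itself."""
    sender_now = datetime(2010, 9, 15, 12, 0, 0, tzinfo=timezone.utc)
    receiver_now = sender_now - timedelta(minutes=2)  # receiver is behind

    # Without clockSkew the token's NotBefore lies in the receiver's future.
    nb, na = issue_token(sender_now, lifetime_minutes=30)
    rejected = receiver_accepts(nb, na, receiver_now)

    # With clockSkew=5 the window is widened on the sender side and the
    # same receiver accepts the token.
    nb_skew, na_skew = issue_token(sender_now, lifetime_minutes=30,
                                   clock_skew_minutes=5)
    accepted = receiver_accepts(nb_skew, na_skew, receiver_now)

    return {
        "without_skew": conditions_attributes(nb, na),
        "with_skew": conditions_attributes(nb_skew, na_skew),
        "accepted_without_skew": rejected,
        "accepted_with_skew": accepted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Note that the property widens the window at both ends, so a token
    with clockSkew=5 is accepted for 10 minutes longer than its nominal
    lifetime; the value should cover the observed clock drift between the
    two machines and no more, since every extra minute also extends the
    period in which a captured token remains valid.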
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM10442

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-03-20

  • Closed date

    2010-09-15

  • Last modified date

    2010-09-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM10442

Modified date: 15 September 2010