PM10442: SAMLGenerateCallbackHandler does not allow adjusting life time of self-issued SAML tokens to tolerate clock skew

Fixes are available

APAR status

Closed as program error.

Error description

Self-issued SAML tokens that are generated by the
SAMLGenerateLoginModule class are rejected by web services
providers when their NotBefore time or NotOnOrAfter time
are invalid due to clock differences between the sending server
machine and the receiving server machine.

You can adjust the clockSkew configuration property of the
SAMLConsumerCallbackHandler to compensate for the clock
difference.  However, this is not an option when you are not
using the SAMLConsumerLoginModule or if you are using a third
party web services provider that does not support clock skew
adjustment.

Local fix

```
N/A
```

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
*                  of JAX-WS applications that use the         *
*                  SAMLGenerateCallbackHandler class in        *
*                  WS-Security binding configuration.          *
****************************************************************
* PROBLEM DESCRIPTION: There is no configuration option when   *
*                      creating self-issued SAML tokens to     *
*                      compensate for possible clock skew.     *
*                                                              *
*                                                              *
*                                                              *
*                                                              *
****************************************************************
* RECOMMENDATION:  Install a fix pack that includes this APAR. *
****************************************************************
When self-issued SAML tokens are generated using the
SAMLGenerateLoginModule class, the NotBefore and NotOnOrAfter
time is determined using the current system time.
SAMLGenerateLoginModule does not provide a configuration
option to adjust the time to compensate for possible clock
skew in a distributed computing environment.

Ordinarily, such clock differences are accounted for on the
receiver side with some sort of clock skew configuration.
However, some third-party WS-Security implementations only
allow the clock difference be applied to the sender side;
there is no way to compensate for clock differences on the
receiver side.

The SAMLGenerateLoginModule should have the ability to
configure a clock skew for the NotBefore time and NotOnOrAfter
time in order to interoperate properly with these types of
WS-Security implementations in a distributed computing
environment.

Problem conclusion

The SAMLGenerateLoginModule class in the JAX-WS WS-Security
runtime is updated to allow a clock skew to be configured.
The following WS-Security custom property is added

clockSkew=valueInMinutes

The value must be numeric and is specified in minutes.

The value entered will adjust the times in the self-issued
SAML token created by SAMLGenerateLoginModule as follows:

The new NotBefore will equal NotBefore before the clockSkew is
applied minus the clockSkew setting
The new NotAfter will equal NotAfter before the clockSkew is
applied plus the clockSkew setting

The clockSkew property is set on the Callback handler of the
SAML token generator that uses the SAMLGenerateLoginModule
class.  Following is an example of navigating to the proper
location to set the clockSkew WS-Security custom property in
the administrative console:

Services->Service clients->(bindingName)->WS-Security->
Authentication and protection->(tokenName)->Callback handler

The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.15.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PM10442
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-03-20
Closed date
2010-09-15
Last modified date
2010-09-15

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 October 2021

Tips

PM10442: SAMLGenerateCallbackHandler does not allow adjusting life time of self-issued SAML tokens to tolerate clock skew

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?