IBM Support

PM12971: JAX-RPC WS-SECURITY STR-TRANSFORM PROCESSING IS INCORRECT

Fixes are available

PM12971; 6.1.0.35: jax-rpc ws-security str-transform processing is incorrect
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
7.0.0.17: Java SDK 1.6 SR9 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server


APAR status

  • Closed as program error.

Error description

  • The JAX-RPC WS-Security runtime cannot properly generate or
    consume signed security tokens that are signed with
    STR-Transform.
    
    The STR-Transform process must be used in order to sign custom
    security tokens that do not contain the wsu:Id attribute.
    

Local fix

  • No workaround noted at this time.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V6.1 and   *
    *                  V7.0 users of WS-Security enabled JAX-RPC   *
    *                  web services applications and digital       *
    *                  signature                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-RPC WS-Security runtime cannot      *
    *                      properly generate or consume signed     *
    *                      security tokens that are signed with    *
    *                      STR-Transform                           *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this APAR. *
    ****************************************************************
    The JAX-RPC WS-Security 1.0 runtime cannot properly generate or
    consume a security token that is referenced with a
    SecurityTokenReference that is signed with the STR Dereference
    Transform reference option.
    
    The STR-Transform Transform algorithm will be specified in the
    Reference in the Signature element when the STR Dereference
    Transform reference option is being used.  The Reference
    element will point to the SecurityTokenReference for the
    security token that is to be signed.
    
    The STR-Transform process must be used in order to sign custom
    security tokens that do not contain the wsu:Id attribute, or
    any security token that does not appear in the message.
    
    When the JAX-RPC runtime is configured to sign a security
    token using STR-Transform, the runtime will add a wsu:Id
    attribute directly to the security token and not add the
    required wsse:SecurityTokenReference element.  This is not
    acceptable for tokens that do not allow the wsu:Id attribute,
    such as SAML tokens.
    
    When the JAX-RPC runtime receives a
    wsse:SecurityTokenReference element that is outside of the
    Signature element in the SOAP security header, which is
    required for a security token that is signed with
    STR-Transform, an error like the following will occur:
    
    WSEC5503E: Unknown element wsse:SecurityTokenReference in the
    wsse:Security element.
    
    The STR-Transform transform algorithm is:
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    
    The wsse:SecurityTokenReference element is:
    {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference
    
    The wsu:Id attribute is:
    {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id
    

Problem conclusion

  • The JAX-RPC WS-Security 1.0 runtime is updated to properly
    generate and consume security tokens that are signed using
    STR-Transform in the following conditions:
    
    * The security token can be referenced by a Reference element
    within a wsse:SecurityTokenReference element
    -or-
    * The token is a SAML 1.1 or SAML 2.0 Assertion that can be
    referenced by a KeyIdentifier element in the
    wsse:SecurityTokenReference element.
    
    Any token that must be referred to with a KeyIdentifier that
    is not a SAML 1.1 or 2.0 Assertion is not supported.  This
    includes tokens that do not appear in the message.
    
    For the purposes of this APAR, the UsernameToken, X.509,
    and LTPA tokens were those tested for
    wsse:SecurityTokenReference/Reference.
    
    The SAML 1.1 Assertion is:
    {urn:oasis:names:tc:SAML:1.0:assertion}Assertion
    
    The SAML 2.0 Assertion is:
    {urn:oasis:names:tc:SAML:2.0:assertion}Assertion
    
    This APAR only applies to the JAX-RPC WS-Security 1.0 runtime.
    The JAX-RPC Draft 13 runtime was not updated.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 6.1.0.37 and 7.0.0.17.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
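As an added example (not IBM's code and not the APAR fix itself), the following Python check walks a constructed wsse:Security header and flags the shapes the summary and conclusion above describe as wrong: a SAML assertion carrying wsu:Id, a ds:Reference using the STR-Transform algorithm that resolves to the token itself instead of a wsse:SecurityTokenReference, an STR placed inside the Signature rather than in the header, and an STR with neither a Reference nor a KeyIdentifier child. The sample headers, the ds namespace and the helper names are assumptions; only the namespace URIs quoted in the APAR are taken from the page.

```python
import xml.etree.ElementTree as ET

# Namespace URIs quoted in the APAR text; the XML-DSig namespace is added here (standard).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_NS = {"urn:oasis:names:tc:SAML:1.0:assertion", "urn:oasis:names:tc:SAML:2.0:assertion"}

def q(ns, local):
    return "{%s}%s" % (ns, local)

def check_str_transform(security_xml):
    """Return findings for every ds:Reference in a wsse:Security header that uses STR-Transform."""
    sec = ET.fromstring(security_xml)
    parent = {c: p for p in sec.iter() for c in p}
    by_id = {e.get(q(WSU, "Id")): e for e in sec.iter() if e.get(q(WSU, "Id")) is not None}
    # A SAML assertion must not carry wsu:Id; the pre-fix runtime stamped one on it.
    findings = ["saml-assertion-has-wsu-id" for e in by_id.values()
                if e.tag[1:].split("}")[0] in SAML_NS]
    for ref in sec.iter(q(DS, "Reference")):
        if STR_TRANSFORM not in {t.get("Algorithm") for t in ref.iter(q(DS, "Transform"))}:
            continue
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None or target.tag != q(WSSE, "SecurityTokenReference"):
            findings.append("str-transform-target-not-str")  # URI must resolve to the STR, not the token
            continue
        p, inside_sig = parent.get(target), False  # the STR belongs in the header, outside ds:Signature
        while p is not None:
            inside_sig = inside_sig or p.tag == q(DS, "Signature")
            p = parent.get(p)
        if inside_sig:
            findings.append("str-inside-signature")
        if target.find(q(WSSE, "Reference")) is None and target.find(q(WSSE, "KeyIdentifier")) is None:
            findings.append("str-without-reference-or-keyidentifier")
    return findings

HDR = ('<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s" '
       'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">' % (WSSE, WSU, DS))
def _sig(uri):  # constructed minimal ds:Signature carrying one STR-Transform reference
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"><ds:Transforms><ds:Transform Algorithm="%s"/>'
            '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>' % (uri, STR_TRANSFORM))
# Constructed pre-fix shape: wsu:Id on the assertion, no STR, Reference points at the token itself.
BROKEN = HDR + '<saml2:Assertion ID="a1" wsu:Id="a1"/>' + _sig("#a1") + '</wsse:Security>'
# Constructed post-fix shape: STR with KeyIdentifier in the header, Reference points at the STR.
FIXED = HDR + ('<saml2:Assertion ID="a1"/><wsse:SecurityTokenReference wsu:Id="str1"><wsse:KeyIdentifier>'
               'a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>' + _sig("#str1") + '</wsse:Security>')
```

Running check_str_transform over a captured header before and after applying the fix pack gives a quick way to confirm the runtime now emits the STR-Transform structure rather than stamping wsu:Id on the token.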

Temporary fix

Comments

APAR Information

  • APAR number

    PM12971

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    60Z

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-04-23

  • Closed date

    2010-12-07

  • Last modified date

    2010-12-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP

  • R700 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 6.0

Reference #: PM12971

Modified date: 07 December 2010