IBM Support

PM71568: WS-SECURITY NONCECLOCKSKEW PROPERTY IS ALWAYS SET TO -1 IN THE USERNAMETOKEN CONSUMER

Fixes are available

8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

APAR status

  • Closed as program error.

Error description

  • When the WS-Security custom property
    com.ibm.wsspi.wssecurity.core.NonceClockSkew is set to a valid
    value in the WS-Security policy bindings, the
    UNTConsumeLoginModule defaults the value back to -1.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of WS-Security enabled       *
    *                  JAX-WS applications                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: When the NonceClockSkew is set in the   *
    *                      WS-Security bindings, the               *
    *                      UNTConsumeLoginModule defaults the      *
    *                      value to -1.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When the WS-Security custom property
    com.ibm.wsspi.wssecurity.core.NonceClockSkew is set to a valid
    value in the WS-Security policy bindings, the
    UNTConsumeLoginModule defaults the value back to -1.
    Also, even though a setting may be set and evaluated somewhere
    in WS-Security bindings (default, general, or application
    specific), the setting may appear to be reset to the default
    when the property is used in the UNTConsumeLoginModule.
    

Problem conclusion

  • The com.ibm.wsspi.wssecurity.core.NonceClockSkew property is
    not documented for setting the nonce clock skew.  It is an
    internal property that was mistakenly used in the APAR text
    for PM66441.  The property name to use for the nonce clock
    skew is
    com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew.
    That property also exhibits the behavior reported in this APAR.
    
    When the
    com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew
    custom property is set to any value, the code that reads the
    custom property String values sets an internal property to a
    Java Integer object that corresponds to the String object and
    puts it in a HashMap.  When the UNTConsumeLoginModule retrieves
    the internal object from the HashMap, it casts the object to a
    Long instead of an Integer, which causes an error.  Because of
    the error, the UNTConsumeLoginModule defaults the value to -1.
    
    The UNTConsumeLoginModule is updated to cast the internal
    object to an Integer when retrieving it from the HashMap.
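
    The cast error described above, as an added Java sketch.  It is
    not IBM's code: the map key and method names are hypothetical,
    and 300 is a constructed sample value.

```java
import java.util.HashMap;
import java.util.Map;

public class NonceClockSkewCast {
    // Hypothetical key standing in for the internal property the APAR describes.
    static final String KEY = "nonce.clockSkew";
    static final long DEFAULT = -1L;

    // Config reader: parses the binding's String value and stores an Integer.
    static Map<String, Object> loadConfig(String raw) {
        Map<String, Object> cfg = new HashMap<String, Object>();
        cfg.put(KEY, Integer.valueOf(raw));
        return cfg;
    }

    // Before the fix: the stored object is an Integer, so the cast to Long
    // throws ClassCastException and the handler falls back to -1.
    static long readBeforeFix(Map<String, Object> cfg) {
        try {
            return (Long) cfg.get(KEY);
        } catch (ClassCastException e) {
            return DEFAULT;
        }
    }

    // After the fix: cast to the type that was actually stored.
    static long readAfterFix(Map<String, Object> cfg) {
        Object v = cfg.get(KEY);
        return (v instanceof Integer) ? (Integer) v : DEFAULT;
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadConfig("300"); // constructed sample value
        System.out.println("before fix: " + readBeforeFix(cfg));
        System.out.println("after fix:  " + readAfterFix(cfg));
    }
}
```

    Because the failed cast is absorbed into a default, a configured
    value is dropped without any visible failure, which is why the
    symptom is a setting that never takes effect.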
    
    The second problem is that the properties appear to be reset
    to the default.  The following properties are used for the
    nonce of a UsernameToken:
    
    com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew
    com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge
    com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout
    
    If these properties appear in the custom properties in the
    "JAX-WS and JAX-RPC security runtime" (ws-security.xml) at the
    server and/or cell level, they absolutely override any of
    these properties set in any of the JAX-WS bindings.  When an
    application server is created, all three of these properties
    are put into ws-security.xml and set to their default values.
    
    The JAX-WS runtime is updated to behave as follows:
    
    The nonce properties can be set in ws-security.xml or in any
    of the JAX-WS bindings.  However, there are many rules for how
    the values are set and used.
    
    The nonce cache timeout will be evaluated when loading the
    ws-security.xml and default general bindings.
    
    * Once the nonce cache manager is instantiated, the cache
    timeout cannot be changed.
    * If there is a value in ws-security.xml and distributed
    caching is enabled, the value in ws-security.xml is used
    absolutely.
    * Otherwise, the value in the general binding takes precedence
    over the value in ws-security.xml.  The first general binding
    loaded wins.
    * The runtime cannot distinguish between the default provider
    bindings and the default client bindings, and the order in
    which those bindings are loaded is indeterminate.  If a
    property is set in both the default provider and default
    client bindings, the value that will be used is therefore
    indeterminate.
    
    The nonce max age and clock skew can be set in ws-security.xml
    or in any of the JAX-WS bindings.  The priority is as follows,
    highest at the top:
    
    General/Application specific bindings
    Default Bindings
    ws-security.xml
    
    If a property is not set at the level that is being used, the
    value for the property will be inherited from the level before
    it.  If a property is not set at all, the default value will
    be used.
    
    The values for nonce clock skew and max age are validated
    before they are used.  Here are the rules, evaluated from left
    to right:
    
    cacheTimeout > maxAge >= clockSkew
    
    If a value is determined to be not valid, it is returned to
    its default value.
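
    The precedence, inheritance and validation rules above, as an
    added Java sketch that is not IBM's implementation.  The default
    values are constructed placeholders (the APAR does not state the
    real ones), and resetting the right-hand operand of a failed
    comparison is an assumption about "evaluated from left to right".

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class NonceSettingsResolver {
    static final String P = "com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.";
    // Constructed placeholder defaults; the APAR does not state the real ones.
    static final Map<String, Integer> DEFAULTS = new HashMap<String, Integer>();
    static {
        DEFAULTS.put(P + "maxAge", 300);
        DEFAULTS.put(P + "clockSkew", 0);
    }

    // Layers are passed lowest priority first: ws-security.xml, default
    // bindings, general/application-specific bindings. A later layer overrides
    // an earlier one only for the keys it actually sets (inheritance).
    static int effective(String key, List<Map<String, Integer>> layers) {
        int value = DEFAULTS.get(key);
        for (Map<String, Integer> layer : layers) {
            if (layer.containsKey(key)) value = layer.get(key);
        }
        return value;
    }

    // cacheTimeout > maxAge >= clockSkew, checked left to right. Assumption:
    // the right-hand operand of a failed comparison is the one reset.
    // cacheTimeout is a parameter because it is fixed when the cache loads.
    static int[] resolve(int cacheTimeout, List<Map<String, Integer>> layers) {
        int maxAge = effective(P + "maxAge", layers);
        int clockSkew = effective(P + "clockSkew", layers);
        if (!(cacheTimeout > maxAge)) maxAge = DEFAULTS.get(P + "maxAge");
        if (!(maxAge >= clockSkew)) clockSkew = DEFAULTS.get(P + "clockSkew");
        return new int[] { maxAge, clockSkew };
    }

    public static void main(String[] args) {
        // Constructed sample layers.
        Map<String, Integer> wsSecurityXml = new HashMap<String, Integer>();
        wsSecurityXml.put(P + "maxAge", 300);
        Map<String, Integer> defaultBindings = new HashMap<String, Integer>();
        defaultBindings.put(P + "clockSkew", 60);
        Map<String, Integer> appBindings = new HashMap<String, Integer>();
        appBindings.put(P + "maxAge", 900); // not below cacheTimeout 600: reset
        int[] r = resolve(600, Arrays.asList(wsSecurityXml, defaultBindings, appBindings));
        System.out.println("maxAge=" + r[0] + " clockSkew=" + r[1]);
    }
}
```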
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.29, 8.0.0.6, and 8.5.0.2.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM71568

  • Reported component name

    XML FEATUREPACK

  • Reported component ID

    5724J0856

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-08-24

  • Closed date

    2012-11-13

  • Last modified date

    2012-11-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM71568

Modified date: 13 November 2012