Fixes are available
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When the WS-Security custom property com.ibm.wsspi.wssecurity.core.NonceClockSkew is set to a valid value in the WS-Security policy bindings, the UNTConsumeLoginModule defaults the value back to -1.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server administrators of WS-Security enabled JAX-WS applications
PROBLEM DESCRIPTION: When the NonceClockSkew is set in the WS-Security bindings, the UNTConsumeLoginModule defaults the value to -1.
RECOMMENDATION: Install a fix pack that contains this APAR.

When the WS-Security custom property com.ibm.wsspi.wssecurity.core.NonceClockSkew is set to a valid value in the WS-Security policy bindings, the UNTConsumeLoginModule defaults the value back to -1.

Also, even though a setting may be set and evaluated somewhere in WS-Security bindings (default, general, or application specific), the setting may appear to be reset to the default when the property is used in the UNTConsumeLoginModule.
Problem conclusion
The com.ibm.wsspi.wssecurity.core.NonceClockSkew property is not documented for use for the Nonce ClockSkew. This is an internal property. It had been mistakenly used in the APAR text for PM66441. The property name to use for Nonce ClockSkew is com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew. That property also exhibits the behavior reported in this APAR.

When the com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew custom property is set to any value, the code that reads the custom property String values sets an internal property to a Java Integer object that corresponds to the String object and puts it in a HashMap. When the UNTConsumeLoginModule retrieves the internal object from the HashMap, it casts the object to a Long instead of an Integer, causing an error. Because of the error, the UNTConsumeLoginModule defaults the value to -1. The UNTConsumeLoginModule is updated to cast the internal object to an Integer when retrieving it from the HashMap.

The next problem is the one where the properties appear to be reset to the default. The following properties are used for Nonce for a UsernameToken:
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout

If these properties appear in the custom properties in the "JAX-WS and JAX-RPC security runtime" (ws-security.xml) at the server and/or cell level, these properties will absolutely override any of these properties set in any of the JAX-WS bindings. When an application server is created, all three of these properties are put into ws-security.xml and they are set to the default values.

The JAX-WS runtime is updated to behave as follows: The nonce properties can be set in ws-security.xml or in any of the JAX-WS bindings. However, there are many rules to how the values are set and used.
The nonce cache timeout will be evaluated when loading the ws-security.xml and default general bindings.
* Once the nonce cache manager is instantiated, the cache timeout cannot be changed.
* If there is a value in ws-security.xml and distributed caching is enabled, the value in ws-security.xml is used absolutely.
* Otherwise, the value in the general binding takes precedence over the value in ws-security.xml. The first general binding loaded wins.
* Because the runtime cannot distinguish between the default provider bindings and default client bindings, and the order in which those bindings are loaded is indeterminate, if a property is set in both the default provider and default client bindings, the property that will be used is indeterminate.

The nonce max age and clock skew can be set in ws-security.xml or in any of the JAX-WS bindings. The priority follows, highest at the top:
General/Application specific bindings
Default Bindings
ws-security.xml

If a property is not set at the level that is being used, the value for the property will be inherited from the level before it. If a property is not set at all, the default value will be used.

The values for nonce clock skew and max age are validated before they are used. Here are the rules, evaluated from left to right:
cacheTimeout > maxAge >= clockSkew
If a value is determined to be not valid, it is returned to its default value.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.29, 8.0.0.6, and 8.5.0.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
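The Integer-versus-Long cast defect described under Problem conclusion, reproduced as an added example (not IBM's code). The class, the map key, and the assumption that the error is absorbed in a catch block are hypothetical; only the Integer storage, the Long cast, and the -1 fallback come from the APAR text.

```java
import java.util.HashMap;
import java.util.Map;

public class NonceClockSkewCast {
    // Hypothetical map key; the page does not name the internal property.
    static final String SKEW_KEY = "internal.nonce.clockSkew";
    static final long DEFAULT_SKEW = -1L; // fallback value stated in the APAR

    // Models the property reader: the String value is stored as an Integer.
    static Map<String, Object> load(String configured) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SKEW_KEY, Integer.valueOf(configured));
        return props;
    }

    // Before the fix: the cast to Long fails on an Integer and the default wins.
    static long readBeforeFix(Map<String, Object> props) {
        try {
            return (Long) props.get(SKEW_KEY);
        } catch (ClassCastException e) {
            return DEFAULT_SKEW; // configured value is lost
        }
    }

    // After the fix: the cast matches the type that was stored.
    static long readAfterFix(Map<String, Object> props) {
        Object v = props.get(SKEW_KEY);
        return (v == null) ? DEFAULT_SKEW : ((Integer) v).longValue();
    }

    // Defensive variant: accept any Number, reject other types loudly.
    static long readDefensive(Map<String, Object> props) {
        Object v = props.get(SKEW_KEY);
        if (v == null) return DEFAULT_SKEW;
        if (v instanceof Number) return ((Number) v).longValue();
        throw new IllegalStateException(SKEW_KEY + ": unexpected type " + v.getClass().getName());
    }

    public static void main(String[] args) {
        Map<String, Object> props = load("120"); // constructed sample value
        System.out.println("before fix: " + readBeforeFix(props));
        System.out.println("after fix:  " + readAfterFix(props));
        System.out.println("defensive:  " + readDefensive(props));
    }
}
```

Because the pre-fix path swallows the type error, a replay-protection setting reverts without any visible failure; the defensive variant surfaces an unexpected type instead of defaulting.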
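A model of the max age and clock skew precedence and validation rules listed above, as an added example (not IBM's code). The class, the default values, the sample settings, and the reading that a value failing the left-to-right check is the one reset to its default are assumptions; the cache timeout is passed in already resolved because the page gives it separate rules.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class NoncePropertyResolver {
    static final String P = "com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.";
    // Constructed defaults for illustration; the page does not state them.
    static final int DEF_MAX_AGE = 300, DEF_SKEW = 0;

    // Layers are ordered highest priority first; an unset property is
    // inherited from the next layer, then from the built-in default.
    static int resolve(String name, int dflt, List<Map<String, String>> layers) {
        for (Map<String, String> layer : layers) {
            String v = layer.get(P + name);
            if (v != null) return Integer.parseInt(v);
        }
        return dflt;
    }

    // Returns {maxAge, clockSkew} after checking cacheTimeout > maxAge >= clockSkew.
    static int[] effective(int cacheTimeout, List<Map<String, String>> layers) {
        int maxAge = resolve("maxAge", DEF_MAX_AGE, layers);
        int skew = resolve("clockSkew", DEF_SKEW, layers);
        // Assumed reading of the left-to-right rule: the failing value is reset.
        if (!(cacheTimeout > maxAge)) maxAge = DEF_MAX_AGE;
        if (!(maxAge >= skew)) skew = DEF_SKEW;
        return new int[] { maxAge, skew };
    }

    public static void main(String[] args) {
        // Constructed sample settings for the three levels named on the page.
        Map<String, String> wsSecurityXml = new HashMap<String, String>();
        wsSecurityXml.put(P + "maxAge", "200");
        wsSecurityXml.put(P + "clockSkew", "30");
        Map<String, String> defaultBindings = new HashMap<String, String>();
        defaultBindings.put(P + "clockSkew", "60");
        Map<String, String> appBindings = new HashMap<String, String>();

        // clockSkew comes from the default bindings, maxAge is inherited from ws-security.xml.
        System.out.println(Arrays.toString(
            effective(600, Arrays.asList(appBindings, defaultBindings, wsSecurityXml))));

        // An application-level skew larger than maxAge fails validation and is reset.
        appBindings.put(P + "clockSkew", "900");
        System.out.println(Arrays.toString(
            effective(600, Arrays.asList(appBindings, defaultBindings, wsSecurityXml))));
    }
}
```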
Temporary fix
Comments
APAR Information
APAR number
PM71568
Reported component name
XML FEATUREPACK
Reported component ID
5724J0856
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-08-24
Closed date
2012-11-13
Last modified date
2012-11-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
29 October 2021