Fixes are available
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
The following exception may occur when a SAML token is received by WS-Security: PKIXCertPathBuilderImpl could not build a valid CertPath

From System.out:
com.ibm.websphere.wssecurity.wssapi.WSSException: PKIXCertPathBuilderImpl could not build a valid CertPath.: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (EMAILADDRESS=xxx, CN=xxx, OU=xxx O=xxx, C=xxx) could not be determined.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 WS-Security enabled JAX-WS applications      *
*                 and SAML                                     *
****************************************************************
* PROBLEM DESCRIPTION: CertPathValidatorException may occur    *
*                      when JAX-WS WS-Security validates a     *
*                      SAML token.                             *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this APAR   *
*                                                              *
****************************************************************

When JAX-WS WS-Security validates a SAML token, an error similar to the following may occur:

PKIXCertPathBuilderImpl could not build a valid CertPath.: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject ([email protected], CN=austin.ibm.com, OU=WAS, C=US) could not be determined.

The error will occur when all of the following conditions are met:
1) signatureRequired property is set to true
2) trustAnySigner property is set to false
3) No intermediate certificates are provided using the X509PATH or X509PATH_n properties
4) No CRL files are provided using the CRLPATH or CRLPATH_n properties
5) The certificate is not self-signed
6) There is sufficient information in the trust store for Java security to build a valid certPath for the inbound certificate. This means that there should be a trusted certificate in the trust store for each entity in the inbound certificate's issuer chain.
Problem conclusion
When a certificate is validated using Java security, the default for processing certificate revocation is true. There are certain requirements for processing certificate revocation that many certificates do not meet. If the certificate revocation flag is not turned off and a certificate is processed that does not meet the revocation criteria, a CertPathValidatorException error will occur. If the administrator does not want to do certificate revocation (that is, CRL files were not configured), the certificate revocation flag should be turned off before processing the certificate with Java security.

The JAX-WS WS-Security is changed to ensure that the certificate revocation flag is turned off when appropriate before processing a certificate obtained from a SAML token with Java security.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.29, 8.0.0.6 and 8.5.0.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
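The revocation behaviour described in the problem summary and the problem conclusion, as an added example that is not IBM's or WebSphere's code: a stand-alone Java program that builds the PKIX certificate path for a SAML signer certificate against a trust store and, like the fix, leaves revocation checking enabled only when CRLs were actually configured. The class name, the command-line arguments and the file paths are assumptions; the lists passed for intermediates and CRLs stand in for what the X509PATH/X509PATH_n and CRLPATH/CRLPATH_n properties supply. Run with a trust store that anchors the signer's issuer chain and no CRL, the pre-fix mode typically fails with a CertPathBuilderException whose cause reports that the revocation status could not be determined, while the fixed mode builds the path (the exact message differs between the IBM and OpenJDK PKIX implementations).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class, not part of WebSphere: validates a SAML signer certificate
// with Java security (PKIX) and handles the revocation flag the way the APAR fix does.
public final class SamlSignerCertPathCheck {

    /**
     * @param signerCert      leaf certificate taken from the SAML token
     * @param trustStore      WS-Security trust store holding the issuer chain
     * @param intermediates   what X509PATH / X509PATH_n would supply (may be empty)
     * @param crls            what CRLPATH / CRLPATH_n would supply (may be empty)
     * @param legacyBehaviour true reproduces the pre-fix behaviour: flag left at its default
     */
    public static PKIXCertPathBuilderResult buildPath(X509Certificate signerCert,
                                                      KeyStore trustStore,
                                                      List<X509Certificate> intermediates,
                                                      List<X509CRL> crls,
                                                      boolean legacyBehaviour) throws Exception {
        // The target of the path build is the inbound signer certificate itself.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signerCert);

        // Trust anchors come from the trust store (condition 6 in the problem summary).
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Everything the builder may need beyond the anchors: leaf, intermediates, CRLs.
        List<Object> storeContents = new ArrayList<>();
        storeContents.add(signerCert);
        storeContents.addAll(intermediates);
        storeContents.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));

        // The fix: check revocation only when the administrator configured CRLs.
        // Before the fix the flag stayed at the PKIX default (true), which is what
        // produced the CertPathValidatorException when no CRL was available.
        if (!legacyBehaviour) {
            params.setRevocationEnabled(!crls.isEmpty());
        }

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    // Loads a JKS or PKCS12 trust store from a path chosen by the operator.
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Loads one PEM or DER encoded X.509 certificate.
    public static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Loads one PEM or DER encoded CRL.
    public static X509CRL loadCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    // Usage: java SamlSignerCertPathCheck <truststore> <password> <signer.pem> [crl.pem ...]
    // (argument layout and file paths are assumptions, not values from the APAR)
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate signer = loadCert(args[2]);
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            crls.add(loadCrl(args[i]));
        }
        List<X509Certificate> intermediates = List.of(); // no X509PATH configured

        for (boolean legacy : new boolean[] {true, false}) {
            String mode = legacy ? "pre-fix (revocation default on)" : "fixed (revocation only with CRLs)";
            try {
                PKIXCertPathBuilderResult r = buildPath(signer, trustStore, intermediates, crls, legacy);
                System.out.println(mode + ": path built, anchored at "
                        + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            } catch (CertPathBuilderException e) {
                // With no CRLs and the default flag this is the failure the APAR describes.
                System.out.println(mode + ": FAILED: " + e.getMessage());
            }
        }
    }
}
```

The single line that matters is `params.setRevocationEnabled(!crls.isEmpty())`: turning the flag off is only appropriate when the administrator has chosen not to configure CRLs, so the check is tied to whether CRLs were supplied rather than disabled unconditionally. Where CRLs are configured, the same CollectionCertStore makes them available to the builder so revocation is actually evaluated instead of failing for lack of data.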
Temporary fix
Comments
APAR Information
APAR number
PM78275
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-12-03
Closed date
2012-12-20
Last modified date
2013-01-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
29 October 2021