IBM Support

PM86382: USING RSA AUTHENTICATION WITH HW CRYPTO FAILS WITH JAVAX.CRYPTO.BADPADDINGEXCEPTION

Fixes are available

8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When Hardware Crypto is used with administrative authentication
    set to RSA (which is the default in Base Appserver environment
    only) administrative tasks such as app deployments etc., fail.
    
    The Log shows a message like this:
    
    Trace: 2013/02/14 18:32:12.221 01 t=AAF108 c=UNK key=S2
    (13007002)
       ThreadId: 0000001e
       FunctionName:
    com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
       SourceId:
    com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
       Category: SEVERE
       ExtendedMessage: BBOO0220E: JSAS0803E:  The received admin
    RSA token failed validation.  The exception message is: The
    signature of the rsa token was not verified.
    
    
    The respective ffdc log entry is:
    
    extracell_extranode_WebSphere_Portal_W64IP11_STC05256_0000068800
    000004_c380c38_13.02.14_18.32.11.9104745420026184471791.txt
    [2/14/13 18:32:11:910 CET]     FFDC
    Exception:javax.crypto.BadPaddingException
    SourceId:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.a
    esDecryptBytes ProbeId:919
    Reporter:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken@1
    df11df1
    javax.crypto.BadPaddingException: Given final block not
    properly padded
     at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown
    Source)
     at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown
    Source)
     at javax.crypto.Cipher.doFinal(Unknown Source)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesDecrypt
    Bytes(RSAPropagationToken.java:952)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.decryptAnd
    VerifyRSAToken(RSAPropagationToken.java:719)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readRSAPro
    pagationTokenV1Bytes(RSAPropagationToken.java:387)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readBytes(
    RSAPropagationToken.java:298)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.<init>(RSA
    PropagationToken.java:116)
     at
    com.ibm.ws.security.auth.rsatoken.RSAPropagationManager.validate
    RSAPropagationToken(RSAPropagationManager.java:296)
     at
    com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
    RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
    ava:342)
     at
    com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
    RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
    ava:246)
     at
    com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
    RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
    ava:238)
     at
    com.ibm.ws.management.connector.soap.SOAPConnector.tokenBasedAut
    h(SOAPConnector.java:584)
     at
    com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPC
    onnector.java:216)
     at
    com.ibm.ws.management.connector.soap.SOAPConnection.handleReques
    t(SOAPConnection.java:65)
     at
    com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnecti
    on.java:733)
     at
    com.ibm.ws.http.HttpConnection.run(HttpConnection.java:522)
     at
    com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)
    

Local fix

  • Use LTPA instead of RSA
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V7.0, V8.0 and V8.5                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: RSA tokens fail to be                   *
    *                      decrypted/encrypted when using some     *
    *                      Hardware Crypto cards.                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Some hardware crypto cards are not
    compatible with the RSA software keys.
    resulting in "The signature of the rsa
    token was not verified."
    

Problem conclusion

  • Security Custom Property
    com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA has
    been added to utilize the default software JCE provider,
    instead of IBMJCECCA if set to "true".
    
    APAR PM86382 requires changes to documentation.
    
    NOTE: Periodically, we refresh the documentation on our Web
    site, so the changes might have been made before you read this
    text. To access the latest on-line documentation, go to the
    product library page at:
    
    http://www.ibm.com/software/webservers/appserv/library
    
    The following changes to the WebSphere Application Server
    Version 7.0 Information Center will be made available in
    December, 2013.
    
    Topic "Security custom properties" will be updated to include
    the description of the following custom property:
    
    com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
    
    Use the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
    custom property to force RSA token validation to be done in
    software.
    
    Some hardware crypto cards are not compatible with the RSA
    tokens. If you receive the message "The signature of the rsa
    token was not verified", you might need to use the LTPA
    authentication mechanism instead of RSA tokens for security
    validation. To change your security validation settings, in
    the administrative console:
    
    - Click Global security > Administrative authentication", and
    unselect "RSA token".
    - Select "Only use the active application authentication
    mechanism".
    - Add the
    com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom
    property to your security settings and set it to "true".
    
    When this property is set to "true", the default software JCE
    provider, instead of IBMJCECCA, is used for security
    validation.
    
    Default:    false
    
    APAR PM86382 is currently targeted for inclusion in WebSphere
    Application Server Fix Packs 7.0.0.31, 8.0.0.8, and 8.5.5.2
    of WebSphere Application Server.
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM86382

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-04-04

  • Closed date

    2013-07-30

  • Last modified date

    2014-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R700 PSY UI13725

       UP14/01/11 P F401

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 7.0

Reference #: PM86382

Modified date: 05 February 2014