IBM Support

PM87246: SSL connection fails when encoded password is set as AdminClient property programatically.

Fixes are available

8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.5.5.1: WebSphere Application Server V8.5.5 Fix Pack 1
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • If a client has SSL keyStore and trustStore passwords in plain
    text, the SSL connection from the JMX client to server works
    fine. However, if they have the SSL keyStore and trustStore
    passwords in an encrypted format, then the same connection
    fails.
    
    Example of working case:
    p.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
    p.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
    
    Example of failing case:
    p.setProperty("javax.net.ssl.trustStorePassword",
    "{xor}CDo9xyz=");
    p.setProperty("javax.net.ssl.keyStorePassword",
    "{xor}CDo9xyz=");
    

Local fix

  • Specify passwords in plain text until the fix is available.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server AdminClient.                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: SSL connection fails when encoded       *
    *                      password is set as AdminClient          *
    *                      property programatically.               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If a multi-threaded Java application makes a call to security
    enabled WebSphere Application Server using AdminClientFactory
    APIs, and AdminClient is created by passing encoded
    javax.net.ssl.keyStorePassword and
    javax.net.ssl.trustStorePassword properties, the SSL connction
    will fail. For example:
    p.setProperty("com.ibm.ssl.trustStorePassword",
    "{xor}CDo9Hgw=");
    p.setProperty("com.ibm.ssl.keyStorePassword", "{xor}CDo9Hgw=");
    When such properties are plain text, or encoded values are set
    in client.ssl.props, the SSL connection will succeed.
    

Problem conclusion

  • Code changes have been made to decode the values before setting
    appropriate system properties.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.31, 8.0.0.7, and 8.5.5.1.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM87246

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-04-17

  • Closed date

    2013-05-21

  • Last modified date

    2013-05-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM87246

Modified date: 21 May 2013