IBM Support

PI38151: THROW EXCEPTION IF RECEIVE UNSUPPORTED KEYINFO IN SAML

Fixes are available

7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.21: WebSphere Application Server V8.5.5.21


APAR status

  • Closed as program error.

Error description

  • Although the main WS-Security runtime supports many KeyInfo
    types in a signature, the SAML runtime supports only a subset.
    A usable exception should be thrown when a KeyInfo is received
    that is not supported.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of WS-Security enabled web   *
    *                  services applications and SAML              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A usable error should be emitted when   *
    *                      a KeyInfo that is not valid is in a     *
    *                      SAML assertion                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The SAML runtime processes SAML assertions for both
    WS-Security and SAML Web Single Sign-On (SSO).  When the SAML
    runtime encounters a KeyInfo in the assertion that it cannot
    process, a message similar to the following may be emitted.
    [7/29/15 14:18:23:629 CDT] 00000020 WebAuthentica E
    SECJ0126E: Trust Association failed during validation. The
    exception is
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    security.wssecurity.WSEC7074E
    This error is not helpful for determining the cause of the
    failure.  More information is required.
    

Problem conclusion

  • The SAML runtime is updated to issue more useful errors when
    it cannot process a KeyInfo element.  The new messages follow
    the CWWSS7074E message, whose key
    (security.wssecurity.WSEC7074E) is now properly resolved to its
    text instead of being emitted raw, as in the log above.
    
    CWWSS7074E: The key is not retrieved. The exception is:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    
    CWSML7025E: The [{0}] sub-element of the KeyInfo element in
    the Security Assertion Markup Language (SAML) assertion is not
    supported.  The supported elements are [X509Data, KeyName,
    KeyValue].
    
    CWSML7026E: The [{0}] sub-element of the X509Data element in
    the Security Assertion Markup Language (SAML) assertion is not
    supported.  The supported elements are [X509Certificate,
    X509IssuerSerial, X509SubjectName, X509SKI].
    
    CWSML7027E: The SecurityTokenReference element in the KeyInfo
    element in the Security Assertion Markup Language (SAML)
    assertion contains a sub-element that is not supported: [{0}].
    The supported sub-elements are [X509Data, KeyName, KeyValue].
    
    CWSML7028E: The evaluated value for the KeyInfo element in the
    Security Assertion Markup Language (SAML) assertion does not
    match the key defined in the SAML configuration: [{0}].
    
    CWSML7029E: An X.509 certificate was not obtained from the
    KeyInfo element in the Security Assertion Markup Language
    (SAML) assertion, so trust cannot be evaluated.  Either use a
    KeyInfo method that yields a usable X.509 certificate or turn
    off trust validation.  The supported methods are [X509Data,
    KeyName].
    
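The supported sets in the message texts above are enough to pre-check an assertion before it reaches the runtime, which is useful when a partner's identity provider starts failing with CWWSS7074E after this fix and you want to know which KeyInfo form it is sending. The following is an added example, not IBM code and not part of this APAR: a small Python checker that walks every ds:KeyInfo in an assertion (the Signature's and any holder-of-key SubjectConfirmationData's) and reports findings using the CWSML message IDs above. It assumes the decision order shown (unsupported sub-element first, then the CWSML7029E trust check), which the page does not document; the function names, the sample assertions and the BASE64CERT placeholder are constructed for the example.

```python
"""Pre-flight check of ds:KeyInfo elements in a SAML assertion against the
KeyInfo forms the WebSphere SAML runtime supports, as described by APAR
PI38151.  Added example, not IBM code; helper names and the evaluation
order are assumptions, the supported sets come from the message texts."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Supported sets, taken from the CWSML7025E / 7026E / 7027E / 7029E texts.
SUPPORTED_KEYINFO = {"X509Data", "KeyName", "KeyValue"}
SUPPORTED_X509DATA = {"X509Certificate", "X509IssuerSerial",
                      "X509SubjectName", "X509SKI"}
TRUST_CAPABLE = {"X509Data", "KeyName"}   # CWSML7029E: only these yield a cert


def local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{uri}X509Data'."""
    return tag.rsplit("}", 1)[-1]


def check_x509data(x509data):
    """CWSML7026E: every child of X509Data must be one of the supported forms."""
    return [("CWSML7026E", local_name(c.tag)) for c in x509data
            if local_name(c.tag) not in SUPPORTED_X509DATA]


def check_keyinfo(keyinfo, trust_validation=True):
    """Return (message_id, offending_element) findings for one ds:KeyInfo.
    An empty list means the runtime, as the APAR describes it, should accept it."""
    findings = []
    for child in keyinfo:
        name = local_name(child.tag)
        if name == "SecurityTokenReference":
            # wsse:SecurityTokenReference is accepted as a wrapper; its
            # children are held to the same supported set (CWSML7027E).
            for sub in child:
                sub_name = local_name(sub.tag)
                if sub_name not in SUPPORTED_KEYINFO:
                    findings.append(("CWSML7027E", sub_name))
                elif sub_name == "X509Data":
                    findings.extend(check_x509data(sub))
        elif name not in SUPPORTED_KEYINFO:
            findings.append(("CWSML7025E", name))
        elif name == "X509Data":
            findings.extend(check_x509data(child))
    if trust_validation and not findings:
        # CWSML7029E: trust evaluation needs an X.509 certificate, which only
        # X509Data or KeyName can yield; a bare KeyValue is not enough.
        present = {local_name(c.tag) for c in keyinfo.iter()}
        if not present & TRUST_CAPABLE:
            findings.append(("CWSML7029E", "KeyInfo"))
    return findings


def check_assertion(xml_text, trust_validation=True):
    """Check every ds:KeyInfo in an assertion and return the combined findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for keyinfo in root.iter(DS + "KeyInfo"):
        findings.extend(check_keyinfo(keyinfo, trust_validation))
    return findings


def _assertion(keyinfo_body):
    """Constructed SAML 2.0 assertion skeleton; no real signature values."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-wssecurity-secext-1.0.xsd">'
        '<ds:Signature><ds:KeyInfo>' + keyinfo_body + '</ds:KeyInfo></ds:Signature>'
        '</saml:Assertion>'
    )


# Constructed samples: one accepted form and one trigger for each message.
SAMPLES = {
    "cert": _assertion('<ds:X509Data><ds:X509Certificate>BASE64CERT'
                       '</ds:X509Certificate></ds:X509Data>'),
    "keyvalue_only": _assertion('<ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue>'),
    "crl": _assertion('<ds:X509Data><ds:X509CRL>BASE64CRL</ds:X509CRL></ds:X509Data>'),
    "retrieval": _assertion('<ds:RetrievalMethod URI="#k1"/>'),
    "str_keyid": _assertion('<wsse:SecurityTokenReference><wsse:KeyIdentifier>'
                            'abc</wsse:KeyIdentifier></wsse:SecurityTokenReference>'),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, check_assertion(xml_text) or "OK")
```

Run it against the assertion captured from the failing exchange (with trust_validation set to match the consumer's configuration). Note that the "turn off trust validation" option in CWSML7029E means the signer's certificate is no longer checked against the configured trust, so the right fix on the issuing side is to send X509Data or a KeyName that resolves to a certificate, not to relax the check.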
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.12, and 8.5.5.8.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC, SAMLWSSO, SAMLWSSEC
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI38151

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-04-01

  • Closed date

    2015-08-17

  • Last modified date

    2015-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
28 April 2022