IBM Support

PI95884: JAX-WS WS-SECURITY CANNOT USE SHA384 OR SHA512 DIGEST ALGORITHMS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • JAX-WS WS-Security needs to be updated to support the SHA384
    and SHA512 digest algorithms.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS web services     *
    ****************************************************************
    * PROBLEM DESCRIPTION: JAX-WS WS-Security cannot process       *
    *                      sha384 or sha512 digests                *
    ****************************************************************
    * RECOMMENDATION:  Install an fix pack that contains this      *
    *                  APAR.                                       *
    ****************************************************************
    The JAX-WS WS-Security runtime uses the digest algorithms
    that correspond to the algorithm suites that are configurable
    in the WS-Security policy.
    There are 16 algorithm suites available to use:
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.
    ibm.websphere.nd.multiplatform.doc/ae/uwbs_wsspsal.html.
    Each of the suites use either the sha1 or sha256 digest
    algorithm.  It is not possible to configure an application to
    emit or consume a digest with the sha384 or sha512 algorithm.
    Since there are use cases that require either the sha384 or
    sha512 digest algorithm, a method should be added to configure
    the digest algorithm.
    

Problem conclusion

  • The JAX-WS WS-Security runtime is updated so that the Digest
    algorithm can be customized in the bindings to be different
    than what is set by the algorithm suite in the WS-Security
    policy.
    
    The following WS-Security custom property is added:
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm
    
    The following values are available:
    
    sha1 for http://www.w3.org/2000/09/xmldsig#sha1
    sha256 for http://www.w3.org/2001/04/xmlenc#sha256
    sha384 for http://www.w3.org/2001/04/xmlenc#sha384
    sha512 for http://www.w3.org/2001/04/xmlenc#sha512
    
    You can configure the
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm custom property
    from either the outbound signing information or inbound
    signing information.  To configure
    com.ibm.ws.wssecurity.dsig.DigestAlgorithm, complete the
    following steps in the admin console:
    
    * Click Services > Service clients or Service providers
    * Click the service_name > binding_name
    * Click WS-Security >  Authentication and protection
    * Under either Request message signature and encryption
    protection or Response message signature and encryption
    protection, click the signature_message_part_reference.
    * Add or update the com.ibm.ws.wssecurity.dsig.DigestAlgorithm
    custom property with one of the values shown above.
    * Click OK
    * Save
    
    You can specify either the short name of the digest algorithm,
    such as sha512, or the full name, such as
    http://www.w3.org/2001/04/xmlenc#sha512.
    However, if you use a full name, it still must be one of the
    four supported algorithms listed above.
    
    The com.ibm.ws.wssecurity.dsig.SignatureAlgorithm custom
    property is also updated so that it can also take the full
    name of its supported algorithms.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.15 and 9.0.0.9.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI95884

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-28

  • Closed date

    2018-06-08

  • Last modified date

    2018-06-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI95884

Modified date: 08 June 2018


Translate this page: