PK80478: Using custom LTPA tokens with JAX-WS WS-Security fails with the message CWWSS5371E

Fixes are available

PM06566; 6.1.0.29: The WS-Security runtime is experiencing processing problems w
PM13008; 6.1.0.31: JAX-WS WS-Security does not allow a trust store to reload

APAR status

Closed as program error.

Error description

Custom tokens don't currently work with JAX-WS WS-Security.

When trying to generate or consume a custom Security token from
JAX-WS there are several SoapSecurityException errors
that occur. For example:

Exception = com.ibm.wsspi.wssecurity.core.SoapSecurityException
Source =
com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke
probeid = %C
Stack Dump =
com.ibm.wsspi.wssecurity.core.SoapSecurityException:
CWWSS5371E: The token consumer/generator configuration has a
null class
instance. The current token consumer/generator configuration
string
representation is
com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig$TokenConsum
erConfIm
pl(className=[es.itecban.security.ItecbanConsumer],
type=[{http://www.cm.es}TokenCas],
jaasConfig=[application.itecban.ItecbanToken],
jaasConfigProperties=[{}],
callbackHandler=[com.ibm.ws.wssecurity.confimpl.PrivateCommonCon
fig$Call
backHandlerConfImpl(className=[es.itecban.security.ItecbanHandle
r],
keyStore=[null], keyInformation=[null],
trustAnyCertificate=[false],
provider=[null], pkixBuilderParams=[null], userId=[null],
userPassword=[XXXXXXXX], properties=[{}])],
usedForVerification=[false],
usedForDecryption=[false],
properties=[{com.ibm.wsspi.wssecurity.core.NonceClockSkew=0,
com.ibm.wsspi.wssecurity.core.NonceMaxAge=300000}]).
 at
com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapS
ecurityE
xception.java:77)
 at
com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig$TokenConsum
erConfIm
pl.validate(PrivateConsumerConfig.java:1384)
 at
com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig.validate(Pr
ivateCon
sumerConfig.java:876)
 at
com.ibm.ws.wssecurity.handler.PolicyInboundConfig.init(PolicyInb
oundConf
ig.java:2556)
 at
com.ibm.ws.wssecurity.handler.PolicyInboundConfig.<init>(PolicyI
nboundCo
nfig.java:223)
 at
com.ibm.ws.wssecurity.handler.WSSecurityBindingLoaderImpl.loadCu
stom(WSS
ecurityBindingLoaderImpl.java:369)

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  WebSphere Application Server Feature        *
*                  Pack for Web Services users of              *
*                  WS-Security enabled JAX-WS applications     *
*                  that want to use custom tokens              *
****************************************************************
* PROBLEM DESCRIPTION: If WS-Security for a JAX-WS             *
*                      application is configured to use a      *
*                      custom token, the token won't be        *
*                      emitted                                 *
****************************************************************
* RECOMMENDATION:  Apply a fix pack that contains this APAR    *
****************************************************************
If WS-Security for a JAX-WS application is configured to use a
custom token for any operation, the token won't be emitted or
consumed.  If a custom token generator or consumer is invoked,
a java.lang.NoClassDefFoundError error similar to the following
will occur:

Exception: javax.xml.ws.WebServiceException:
java.security.PrivilegedActionException:
com.ibm.wsspi.wssecurity.core.SoapSecurityException:
security.wssecurity.WSSContextImpl.s02:
com.ibm.websphere.security.WSSecurityException: Exception
org.apache.axis2.AxisFault: CWWSS6521E: The Login failed
because of an exception:
javax.security.auth.login.LoginException:
java.lang.NoClassDefFoundError:
com.ibm.wsspi.wssecurity.wssapi.OMStructure at
java.lang.ClassLoader.defineClassImpl(Native Method) at
...

Problem conclusion

The WS-Security code for JAX-WS applications was updated to
allow custom tokens to be emitted or consumed as configured.

Custom token generators and consumers that were built for use
with WS-Security for JAX-RPC applications cannot be used with
WS-Security for JAX-WS applications.

This problem is fixed in WebSphere Application Server v7 by
PK92003.

The fix for this APAR is currently targeted for inclusion in
fixpack 6.1.0.29.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK80478
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-02-11
Closed date
2009-06-30
Last modified date
2009-09-30

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK92003

Fix information

Fixed component name
WEBSERVIC FEATU
Fixed component ID
5724J0850

Applicable component levels

R610 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
25 October 2021

Tips

PK80478: Using custom LTPA tokens with JAX-WS WS-Security fails with the message CWWSS5371E

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY

Document Information

Share your feedback

Need support?