Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

Flash (Alert)


Abstract

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. On distributed platforms this file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.

Content

CVE-2012-2162
If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store's password, then you must change the plug-in key store's password, which removes the pending password expiration, to avoid a security exposure. Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system.

In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

AM I IMPACTED?
You will need to read through the solution sections of this flash to come to that determination.

Versions affected:
All versions of WebSphere Application Server for Distributed, IBM i, and z/OS operating systems (e.g., Version 8.0 and earlier) have the potential to be affected.
Note: Versions 6.0 and earlier are no longer in service. The purchase of a support extension might be required, if additional assistance is needed, unless you are otherwise entitled to support.

Problem Description:

The following describes the mode of failure that occurs after the plug-in's key store password expiration date. It ONLY applies to users with affected web servers who have NOT taken the prescribed action.

The WebSphere Application Server web server plug-in (web server plug-in) comes with a plugin-key.kdb file upon installation. The default password of WebAS is set to expire by April 26, 2012 US EDT.
After the password expiration date passes, the next time the web server running the web server plug-in is restarted, or the next time the plugin-cfg.xml is modified, the HTTPS (SSL) connectivity between the web server plug-in and the WebSphere Application Server might fail or revert to a non-SSL function and will not be encrypted.

This has no effect on the connection between the client (browser) and the web server, which does not use the plugin-key.kdb for its certificate exchange. Only connections between the web server plug-in and the WebSphere Application Server will have the problem. For systems that use this file for their web server security, corrective action will need to be taken as outlined in this Flash.

In some less common configurations, in which HTTP transports have been explicitly disabled, blocked, or removed, the web server plug-in will fail to forward the incoming requests and will return an immediate error (HTTP 500 -- Internal Server Error).

Distributed (AIX, HP, Solaris, Linux, Windows):

This section describes how to correct the expiring password problem. Prior to taking any steps, you should back up all plugin-key.* files. Make a note of the Owner and Permissions of these files as you may need to adjust the resulting fixed files depending on the ID used.

The .kdb files can be found in either the [Plugin_home]/etc or the [Plugin_home]/config/{webservername} directory. It is important to also update the [Plugin_home]/etc copy, because that is the one copied to a web server during the plug-in configuration process.

For IBM HTTP Server Versions 7.0 and 8.0, to determine if the password being used on your system expires on April 26, 2012, launch the HTTP Server iKeyman, and load the plugin-key.kdb file from one of the locations mentioned above.

From the "Key Database File" menu, select "Display Password Expiry".



The resulting pop-up will state that the password never expires, or will specify the specific date on which the password expires.



If the password expires on April 26, 2012, select "Change Password" from the "Key Database File" menu. In the Password Prompt pop-up, specify the same password or a new password, and select Expiration time if you want the password to expire after a specific number of days. If you do not select Expiration time, the password never expires.

You MUST also select "Stash password to a file" before you click OK. This setting is critical for the plug-in binary to be able to use the kdb file.



=========================================================
For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to determine if the password being used on your system expires on April 26, 2012. This command is located in your [gsk_root]/bin directory.

gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS

The resulting output indicates the expiration date for the password: For example, the following output indicates that the password expires on April 26, 2012 at 11:20:31 AM EDT:

Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time

Issue a gsk7 command, similar to the following command, to change the password that is expiring:

gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin-key.kdb

If you want the new password to expire after a specific number of days, add -expire to the gsk7capicmd command line and specify the number of days for which you want the new password to be valid.

Note 1: -expiry and -expire have been supported since 7.0.3.27 on all platforms.

-expiry will show an error if it is used where not supported (for example, a 203 error), but -expire will be ignored with no error reported. This may make it appear to be supported when it is not. To avoid any issues, verify your version and upgrade if necessary to the latest Gskit 7.0.4.x version.


Note 2: Leaving the -expire param off when using Gskit 7.0.4 will result in a password that never expires.

Note 3: Gskit Versions 7.0.3.9 and earlier do not recognize the -new_pw parameter. Instead, you will be prompted for the new password and then asked to confirm the new password.

Note 4: Some customers using Windows get the following prompt when attempting the gsk7capicmd command.

The solution is to locate this file within your Gskit home and update your Environment Variables Path to include the location of this dll. You can also temporarily set the additional path information within an instance of the command prompt, prior to issuing any gsk7capicmd, by executing a command like the following:

SET PATH=%PATH%;C:\[ your_Gskit_Home]\BIN;C:\[ your_Gskit_Home]\LIB
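The Distributed procedure above is manual: run gsk7capicmd -keydb -expiry on each copy of plugin-key.kdb, read the Validity line, and change the password with -stash. The following added example (not IBM's code and not part of this Flash) interprets that Validity output as the Flash describes it, locates both kdb locations the Flash names under an assumed [Plugin_home], and builds the change-password argument list so that -stash is never forgotten and -expire is only passed when an expiry is wanted; the sample output strings are constructed.

```python
# Added example, not part of the IBM Flash: interpret the output of
# "gsk7capicmd -keydb -expiry" as shown above and locate the kdb copies
# the Flash says to check. The "Validity:" line formats are the ones the
# Flash quotes; the sample outputs in the test are constructed.
import glob
import os
import re
from datetime import date, datetime

# Expiry date of the shipped default password, as stated in the Flash.
DEFAULT_EXPIRY = date(2012, 4, 26)

# Matches e.g. "Validity: Thursday, 26 April 2012 11:20:31 AM Eastern
# Daylight Time"; the trailing zone name is not parsed.
_VALIDITY_RE = re.compile(
    r"Validity:\s*(\w+, \d{1,2} \w+ \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")


def parse_validity(output):
    """Return the password expiry as a datetime, or None when the output
    says "Validity: 0" (password never expires)."""
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"Validity:\s*0", line):
            return None
        m = _VALIDITY_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%A, %d %B %Y %I:%M:%S %p")
    raise ValueError("no Validity line found in gsk7capicmd output")


def has_default_expiry(output):
    """True when this key store still carries the shipped April 26, 2012
    expiry and therefore needs its password changed."""
    expiry = parse_validity(output)
    return expiry is not None and expiry.date() == DEFAULT_EXPIRY


def find_kdb_files(plugin_home):
    """Both locations named in the Flash: [Plugin_home]/etc (the copy
    used for new web server configurations) and config/{webserver}."""
    patterns = [os.path.join(plugin_home, "etc", "plugin-key.kdb"),
                os.path.join(plugin_home, "config", "*", "plugin-key.kdb")]
    return sorted(p for pat in patterns for p in glob.glob(pat))


def changepw_command(db, old_pw, new_pw, expire_days=None):
    """Build the gsk7capicmd argument list for the password change.
    -stash is always passed because the plug-in reads the stash file;
    -expire is only added when an expiry is wanted (Note 2: omitting it
    on Gskit 7.0.4 gives a password that never expires)."""
    if new_pw == old_pw:
        # Per the FAQ, gsk7capicmd will not accept the existing password again.
        raise ValueError("new password must differ from the current one")
    cmd = ["gsk7capicmd", "-keydb", "-changepw", "-db", db,
           "-pw", old_pw, "-new_pw", new_pw, "-stash"]
    if expire_days is not None:
        cmd += ["-expire", str(expire_days)]
    return cmd
```

Run changepw_command's output with subprocess only after backing up the plugin-key.* files as the section above instructs, and restart the web server afterwards so it reloads the kdb.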

z/OS:

Prior to taking any steps, you should back up all plugin-key.* files. Make a note of the Owner and Permissions of these files as you may need to adjust the resulting fixed files depending on the ID used.

To display the expiration date with the gskkyman utility, issue a command similar to the following command:
gskkyman -dk -k plugin-key.kdb

To fix the expiration date, you must complete the following steps, which include changing the password:
  1. Navigate to the location of the plugin-key.kdb file.
  2. Enter gskkyman.
  3. From the menu provided, choose option "3 - Change database password".
  4. Prompt: "Enter key database name (press ENTER to return to menu):" (Enter plugin-key.kdb).
  5. Prompt: "Enter database password (press ENTER to return to menu):" (Enter WebAS).
  6. Prompt: "Enter new database password (press ENTER to return to menu):" (Enter your new password).
  7. Prompt: "Re-enter database password:" (Re-enter the password).
  8. Prompt: "Enter password expiration in days (press ENTER for no expiration):" (decide if you want this password to expire).

After the password is set, use the following command to stash the new password to a file for the plugin to utilize the updated kdb file.

gskkyman -s -k plugin-key.kdb

IBM i:

Use of an IBM i user profile with *ALLOBJ and *SECADM special authorities is required for the steps below.

For IBM i, how do I determine whether my HTTP servers are configured to use the plugin-key.kdb file with the expiring password?

- For IBM i, HTTP servers configured with versions 5.0, 5.1 or 6.0 of the Application Server may be affected.

- HTTP servers configured with WebSphere Application Server V6.1 and later may also be affected, but ONLY if WebSphere Application Server Plugins product option is installed. Use GO LICPGM, option 10 to check for product option 7 of 5733W61, 5733W70, or 5733W80.

If one or more of these products are installed then follow the steps below to determine whether your HTTP servers are affected.
  1. On your IBM i that hosts the HTTP servers, use the "IBM Web Administration for i" to display the configuration file for each HTTP server.
  2. Look for a WebSpherePluginConfig directive in the HTTP server configuration file. For example:

    WebSpherePluginConfig /QIBM/UserData/WebSphere/AppServer/V6/ND/profiles/profile1/config/cells/my_cell/nodes/my_managednode/servers/webserver1/plugin-cfg.xml

    If you do not see a WebSpherePluginConfig directive in the HTTP server configuration file, then this HTTP server is not affected and you should return to step 1 to check any remaining HTTP servers. Otherwise, continue with the next step.

  3. Open the <path>/plugin-cfg.xml file and look for https transports. If you see one with
    Protocol="https", then the following line will show you what keyfile you are currently using. For example:

    <Transport Hostname="MYHOST.IBM.COM" Port="10002" Protocol="https">
    <Property Name="keyring" Value="/QIBM/UserData/WebSphere/AppServer/V6/ND/profiles/httpsvr/etc/plugin-key.kdb"/>
    <Property Name="stashfile" Value="/QIBM/UserData/WebSphere/AppServer/V6/ND/profiles/httpsvr/etc/plugin-key.sth"/>
    </Transport>

    This HTTP server is not affected if the keyfile name is not "plugin-key.kdb". If this HTTP server is not affected, then return to step 1 to check any remaining HTTP servers. Otherwise, continue with the next step.

    NOTE: In most cases the plugin-key.sth file will not exist in the file system, even though it is referenced as in the example above. IBM i has a unique method to stash passwords for certificate stores. When the plug-in is initially configured for SSL the .sth file will exist. On initial startup, the APIs used on IBM i will cache the password and then delete the .sth file. On subsequent startups the password is found in the IBM i password cache.

  4. Check to see if the referenced plugin-key.kdb file exists in IFS. If the plugin-key.kdb file does not exist, then the https transport is not operational and this HTTP server is not affected by the expiring password problem. If the HTTP server is not affected, then return to step 1 to check any remaining HTTP servers. Otherwise, continue with the next step.

    Note: The web server plug-in automatically uses the http transport when the https transport is not operational.
  5. The HTTP server is probably affected if configured to use Application Server V6.0 or earlier and might be affected if configured to use a later version of the Application Server. In the left hand navigation panel of the same "Web Administration for i" page that you used to display the HTTP configuration file, click "WebSphere Application Server" and observe the version of the Application Server that the HTTP server is configured to use.
    Record the name of the HTTP server, the value of the keyring property (the full path name for the plugin-key.kdb file) and the version of the Application Server that is used, then return to step 1 to check any remaining HTTP servers. Once you've checked all HTTP servers, continue with " For IBM i, how do I prevent the expiring password from affecting HTTP servers that are configured to use the plugin-key.kdb file?"
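Steps 3 and 4 above (find the https transports in plugin-cfg.xml, read the keyring Property, and check whether the file exists) can be scripted. The following added example is not IBM's code and not part of this Flash; it parses a plugin-cfg.xml and applies the Flash's decision for each https transport. SAMPLE_PLUGIN_CFG is a constructed, trimmed configuration modelled on the fragment shown above, and the exists parameter is an assumption of this example so the logic can be exercised without access to the IFS.

```python
# Added example, not part of the IBM Flash: automates steps 3 and 4 of
# the IBM i check above for one plugin-cfg.xml. It lists the https
# transports, the keyring each references, and applies the Flash's
# decision for that transport. SAMPLE_PLUGIN_CFG is constructed for this
# example from the fragment shown above.
import os
import xml.etree.ElementTree as ET

DEFAULT_KEYRING = "plugin-key.kdb"

SAMPLE_PLUGIN_CFG = """<Config>
  <ServerCluster Name="cluster1">
    <Server Name="server1">
      <Transport Hostname="MYHOST.IBM.COM" Port="10001" Protocol="http"/>
      <Transport Hostname="MYHOST.IBM.COM" Port="10002" Protocol="https">
        <Property Name="keyring"
                  Value="/QIBM/UserData/WebSphere/AppServer/V6/ND/profiles/httpsvr/etc/plugin-key.kdb"/>
        <Property Name="stashfile"
                  Value="/QIBM/UserData/WebSphere/AppServer/V6/ND/profiles/httpsvr/etc/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""


def https_transports(xml_text):
    """Return (hostname, port, keyring) for every Transport whose
    Protocol is https; keyring is None if no keyring Property exists."""
    found = []
    for t in ET.fromstring(xml_text).iter("Transport"):
        if (t.get("Protocol") or "").lower() != "https":
            continue
        keyring = None
        for prop in t.findall("Property"):
            if prop.get("Name") == "keyring":
                keyring = prop.get("Value")
        found.append((t.get("Hostname"), t.get("Port"), keyring))
    return found


def classify(keyring, exists=os.path.exists):
    """Decision from steps 3 and 4 of the Flash for one https transport:
      not_affected     keyfile name is not plugin-key.kdb
      not_operational  file is missing, so the plug-in falls back to http
      check_password   shipped name and file present: confirm with DCM
                       (does it open with the default password?)
    'exists' is injectable (an assumption of this example) so the logic
    can be tested without the IFS."""
    if keyring is None or os.path.basename(keyring) != DEFAULT_KEYRING:
        return "not_affected"
    if not exists(keyring):
        return "not_operational"
    return "check_password"


def audit(xml_text, exists=os.path.exists):
    """One (hostname, port, keyring, verdict) tuple per https transport."""
    return [(host, port, keyring, classify(keyring, exists))
            for host, port, keyring in https_transports(xml_text)]
```

A check_password verdict is not yet a confirmed problem: step 5 and the DCM steps that follow decide it, because V6.1 and later create a per-web-server plugin-key.kdb that may already have a non-default password.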


For IBM i, how do I prevent the expiring password from affecting HTTP servers that are configured to use the plugin-key.kdb file?

Note: It would be rare for a web server plug-in configuration to use the shipped keystore file after Application Server V6.0 on IBM i. With Application Server 6.1 and later, a default plugin-key.kdb file is created with each new web server configuration. However, for Application Server 6.1 and later, the recommendation is to either check the password expiration dates using iKeyman (see below for information about obtaining iKeyman) or change the passwords on all of the plugin-key.kdb files that can be opened using the default password (WebAS) as described next.

For each HTTP server that is configured with a keyring file named "plugin-key.kdb", use the Digital Certificate Manager (DCM) to change the password when needed as described below:
If you are running on IBM i 5.4, complete the following steps:
  1. Start the HTTP Admin server if it is not already running:
    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
  2. In the browser, enter the following:
    machine:2001 (enter credentials)
  3. Click Digital Certificate Manager.
  4. Click Select a certificate store.
  5. Select Other system certificate store, and then click Continue.
  6. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  7. Enter "WebAS" in the Certificate store password: field and click Continue.
  8. If DCM successfully opened the plugin-key.kdb file, then your web server is affected by the problem described in this flash and you must continue to the next step. Otherwise, this HTTP server is not affected.
  9. On the left hand panel, click to open Manage Certificate Store and then click Change password.
  10. Enter the new password, confirm the new password, and then take the default options:
    - Automatic login
    - Password does not expire
  11. Click Continue. The operation is successful if you see the message "Certificate store password has been changed."

If you are running on IBM i 6.1 or i 7.1, complete the following steps:
  1. Start the HTTP Admin server if it is not already running:
    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
  2. In the browser, enter the following:
    machine:2001 (enter credentials)
  3. Expand IBM i management and click Internet Configurations.
  4. Click Digital Certificate Manager.
  5. Click Select a certificate store.
  6. Select Other System Certificate Store, and then click Continue.
  7. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  8. Enter "WebAS" in the Certificate store password: field and click Continue.
  9. If DCM successfully opened the plugin-key.kdb file, then your web server is affected by the problem described in this flash and you must continue to the next step. Otherwise, this HTTP server is not affected.
  10. On the left hand panel, click to open Manage Certificate Store and then click Change password.
  11. Enter the new password, confirm the new password, and then take the default options:
    - Automatic login
    - Password does not expire
  12. Click Continue. The operation is successful if you see the message "Certificate store password has been changed."


For Application Server V6.1 and later, after changing the password with DCM, you must also change the password of the CMSKeyStore in the associated web server definition. Otherwise, when the key store is copied from the web server definition to the plug-in location, the password cached via DCM won’t match the password of the updated copy of the keyring file. As a result, the https transport will not be operational and the HTTP server may fail to start.
Use the WebSphere Integrated Solutions Console to change the password of the CMSKeyStore. For example, if the web server definition name is MY_WEB_SERVER:
    1. Navigate to the Manage endpoint security configurations panel via Security > SSL certificate and key management > Manage endpoint security configurations
    2. In the topology tree for Inbound configurations, navigate to MY_WEB_SERVER and then click on MY_WEB_SERVER.
    3. Click Key stores and certificates
    4. For Application Server 6.1, click the CMSKeyStore name. For Application Server 7.0 and later, select the CMSKeyStore row and then click the Change password button.
    5. Enter the new password in the Change password and Confirm password fields
    6. Click OK

For IBM i, how do I ensure new web server plug-in configurations will not be affected by the expiring/expired password problem in the future?

For IBM i, new web server plug-in configurations can only be affected if WebSphere Application Server (V5.0, V5.1, V6.0) or WebSphere Application Server Plugins (V6.1 or later) is installed. If one or more of these products is installed then follow the steps below to ensure new web server plug-in configurations will not be affected.

In the following section, a tool called iKeyman is used. The tool is included in the "IBM i Access for Windows" product which must be installed on your Windows workstation. Note that the iKeyman tool included in "IBM i Access for Windows" prior to V7R1 does not provide password expiration checking. However, you don't need password expiration checking to complete the steps below.

Also, since the iKeyman tool resides on your Windows workstation, you'll need to map a drive to access the plugin-key files described in the following steps or copy them to and from your workstation to operate on them. To launch the tool choose: Start -> Programs -> IBM i Access for Windows -> IBM Key Management
  1. Since the iKeyman tool resides on your Windows workstation, map a drive to access the plugin-key files in the folders referenced below (recommended method) or copy all of them to your workstation. Prior to taking any steps, you should back up all plugin-key.* files before operating on them. Make a note of the Owner and Permissions of these files as you may need to restore these attributes after modifying the files.

  2. Determine if you have both a plugin-key.kdb and a plugin-key.sth file in <plugin_install_root>/etc
    (i.e. /QIBM/ProdData/WebSphere/Plugins/<version>/webserver/etc) or in
    <was_install_root>/etc (i.e. /QIBM/ProdData/WebSphere/AppServer/V6/<edition>/etc). If you do not have a plugin-key.sth file then skip this step for that directory. If you do have both files, use iKeyman to change the password to a temporary value and then back to WebAS (see the example for Distributed Operating Systems, above).
    1. Do not select the Expiration time check box
    2. Do select the Stash password to a file check box
    3. If you did not map a drive, copy all of the plugin-key files back to the <was_install_root>/etc folder or the <plugin_install_root>/etc folder and use the "chown" and "chmod" commands from QShell to change the owner and file permissions back to their original values after copying them back to IBM i.

  3. Repeat the above steps for all Application Server profiles (or instances for V5.0 and V5.1). For Application Server V6.0, the plugin-key files will be in folder /QIBM/UserData/WebSphere/AppServer/V6/<edition>/profiles/<profile_name>/etc.

FAQs:
  • Question: What happens if I do nothing?
  • Answer: You might not notice anything on April 26, 2012, but after the web server is restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the web server plug-in will fail to initialize the HTTPS transports. The plug-in will rely on HTTP (non-ssl) transports to communicate to the WebSphere Application Server, and the plug-in log will contain error messages similar to the following messages:

    ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
    ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security

  • Question: Can I use the same password?
  • Answer: You cannot supply the existing password and tell it to change it to that same one. You must specify a new password.

  • Question: Once I change the password, what's next?
  • Answer: You should restart your web server to force it to reload the plugin-key.kdb file.

  • Question: What does it mean when I see "Validity: 0" upon issuing the gsk7capicmd to view my expiry value?
  • Answer: That indicates that the password will never expire.

  • Question: What if I find the password problem within my plug-in from WebSphere Application Server Version 4.0.x?
  • Answer: The plug-in from WebSphere Application Server Version 4.0 used Gskit Version 5. You can use the gsk5ikm GUI to change the password or use the gsk5cmd to alter the password. If it's more convenient, you can backup and copy the kdb file to a Gskit 7.0.4 environment and use the tools there to change the password.

Change History
3/23/2012 Flash published
4/13/2012 FAQ's added
4/16/2012 Added information to alert customers that only HTTP transports will be used if SSL stops working. Added additional content for z/OS and iSeries within FAQ.
4/18/2012 Add additional FAQ information and Note 5 concerning Windows problem.
4/20/2012 Moved IBM i and z/OS answers from FAQ section.
4/23/2012 Added a Note under step 3 for IBM i
4/24/2012 Updated IBM i information.

Related information

Plugin Personal Cert will expire on April 26 2012

Cross reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server for z/OS z/OS 8.0, 7.0, 6.1, 6.0, 5.1
Application Servers IBM HTTP Server Not Applicable AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS 8.0, 7.0, 6.1, 6.0


Document information


More support for:

WebSphere Application Server
Plug-in

Software version:

6.0, 6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1588312

Modified date:

2012-04-24
