IBM Support

Obtaining WebSphere OpenID Connect (OIDC) latest version

Troubleshooting


Problem

This document contains information about and a link to the latest version of the WebSphere® Application Server OpenID Connect (OIDC) Trust Association Interceptor (TAI). If you are having any issues with your OIDC TAI, ensure that you are running the latest version of the TAI before you start to troubleshoot the problem.

Resolving The Problem

 



 

The latest version of the OIDC TAI can be found here:

PH60195: OIDC v1.5.3; IBM WebSphere Application Server is vulnerable to a denial of service due to jose4j (CVE-2023-51775 CVSS 7.5)

The latest version of the OIDC TAI is 1.5.3. Instructions for how to determine the version of your OIDC TAI are included later in this document.

The following WebSphere Application Server fix packs contain the latest version of the OIDC TAI:
WebSphere Application Server Release | Earliest fix pack containing latest OIDC version
8.5.5 | n/a
9.0 | n/a
 

WHAT IT IS:

The OIDC TAI implementation is encapsulated in a single JAR file and can be replaced in its entirety to update to the latest version of the code. The OIDC TAI code is updated frequently, so IBM support regularly publishes new versions of the OIDC TAI outside of the fix pack cycles.

The APAR interim fix link that is provided in this document includes the following information:
  • A list of the APARs included in the fix
  • Install instructions
  • Links to any prereq APARs
  • Applicable fix packs
 

WHAT TO DO:

When you are not running the latest version of the OIDC TAI, you can do one of the following to update your OIDC TAI to the latest version:

  1. Install an interim fix for the APAR in the link that is provided in this document.
  2. Install a fix pack that includes the latest OIDC TAI for your WebSphere version; do the following:
    • Using the table at the beginning of this document, get the earliest fix pack number that contains the latest OIDC version for your release; then, do one of the following:
      • If a fix pack number is listed:
        • Install that fix pack or later
      • If a fix pack number is not listed:
        • You must install an interim fix for the latest APAR instead
 

OBTAINING THE OIDC TAI VERSION FROM YOUR JAR:

To determine the version of the OIDC TAI that you have, you can do the following in a command window:

cd (was_home)/plugins
java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version

Example output:

com.ibm.ws.security.oidc.client.jar
1.0.5
  • When the JAR was installed with an "OIDC VERSION" APAR (like the one that this document references), the version is displayed in numeric form, for example: 1.0.5.
  • When the JAR was installed with an APAR interim fix, the version that is displayed is in APAR format, for example: PH12345.
  • When the JAR file was installed with a fix pack, the version is displayed with fix pack information, for example: 8.5.5 cf091605.01. (This is translated as WebSphere version 8.5.5, build number cf091605.01, or 8.5.5.9)

If you get the following error when you run this command, then you are running an outdated version of the OIDC TAI and you must install the latest version:
Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.ws.security.oidc.util.Version
 

OBTAINING THE OIDC TAI VERSION FROM A TRACE:

To find the version of the OIDC TAI from a trace, search for getVersion:

[11/04/21 11:39:54:156 CST] 00000001 RelyingParty < getVersion returns [1.5.2] Exit
  • If the version is 1.0, then you are running an outdated version of the OIDC TAI and you must install the latest version.
  • See the previous OBTAINING THE OIDC TAI VERSION FROM YOUR JAR section for the various formats of the values that you might see from getVersion.
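
The two version checks above can be triaged in bulk with a small script. This is an added example, not IBM code: it classifies the three version formats this document describes and pulls the value out of a getVersion trace line. The function names, verdict labels, and the APAR pattern (inferred from PH12345 and PH60195) are assumptions.

```python
import re

LATEST = (1, 5, 3)  # latest OIDC TAI version named in this document

# Shapes taken from the samples in this document.
TRACE_RE = re.compile(r"getVersion returns \[([^\]]+)\]")
NUMERIC_RE = re.compile(r"^\d+(\.\d+)+$")          # e.g. 1.0.5
APAR_RE = re.compile(r"^[A-Z]{2}\d{5}$")           # assumed shape, e.g. PH12345
FIXPACK_RE = re.compile(r"^\d+(\.\d+)+\s+\S+$")    # e.g. 8.5.5 cf091605.01


def classify(version):
    """Return (format, verdict) for one reported version string."""
    v = version.strip()
    if NUMERIC_RE.match(v):
        parts = tuple(int(p) for p in v.split("."))
        return ("numeric", "current" if parts >= LATEST else "outdated")
    if APAR_RE.match(v):
        # An APAR id cannot be ordered against 1.5.3; look up the APAR.
        return ("apar", "manual-check")
    if FIXPACK_RE.match(v):
        # The table in this document lists no fix pack containing 1.5.3.
        return ("fixpack", "outdated")
    return ("unknown", "manual-check")


def from_command_output(output):
    """Classify the output of the Version class run against the JAR."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if any("NoClassDefFoundError" in ln for ln in lines):
        return ("no-version-class", "outdated")  # JAR predates the Version class
    return classify(lines[-1]) if lines else ("unknown", "manual-check")


def from_trace(text):
    """Classify the last getVersion value in a trace, or None if absent."""
    hits = TRACE_RE.findall(text)
    return classify(hits[-1]) if hits else None


if __name__ == "__main__":
    # Sample inputs copied from this document.
    print(from_command_output("com.ibm.ws.security.oidc.client.jar\n1.0.5"))
    print(from_trace("[11/04/21 11:39:54:156 CST] 00000001 RelyingParty "
                     "< getVersion returns [1.5.2] Exit"))
```

A "manual-check" verdict means the value has to be compared against the APAR list in the interim fix link rather than against the version number.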
 

SUPPORTED FIX PACKS:

The OpenID Connect feature of WebSphere Application Server is supported starting in the following fix packs:

 
  • 8.5.5.3
  • 9.0.0.0

You cannot install the OIDC TAI feature on a fix pack that is earlier than one of these fix packs. If you want to use the OIDC TAI, you must upgrade to one of these fix packs or later, then install the latest OIDC TAI.

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.


Document Information

Modified date:
25 April 2024

UID

swg21997883