IBM Support

IC82397: SSL CLIENT CACHING MAY USE WRONG CREDENTIALS WHEN MULTIPLE SSL PROXY PROFILES, WITH THE SAME IP & PORT, ARE USED BY AN XMLMGR


APAR status

  • Closed as fixed if next.

Error description

  • When an XML Manager uses multiple SSL Proxy Profiles for
    connections to the same IP address and port number, SSL
    connections may present the wrong certificate if 'Client-side
    Session Caching' is enabled.
    The connections may fail or cause other errors because each
    XML manager maintains the SSL session cache based on the IP
    address and port of the SSL connections. Therefore,
    services using the same XML manager could use the wrong SSL
    credentials (certificates) when sending data to the same IP
    address and port.
    

Local fix

  • One of the following options can be used to avoid this issue:
    1) Disable 'Client-side Session Caching' in the SSL Proxy
    Profile.
    2) Assign a unique IP/port pair on the backend server for
    each SSL Proxy Profile.
    3) Use a distinct XML manager for each SSL Proxy Profile by
    creating 'chained' services. This would mean adding a service
    (e.g., XML Firewall) behind the current 'client-facing' service.
    The XMLFW would then use a single SSL Proxy Profile and its own
    unique XML manager to forward the request to the backend server.
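
To find configurations exposed to this condition, the following added example (not IBM code) groups outbound connections by XML manager, backend IP and port, and reports every group reached through more than one SSL Proxy Profile while caching is enabled on at least one of them. The inventory layout, its field names and the sample entries are constructed assumptions, not a DataPower export format.

```python
from collections import defaultdict

# Constructed inventory of outbound SSL connections. Field names are
# hypothetical; populate them from your own configuration review, with
# backend hostnames already resolved to IP addresses.
SAMPLE_INVENTORY = [
    {"service": "orders-mpgw", "xml_manager": "default",
     "ssl_proxy_profile": "partnerA-client", "backend": ("10.0.5.20", 8443),
     "client_session_caching": True},
    {"service": "billing-mpgw", "xml_manager": "default",
     "ssl_proxy_profile": "partnerB-client", "backend": ("10.0.5.20", 8443),
     "client_session_caching": True},
    # Option 3: same profile and backend, but its own XML manager.
    {"service": "audit-xmlfw", "xml_manager": "audit-mgr",
     "ssl_proxy_profile": "partnerB-client", "backend": ("10.0.5.20", 8443),
     "client_session_caching": True},
    # Option 2: unique IP/port pair for this profile.
    {"service": "reports-mpgw", "xml_manager": "default",
     "ssl_proxy_profile": "reports-client", "backend": ("10.0.5.20", 9443),
     "client_session_caching": True},
    # Option 1: two profiles share a backend, caching disabled on both.
    {"service": "batch-a", "xml_manager": "batch-mgr",
     "ssl_proxy_profile": "batchA-client", "backend": ("10.0.7.1", 443),
     "client_session_caching": False},
    {"service": "batch-b", "xml_manager": "batch-mgr",
     "ssl_proxy_profile": "batchB-client", "backend": ("10.0.7.1", 443),
     "client_session_caching": False},
]

def find_cache_collisions(inventory):
    """Map (xml_manager, ip, port) -> sorted profile names for every group
    that has two or more distinct SSL Proxy Profiles and caching enabled
    on at least one of them (a deliberately conservative rule)."""
    groups = defaultdict(lambda: {"profiles": set(), "caching": False})
    for entry in inventory:
        ip, port = entry["backend"]
        group = groups[(entry["xml_manager"], ip, int(port))]
        group["profiles"].add(entry["ssl_proxy_profile"])
        group["caching"] = group["caching"] or entry["client_session_caching"]
    return {key: sorted(g["profiles"]) for key, g in groups.items()
            if g["caching"] and len(g["profiles"]) > 1}

if __name__ == "__main__":
    for (mgr, ip, port), profiles in find_cache_collisions(SAMPLE_INVENTORY).items():
        print(f"XML manager {mgr!r} -> {ip}:{port} shared by {', '.join(profiles)}")
```

Each reported group needs one of the three options listed above.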
    

Problem summary

  • DataPower customers using multiple SSL Proxy Profiles with
    mutual authentication to connect to a single IP/Port pair may
    experience issues when Client-side Session Caching is enabled.
    

Problem conclusion

  • This will be fixed in a future major release.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC82397

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    382

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-03-30

  • Closed date

    2012-04-06

  • Last modified date

    2012-07-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R500 PSY

       UP


Document Information

Modified date:
11 February 2022