IC82397: SSL CLIENT CACHING MAY USE WRONG CREDENTIALS WHEN MULTIPLE SSL PROXY PROFILES, WITH THE SAME IP & PORT, ARE USED BY AN XMLMGR
Fixes are available
Closed as fixed if next.
When an XML Manager uses multiple SSL Proxy Profiles for connections to the same IP address and port number, SSL connections may present the wrong certificate if 'Client-side Session Caching' is enabled. The connections may fail or cause other errors because each XML manager maintains the SSL session cache based on the IP address and port of the SSL connections. Therefore, services using the same XML manager could use the wrong SSL credentials (certificates) when sending data to the same IP address and port.
One of the following options can be used to avoid this issue:
1) Disable 'Client-side Session Caching' in the SSL Proxy Profile.
2) Assign a unique IP/port pair on the backend server for each SSL Proxy Profile.
3) Use a distinct XML manager for each SSL Proxy Profile by creating 'chained' servicing. This would mean adding a service (e.g., XML Firewall) behind the current 'client-facing' service. The XMLFW would then use a single SSL Proxy Profile and its own unique XML manager to forward the request to the backend server.
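The following Python model is an added illustration, not DataPower code and not part of the APAR: it shows how a session cache keyed only on IP address and port hands one profile's session to another, and how workarounds 1 and 2 avoid the collision. The profile names, certificate subjects, address and the profile-aware cache key are assumptions made for the example; the APAR does not describe how the fix is implemented.

```python
"""Simplified model of a client-side TLS session cache (constructed example)."""
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Profile:
    name: str         # hypothetical SSL Proxy Profile name
    client_cert: str  # identity presented during a full handshake

@dataclass
class Backend:
    """Server side: a session stays bound to the certificate from its full handshake."""
    sessions: dict = field(default_factory=dict)
    _ids: count = field(default_factory=count)

    def full_handshake(self, cert):
        sid = next(self._ids)
        self.sessions[sid] = cert
        return sid

class XmlManager:
    """Client side: one session cache shared by every profile on the manager."""
    def __init__(self, key_fn, caching=True):
        self.key_fn, self.caching, self.cache = key_fn, caching, {}

    def connect(self, profile, backend, ip, port):
        """Return the client identity the backend associates with this connection."""
        key = self.key_fn(profile, ip, port)
        if self.caching and key in self.cache:
            # Resumption: no certificate is sent, the cached session's identity applies.
            return backend.sessions[self.cache[key]]
        sid = backend.full_handshake(profile.client_cert)
        if self.caching:
            self.cache[key] = sid
        return profile.client_cert

def by_endpoint(profile, ip, port):
    return (ip, port)                # cache key as described in the APAR

def by_endpoint_and_profile(profile, ip, port):
    return (ip, port, profile.name)  # assumed profile-aware key, for contrast

def identities_seen(key_fn, caching=True, ports=(8443, 8443)):
    """Connect profile A, then profile B; return the identity the backend saw for each."""
    a, b = Profile("profile-a", "CN=app-a"), Profile("profile-b", "CN=app-b")
    mgr, backend = XmlManager(key_fn, caching), Backend()
    return [mgr.connect(p, backend, "192.0.2.10", port) for p, port in zip((a, b), ports)]

if __name__ == "__main__":
    print("ip/port key, caching on :", identities_seen(by_endpoint))
    print("ip/port key, caching off:", identities_seen(by_endpoint, caching=False))
```

With the IP/port key and caching enabled, the second connection is treated as `CN=app-a` even though it was made through `profile-b`; an audit of backend logs for client identities that do not match the calling service is one way to spot affected configurations.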
DataPower customers using multiple SSL Proxy Profiles with mutual authentication to connect to a single IP/Port pair may experience issues when Client-side Session Caching is enabled.
This will be fixed in a future major release.