IBM Support

PK61258: WEB SERVICES SECURITY ISN'T HONORING CRLS IN CERT STORE COLLECTIONS


APAR status

  • Closed as program error.

Error description

  • Web services security is not honoring Certificate Revocation
    Lists (CRL) validation configured in Certificate Store
    Collections.  X509 certificates in SOAP messages that are
    revoked in the CRL are not being rejected by the system.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  WebSphere Application Server administrators *
    *                  of ws-security enabled web services         *
    *                  applications using CRLs                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Web services security is not honoring   *
    *                      configured Certificate Revocation Lists *
    *                      (CRL).                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Web services security processing was not calling the
    setRevocationEnabled method on the PKIXBuilderParameters object
    when a Certificate Revocation List (CRL) was configured.
    As a result, the Java security method used to validate the
    X509 certificate did not check the revocation status of the
    certificate.
    

Problem conclusion

  • The web services security code was updated to call the
    setRevocationEnabled method on the PKIXBuilderParameters object
    when one or more Certificate Revocation Lists (CRL) are
    configured.
    
    The fix for this APAR is currently targeted for inclusion in
    fixpack 6.0.2.31 and 6.1.0.19.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
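
The parameter handling this APAR describes, as an added Java example (not IBM's or WebSphere's code): CRLs are placed in a collection CertStore and revocation checking is switched on explicitly whenever at least one CRL is configured. The class name CrlPathCheck, the validate helper and the three file arguments (CA certificate, signer certificate, CRL file) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class CrlPathCheck {
    // Hypothetical helper: builds a PKIX path for `target` and throws
    // CertPathBuilderException if no valid, non-revoked path exists.
    static PKIXCertPathBuilderResult validate(X509Certificate target,
            Set<TrustAnchor> anchors, Collection<? extends CRL> crls) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);

        // The configured CRLs and the certificate under test go into one
        // collection store that the path builder consults.
        List<Object> storeContents = new ArrayList<>(crls);
        storeContents.add(target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));

        // The call the APAR is about: set the flag explicitly from the
        // configuration instead of leaving it at whatever value it carries.
        params.setRevocationEnabled(!crls.isEmpty());

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    // Usage (file names are placeholders): java CrlPathCheck ca.cer signer.cer ca.crl
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca, signer;
        Collection<? extends CRL> crls;
        try (InputStream a = new FileInputStream(args[0]);
             InputStream b = new FileInputStream(args[1]);
             InputStream c = new FileInputStream(args[2])) {
            ca = (X509Certificate) cf.generateCertificate(a);
            signer = (X509Certificate) cf.generateCertificate(b);
            crls = cf.generateCRLs(c);
        }
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(ca, null));
        try {
            validate(signer, anchors, crls);
            System.out.println("ACCEPT: path built, certificate not revoked");
        } catch (CertPathBuilderException e) {
            System.out.println("REJECT: " + e.getMessage());
        }
    }
}
```

With checking enabled, the JDK's default PKIX provider also rejects a certificate when no usable CRL for its issuer is available, because the revocation status cannot be determined.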
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK61258

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    61W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-02-18

  • Closed date

    2008-05-07

  • Last modified date

    2008-05-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 6.1

Reference #: PK61258

Modified date: 07 May 2008