PK03431: EXPIRED CERTIFICATES ARE NOT REJECTED

 Fixes are available

5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for AIX
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for HP-UX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Linux
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for HP-UX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Solaris
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Windows
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Solaris
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for AIX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for AIX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Windows
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Solaris
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Solaris
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Linux
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Windows
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for HP-UX
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for AIX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Windows
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for AIX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Linux
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for HP-UX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Solaris
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for AIX
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Windows
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for HP-UX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Linux
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for AIX
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Linux
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Windows
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Windows
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Linux
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for HP-UX
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for HP-UX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for AIX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for HP-UX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for HP-UX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Linux
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Linux
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for HP-UX



APAR status
Closed as program error.

Error description
Hi, the situation briefly: we have WAS 5.0.2 and we are using the dummy IBM key files, both on the client side:

com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=/opt/WebSphere/AppServer/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=/opt/WebSphere/AppServer/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw\=

  and on the server side:

  <repertoire xmi:id="SSLConfig_1" alias="CLM/DefaultSSLSettings">
    <setting xmi:id="SecureSocketLayer_1"
        keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"
        keyFilePassword="{xor}CDo9Hgw=" keyFileFormat="JKS"
        trustFileName="${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks"
        trustFilePassword="{xor}CDo9Hgw=" trustFileFormat="JKS"
        clientAuthentication="false" securityLevel="HIGH"
        enableCryptoHardwareSupport="false">
      <cryptoHardware xmi:id="CryptoHardwareToken_1" tokenType="" libraryFile="" password="{xor}"/>
      <properties xmi:id="Property_4" name="com.ibm.ssl.protocol" value="SSLv3"/>
      <properties xmi:id="Property_5" name="com.ibm.ssl.contextProvider" value="IBMJSSE"/>
    </setting>
  </repertoire>

  and the SSL config has been enabled:

  xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi"
  xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
  xmi:id="Security_1" useLocalSecurityServer="true"
  useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600"
  issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false"
  activeAuthMechanism="SWAMAuthentication_1" activeUserRegistry="LDAPUserRegistry_1"
  defaultSSLSettings="SSLConfig_1">


Now the ACert tool says the following about /opt/WebSphere/AppServer/etc/DummyClientKeyFile.jks:

examining: /opt/WebSphere/AppServer
found 1 SSL configurations


processing SSL configuration: CLM/DefaultSSLSettings
SSL Key File for CLM/DefaultSSLSettings:
${USER_INSTALL_ROOT}/etc/DummyClientKeyFile.jks
corrected SSL Key File:
/opt/WebSphere/AppServer/etc/DummyClientKeyFile.jks
Certificate for SSLConfig: CLM/DefaultSSLSettings, key file:
/opt/WebSphere/AppServer/etc/DummyClientKeyFile.jks, alias: websphere dummy client
expires on: Thu Mar 17 22:05:45 EET 2005


and the following about ${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks:

   examining: /opt/WebSphere/AppServer
found 1 SSL configurations


processing SSL configuration: CLM/DefaultSSLSettings
SSL Key File for CLM/DefaultSSLSettings:
${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks
corrected SSL Key File:
/opt/WebSphere/AppServer/etc/DummyServerKeyFile.jks
Certificate for SSLConfig: CLM/DefaultSSLSettings, key file:
/opt/WebSphere/AppServer/etc/DummyServerKeyFile.jks, alias: websphere dummy server
expires on: Thu Mar 17 22:08:18 EET 2005


i.e., we are using the dummy key files. Now, the time on the test machine has been set to the future:

  root@CLM(R_FSPR2_0.14):~# date
Tue Aug 26 19:15:36 EEST 2025

but we can still start the server (although it throws some exceptions during startup) and successfully run a client that contacts the server; however, the server cannot be shut down. I have sent the SystemOut.log and the trace.log by e-mail; they contain the server start-up, the run of the test client and a shutdown attempt. I have also attached the security.xml file.
Local fix
An updated ibmjsse.jar has been provided as a test fix and resolves the issue. An official fix is required.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who       *
*                 have enabled Global Security or are using    *
*                 the JSSE API.                                *
****************************************************************
* PROBLEM DESCRIPTION: Expired certificates are not rejected   *
*                      as well as possible excessive memory    *
*                      usage.                                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Expired certificates are not rejected during SSL/TLS certificate validation. In some cases excessive memory usage may also be seen; a heap analysis shows the memory held by classes in the com.ibm.ssllite package.
Problem conclusion
The problem is corrected in JSSE builds dated 20040924 and later.

The fix for this APAR is currently targeted for inclusion in fixpack 5.0.2.13. Please refer to the Recommended Updates page for delivery dates:

http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
Temporary fix
Test fix provided
Comments
APAR information
APAR number PK03431
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00I
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-03-31
Closed date 2005-08-09
Last modified date 2005-08-29

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00I
Software edition:
Reference #: PK03431
IBM Group: Software Group
Modified date: Aug 29, 2005