APAR status
Closed as program error.
Error description
This APAR has been superseded by PK23458. APAR PK23458
corrects a packaging error in Interim Fix PQ85933. There is no
problem with the functionality of the APAR. The JCE expiration is
corrected.
There has been some concern circulating among JCE exploiters
regarding certificate expiration and how IBM JCE is affected by
it. The issue first arose when a Sun signing certificate
was set to expire on July 27, 2005. This issue did/does not
affect IBM JCE providers, since the IBM certificate is set to
expire May 18, 2006 at 21:59:19 GMT. Only 1.3.1 IBM JDKs were
affected by this issue (and 1.2.1 IBM JDKs; some of these were
still in use). The 1.4.x series of IBM JDKs is unaffected.
.
An alert for the issue stated that the Java Security team
implemented a fix to ibmjcefw.jar which validates the signature
of the provider jar but ignores expiration of the certificate
associated with the signature. Exploiters of IBM JCE with build
dates (found in the Manifest file in the ibmjcefw.jar) prior to
February 19, 2004 (040219) were advised to upgrade their
framework jar in order to avoid experiencing problems as a
result of the expiring certificate.
.
It has been noted by a few exploiters that the IBM certificate
is set to expire on May 18, 2006, and these exploiters have had
similar concerns about experiencing problems with JCE. Again
with this issue, for 1.3.1 IBM JDKs (and below), JCE is not
bundled with the JDK, so a newer, unaffected ibmjcefw.jar may be
obtained from an appropriate product update. Also, the 1.4.x
series remains unaffected in this instance as well. In
addition, I have been assured that no problems will be
encountered when the JVM attempts to load a framework jar
signed by an expired certificate.
.
Exploiters on z/OS should be immune to this issue if they are
using 1.3.1 SR 25 or later.
The following technote is relevant to this document.
http://www-1.ibm.com/support/docview.wss?uid=swg21236118
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are *
* using signed jars in deployed applications. *
* *
* *
* *
****************************************************************
* PROBLEM DESCRIPTION: For WebSphere Application Server *
* version 5.0, 5.0.1, 5.0.2, 5.0.2.1, *
* 5.0.2.2, 5.0.2.3, or 5.0.2.4, the IBM *
* JCE certificate will expire on May 18, *
* 2006 at 21:59:19 GMT. *
* After that date, users will see errors *
* when using Application Server *
* Security, SSL, J2C security or *
* applications making calls to IBM's *
* JSSE or JCE directly. *
****************************************************************
* RECOMMENDATION: *
* *
* *
* *
* *
* *
* *
* *
****************************************************************
Signed jar verification with an IBM JCE build earlier than
040219 will fail after year 2006. This is due to existing jar
files signed with certificates that will expire in 2006.
Problem conclusion
The signed jar verification routine will now accept signed jars
with legitimate certificates even if the certificate has
expired.
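The distinction drawn in the problem conclusion above (the jar signature still verifies, but the signer certificate has expired) can be inspected on any signed jar. This is an added example, not IBM's code or part of the APAR; it assumes a current JDK (Java 7 or later), and the class name SignerExpiryCheck is hypothetical.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: reports signature integrity and signer-certificate expiry
// as two separate findings for one jar. Usage: java SignerExpiryCheck <jar>
public class SignerExpiryCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignerExpiryCheck <path-to-jar>");
            System.exit(2);
        }
        Set<X509Certificate> signers = new LinkedHashSet<>();
        int unsigned = 0;
        byte[] buf = new byte[8192];
        // verify=true: reading an entry checks its digest against the signed manifest.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // Skip directories and META-INF/ (signature files live there and are
                // not themselves signed; this also skips other META-INF resources).
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain; SecurityException on tampering */ }
                }
                CodeSigner[] cs = entry.getCodeSigners(); // populated only after a full read
                if (cs == null) { unsigned++; continue; }
                for (CodeSigner s : cs) {
                    // The first certificate in the path is the signer's own certificate.
                    signers.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
                }
            }
        }
        System.out.println("integrity: OK (no digest mismatch), unsigned entries: " + unsigned);
        Date now = new Date();
        for (X509Certificate c : signers) {
            String state = now.after(c.getNotAfter()) ? "EXPIRED" : "valid";
            System.out.println("signer: " + c.getSubjectX500Principal().getName()
                + " notAfter=" + c.getNotAfter() + " [" + state + "]");
        }
    }
}
```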
Temporary fix
Comments
APAR information
APAR number: PQ85933
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-03-11
Closed date: 2004-03-19
Last modified date: 2006-05-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PQ91005
PK10964
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY UP
R00A PSY UP
R00H PSY UP
R00I PSY UP
R00P PSY UP
R00S PSY UP
R00W PSY UP
R103 PSY UP
R10A PSY UP
R10H PSY UP
R10I PSY UP
R10P PSY UP
R10S PSY UP
R10W PSY UP