PK23458; 5.0.2.4: Signed jar verification fails after 05/18/2006 21:59:19 GMT
 Downloadable files
 
Abstract
The IBM® JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when invoking methods in IBM's JSSE or JCE.
 
Download Description
PK23458 resolves the following problem:

ERROR DESCRIPTION:
The single APAR fix PQ85933 places the local_policy.jar and US_export_policy.jar files under the wrong path, the <WAS_ROOT>/java/jre/lib/security directory.
The correct path for both jar files is the <WAS_ROOT>/java/jre/lib/ext directory.
Also, it replaces <WAS_ROOT>/java/jre/lib/ext/ibmpkcs.jar.

LOCAL FIX:
None.

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere® Application Server version 5.0 users.

PROBLEM DESCRIPTION:
The IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when invoking methods in IBM's JSSE or JCE.

Symptom 1:
fd4e164 WSSecurityCom E WSEC0019E: Failed to load KeyLocator SampleSenderEncryptionKeyLocator. The exception is java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.f.<clinit>(Unknown Source)
at javax.crypto.m.<clinit>(Unknown Source)
at javax.crypto.b.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.crypto.Cipher.init(Unknown Source)
at com.ibm.crypto.provider.x.a(Unknown Source)
at com.ibm.crypto.provider.JceKeyStore.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(KeyStore.java:278)
at com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator.init(KeyStoreKeyLocator.java:222

Symptom 2:
NodeAgent or Application Server does not start.

In that condition, the SystemOut.log output looks as follows:
[6/20/06 13:19:41:305 EDT] 1997059b WsServer E WSVR0003E: Server nodeagent failed to start
java.lang.NoClassDefFoundError: com/ibm/ws/security/core/ContextManagerFactory
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.getSecurityContextMgr(WsnOptimizedNamingImplBase.java:2235)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.popInvocationCredential(WsnOptimizedNamingImplBase.java:2303)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.resolve_complete_info(WsnOptimizedNamingImplBase.java:1456)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.resolve(WsnOptimizedNamingImplBase.java:470)
.
.
[6/20/06 13:19:41:398 EDT] 1997059b WsServer E WSVR0009E: Error occurred during startup
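
Added example, not part of the original IBM document: a Python triage script that groups SystemOut.log entries with their stack-trace lines and flags the two symptoms described above. The sample log is constructed from the excerpts on this page; the function names and the benign WSVR0001I entry are assumptions made for illustration.

```python
import re

# Entry header in SystemOut.log. The timestamp is optional because the
# Symptom 1 excerpt on this page starts at the thread id.
ENTRY = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?(?P<thread>[0-9a-f]{6,8})\s+(?P<component>\S+)"
    r"\s+(?P<level>[A-Z])\s+(?P<msgid>[A-Z]{4}\d{4}[EWI]):\s*(?P<text>.*)$"
)
JCE_ERROR = "Cannot set up certs for trusted CAs"
MISSING_CLASS = "NoClassDefFoundError: com/ibm/ws/security/core/ContextManagerFactory"

# Constructed sample: lines taken from the excerpts above (stack traces
# shortened) plus one unrelated, constructed informational entry.
SAMPLE = """\
[6/20/06 13:19:40:100 EDT] 1997059b WsServer A WSVR0001I: constructed benign entry
fd4e164 WSSecurityCom E WSEC0019E: Failed to load KeyLocator SampleSenderEncryptionKeyLocator. The exception is java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.f.<clinit>(Unknown Source)
[6/20/06 13:19:41:305 EDT] 1997059b WsServer E WSVR0003E: Server nodeagent failed to start
java.lang.NoClassDefFoundError: com/ibm/ws/security/core/ContextManagerFactory
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.resolve(WsnOptimizedNamingImplBase.java:470)
[6/20/06 13:19:41:398 EDT] 1997059b WsServer E WSVR0009E: Error occurred during startup
"""

def entries(lines):
    """Yield one dict per log entry, with continuation lines in 'body'."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = {**m.groupdict(), "body": [m["text"]]}
        elif current and line:
            current["body"].append(line)  # stack trace or wrapped text
    if current:
        yield current

def classify(entry):
    """Return 'symptom-1', 'symptom-2' or None for a grouped entry."""
    body = "\n".join(entry["body"])
    if JCE_ERROR in body:
        return "symptom-1"  # JCE failed to initialise
    if entry["msgid"] == "WSVR0003E" and MISSING_CLASS in body:
        return "symptom-2"  # server or nodeagent failed to start
    return None

def scan(lines):
    """List (timestamp, thread, msgid, symptom) for every matching entry."""
    return [(e["ts"], e["thread"], e["msgid"], label)
            for e in entries(lines) if (label := classify(e))]
```

Calling scan() on the lines of a real SystemOut.log returns one tuple per matching entry; the timestamp is None when the header carries none, as in the Symptom 1 excerpt.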



RECOMMENDATION:
None

For WebSphere Application Server versions 5.0, 5.0.1, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, or 5.0.2.4, the IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when using Application Server Security, SSL, J2C security or applications making calls to IBM's JSSE or JCE directly.

Expected problems if the fix has not been applied:

Any API call for JCE will fail with the following errors:
- java.lang.ExceptionInInitializerError
- java.lang.SecurityException: Cannot set up certs for trusted CAs.

The error occurs under any of the following conditions:
- Global Security is enabled
- SSL is enabled for HTTP transport
- Application Server stores password for accessing datasource
- Application is using a javax.crypto.* class or a javax.security.* class

PROBLEM CONCLUSION:
The signed jar verification routine will now accept signed jars with legitimate certificates even if the certificate has expired.

This APAR corrects a packaging error in Interim Fix PQ85933. There is no problem with the functionality of the APAR. The JCE expiration is corrected.
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
If single APAR fix PQ85933 is already applied, please uninstall it before applying this APAR fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 5654
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PK23458_50 05-17-2006 US English 818346 FTP DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Cross Reference information
Segment: Application Servers
Product: WebSphere Application Server - Express
Component: Security
Platform: AIX, HP-UX, Linux, OS/400, Solaris, Windows
Version: 5.0.2.9, 5.0.2.8, 5.0.2.7, 5.0.2.6, 5.0.2.5, 5.0.2.4, 5.0.2.3, 5.0.2.2, 5.0.2.13, 5.0.2.12, 5.0.2.11, 5.0.2.10, 5.0.2.1, 5.0.2, 5.0.1, 5.0
Edition: Express

Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Problems (APARS) fixed
PK23458, PQ85933
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Java Security (JSSE/JCE)
Operating system(s): Windows
Software version: 5.0.2.4
Software edition:
Reference #: 4012319
IBM Group: Software Group
Modified date: Jun 21, 2006