APAR status
Closed as program error.
Error description
According to the Infocenter for WebSphere 5.0.x, the cacerts
file is used when the com.ibm.SSL.trustStore property is not
set.
Global security uses the com.ibm.SSL.trustStore JVM
property to define its trust file, which keeps the application
from using signer certs that were added to the cacerts file.
Local fix
The application can use signer certs that are added to the trust
store defined in Global Security's com.ibm.ssl.trustStore.
Another workaround is to use socket factories, which can define
their own trust stores within the application.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are   *
*                 attempting to programmatically establish SSL *
*                 connections with security enabled.           *
****************************************************************
* PROBLEM DESCRIPTION: The default trust store "cacerts" is    *
*                      changed when security is enabled.       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The default trust store "cacerts" is changed when security is
enabled. The problem was caused by the properties below
being set unnecessarily when setting up the HTTPS protocol
handler.
javax.net.ssl.keyStore
javax.net.ssl.keyStoreType
javax.net.ssl.keyStorePassword
javax.net.ssl.trustStore
javax.net.ssl.trustStoreType
javax.net.ssl.trustStorePassword
The HTTPS protocol handler was also being configured only if
security was enabled; it should always be configured.
Problem conclusion
The global system properties are no longer set when security
is enabled. HTTPS protocol handler initialization was
modified so it was performed even if security was not enabled.
Important note: The system properties for configuring the
default trust and key stores are used by Apache SOAP for SSL
connections. Apache SOAP is used by some components of
WebSphere Application Server. Applications should not rely on
well-known global system properties for trust and key store
selection and should implement a SocketFactory instead.
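The recommendation above, as an added example that is not IBM's code or part of the original APAR: an application-scoped socket factory built from its own trust store and applied to a single connection, leaving the javax.net.ssl.* system properties alone. It assumes the standard javax.net.ssl API of a current JDK; the class name and the APP_TRUSTSTORE_PASSWORD environment variable are hypothetical.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class AppTrustStoreExample { // hypothetical class name

    // Build a socket factory that trusts only the signers in the given store,
    // without reading or writing any javax.net.ssl.* system property.
    static SSLSocketFactory factoryFor(String storePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trust.load(in, password);
        }
        if (trust.size() == 0) { // fail early instead of at handshake time
            throw new IllegalStateException("trust store has no entries: " + storePath);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // args: <trust store path> <https URL>; password comes from the environment
        String pw = System.getenv("APP_TRUSTSTORE_PASSWORD"); // hypothetical variable
        if (args.length != 2 || pw == null) {
            throw new IllegalArgumentException("usage: <trust store> <https URL>");
        }
        SSLSocketFactory sf = factoryFor(args[0], pw.toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(args[1]).toURL().openConnection();
        conn.setSSLSocketFactory(sf); // this connection only, not the JVM-wide default
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            conn.disconnect();
        }
        // The global property is untouched, so other components keep their own trust settings.
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));
    }
}
```

Because the factory is set on the connection rather than through HttpsURLConnection.setDefaultSSLSocketFactory or system properties, the default hostname verification stays in effect and other code in the same JVM is not affected.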
Temporary fix
Comments
APAR information
APAR number: PQ83508
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00S
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-01-21
Closed date: 2004-03-02
Last modified date: 2004-03-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R003 PSY UP
R00A PSY UP
R00H PSY UP
R00I PSY UP
R00P PSY UP
R00S PSY UP
R00W PSY UP
R103 PSY UP
R10A PSY UP
R10H PSY UP
R10I PSY UP
R10P PSY UP
R10S PSY UP
R10W PSY UP