PK23458: Signed jar verification fails after 05/18/2006 21:59:19 GMT

 A fix is available

PK23458; 5.0.2.4: Signed jar verification fails after 05/18/2006 21:59:19 GMT



APAR status
Closed as program error.

Error description
The single APAR fix 
PQ85933 locates local_policy.jar and
US_export_policy.jarfiles
under wrong path, <WAS_ROOT>/java/jre/lib/security directory.
The correct path for the both jar files is <WAS_ROOT>
/java/jre/lib/ext directory.
Also, it replaces
<WAS_ROOT>/java/jre/lib/ext/ibmpkcs.jar.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server version 5       *
*                 users.                                       *
****************************************************************
* PROBLEM DESCRIPTION: The IBM JCE certificate will expire     *
*                      on May 18, 2006 at 21:59:19 GMT.        *
*                      After that date, users will see         *
*                      errors when invoking methods in IBM's   *
*                      JSSE or JCE.                            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
For WebSphere Application Server version 5.0,5.0.1, 5.0.2,
5.0.2.1, 5.0.2.2, 5.0.2.3, or 5.0.2.4, the IBM JCE certificate
will expire on May 18, 2006 at 21:59:19 GMT. After that date,
users will see  errors when using Application Server Security,
SSL, J2C security or applications making calls to IBM's JSSE
or JCE directly.

Expected problems if fix hasn't been applied:

Any API call for JCE will fail with following errors:
- java.lang.ExceptionInInitializerError
- java.lang.SecurityException: Cannot set up certs for trusted
CAs.

Following is a list of conditions when this error happens:
- Global Security is enabled
- SSL is enabled for HTTP transport
- Application Server stores password for accessing datasource
- Application is using javax.crypt.* class or
javax.security.* class
Problem conclusion
Signed jar verification routine will now accept signed jars
with legitimate certificates even if the certificate has
expired.
This APAR corrects a packaging error in iFix 
PQ85933. There
is no problem with fixpacks.
Temporary fix
*********
* HIPER *
*********
Comments
APAR information
APAR number PK23458
Reported component name WAS NETWRK DEPL
Reported component ID 5630A3601
Reported release 00I
Status CLOSED PER
PE NoPE
HIPER YesHIPER
Special Attention NoSpecatt
Submitted date 2006-04-16
Closed date 2006-05-17
Last modified date 2006-05-22

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Publications Referenced

Fix information
Fixed component name WAS NETWRK DEPL
Fixed component ID 5630A3601

Applicable component levels
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00I
Software edition:
Reference #: PK23458
IBM Group: Software Group
Modified date: May 22, 2006