PK40407: WEBSPHERE MAY SUBSTITUTE ITS OWN LIST OF CIPHER SUITES THAT OVERRIDE THE LIST SPECIFIED IN THE ADMINISTRATIVE CONSOLE.

 Fixes are available

6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for AIX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for HP-UX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for OS/400 platform
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Solaris
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Windows platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for AIX platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for HP-UX platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for HP-UX platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for AIX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for AIX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for HP-UX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Linux platforms
V6.0.2: Java SDK 1.4.2 SR11 Cumulative Fix for IBM WebSphere Application Server
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Solaris
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Windows platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Linux platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Linux platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Solaris
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Windows platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Windows platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Solaris
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for OS/400 platform
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Linux platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for AIX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for HP-UX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for OS/400 platform
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Linux platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Solaris
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Windows platforms

APAR status
Closed as program error.

Error description
WebSphere substitutes its own list of cipher suites in certain
cases, and this overrides the expected set of cipher suites that
are listed in the administrative console. This APAR addresses
that issue.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.0.1 for z/OS                              *
****************************************************************
* PROBLEM DESCRIPTION: For WebSphere Application Server for    *
*                      z/OS, when an SSL connection is to be   *
*                      established between two applications    *
*                      that use client certificate for         *
*                      authentication, the cipher selected     *
*                      corresponds to the lowest common        *
*                      cipher that does not provide            *
*                      encryption support of the cipher suites *
*                      selected for each SSL configuration.    *
*                      The highest cipher in common from       *
*                      both cipher suites is expected to be    *
*                      used instead of a cipher with NULL      *
*                      encryption.                             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
For WebSphere Application Server for z/OS applications that
establish SSL connections using a JSSE provider, the cipher
selected in the handshake process is a cipher which
provides no encryption instead of a cipher with a stronger
encryption in common to both cipher suites.  This happens when
the servers reside in the same sysplex.  Examples of ciphers
with no encryption are SSL_RSA_WITH_NULL_MD5 and
SSL_RSA_WITH_NULL_SHA.
Problem conclusion
The code was modified to provide the capability to disable the
optimization that uses ciphers with no encryption when SSL
connections are established within the same sysplex.
The property that disables the sysplex single-hop optimization is
security_disable_sysplex_encryption_optimization.

APAR PK40407 requires changes to WebSphere Application Server
for z/OS V6.0.1 documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:


http://www.ibm.com/software/webservers/appserv/was/library/

The V6.0.x WebSphere Application Server for z/OS
Information Center article "Security tuning tips"
will be updated to include the following
descriptions of the new custom property:

Setting the custom property,
security_disable_sysplex_encryption_optimization disables the
optimization that is used for communicating applications that
use SSL and reside in the same sysplex. Setting this custom
property allows the handshake process between a client using a
JSSE provider and a server that uses system SSL to select a
cipher that provides the strongest encryption. When the
optimization is enabled, the cipher selected is one that is
common between the cipher suites and is one which does not
provide encryption. Examples of such ciphers are
SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA.
Note: You set this custom property by using the Administrative
Console Environment > WebSphere Variables panel.
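The following Python model is an added illustration and is not WebSphere, JSSE or IBM code. It models the two selection behaviours the problem summary and the documentation update describe: the sysplex optimization, under which a NULL-encryption suite common to both sides (SSL_RSA_WITH_NULL_MD5 or SSL_RSA_WITH_NULL_SHA) wins the handshake, and the expected behaviour once security_disable_sysplex_encryption_optimization is set, under which the strongest suite both sides share is chosen. The preference lists are constructed for the example (the suite names are standard JSSE names; their ordering is an assumption), and the audit helper is the kind of check an operator can run against the cipher list shown in the administrative console.

```python
"""Model of the cipher-selection behaviour described in APAR PK40407.

Added illustration only; not WebSphere or JSSE code. It compares the
sysplex optimization the APAR describes (a common NULL-encryption suite
is selected) with the expected behaviour (strongest common suite), and
provides an audit helper for configured cipher lists.
"""
from typing import List, Optional, Sequence

# Suites the APAR names as providing no encryption.
NULL_ENCRYPTION_SUITES = frozenset(
    {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"}
)

# Constructed preference lists for the example, strongest first.
# The ordering is an assumption made for illustration.
SERVER_SUITES = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]
CLIENT_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]


def is_null_encryption(suite: str) -> bool:
    """True for suites that authenticate and integrity-protect but do not encrypt."""
    return suite in NULL_ENCRYPTION_SUITES or "_WITH_NULL_" in suite


def select_cipher(
    server_prefs: Sequence[str],
    client_offered: Sequence[str],
    optimization_enabled: bool,
) -> Optional[str]:
    """Return the suite the modelled handshake selects, or None if none is common.

    optimization_enabled=True reproduces the behaviour the APAR reports:
    when a NULL-encryption suite is common to both sides it is selected.
    optimization_enabled=False models the effect of setting
    security_disable_sysplex_encryption_optimization: the first common
    suite in server preference order (the strongest shared cipher) wins.
    """
    offered = set(client_offered)
    common = [s for s in server_prefs if s in offered]
    if not common:
        return None
    if optimization_enabled:
        for suite in common:
            if is_null_encryption(suite):
                return suite
    return common[0]


def audit_cipher_list(suites: Sequence[str]) -> List[str]:
    """Return the NULL-encryption suites present in a configured list."""
    return [s for s in suites if is_null_encryption(s)]


def harden_cipher_list(suites: Sequence[str]) -> List[str]:
    """Return the list with NULL-encryption suites removed, order preserved."""
    return [s for s in suites if not is_null_encryption(s)]


if __name__ == "__main__":
    print("optimization on :", select_cipher(SERVER_SUITES, CLIENT_SUITES, True))
    print("optimization off:", select_cipher(SERVER_SUITES, CLIENT_SUITES, False))
    print("NULL suites in server list:", audit_cipher_list(SERVER_SUITES))
    print("hardened server list:", harden_cipher_list(SERVER_SUITES))
```

Removing the NULL-encryption suites from both configurations, as harden_cipher_list does, closes the gap regardless of the optimization flag, because the handshake can then only ever agree on an encrypting suite; the custom property addresses the selection logic, while the list audit confirms what the administrative console is actually offering.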

APAR PK40407 is currently targeted for inclusion in Service
Level (Fix Pack) 6.0.2.23 of WebSphere Application Server V6.0.1
for z/OS.
Temporary fix
Comments
APAR information
APAR number PK40407
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 601
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2007-03-01
Closed date 2007-08-21
Last modified date 2007-11-02

APAR is sysrouted FROM one or more of the following:
PK40353

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN    UP
R601 PSY UK29972    UP07/10/18 P F710
R610 PSN    UP

  Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information


Current web document: swg1PK40407.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 601
Software edition:
Reference #: PK40407
IBM Group: Software Group
Modified date: Nov 2, 2007