Fix (APAR): PK23458 Status: Fix Release: 5.0.2.4,5.0.2.3,5.0.2.2,5.0.2.1,5.0.2,5.0.1,5.0 Operating System: AIX,HP-UX,Linux,Solaris,Windows Supersedes Fixes: PQ85933 CMVC Defect: xxxxxx Byte size of APAR: 818346 Date: 2006-05-17 Abstract: The IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when invoking methods in IBM's JSSE or JCE. Description/symptom of problem: PK23458 resolves the following problem: ERROR DESCRIPTION: The single APAR fix PQ85933 locates local_policy.jar and US_export_policy.jarfiles under wrong path, /java/jre/lib/security directory. The correct path for the both jar files is /java/jre/lib/ext directory. Also, it replaces /java/jre/lib/ext/ibmpkcs.jar. LOCAL FIX: None. PROBLEM SUMMARY USERS AFFECTED: WebSphere Application Server version 5 users. PROBLEM DESCRIPTION: The IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when invoking methods in IBM's JSSE or JCE. RECOMMENDATION: None For WebSphere Application Server version 5.0,5.0.1, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, or 5.0.2.4, the IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After that date, users will see errors when using Application Server Security, SSL, J2C security or applications making calls to IBM's JSSE or JCE directly. Expected problems if fix hasn't been applied: Any API call for JCE will fail with following errors: - java.lang.ExceptionInInitializerError - java.lang.SecurityException: Cannot set up certs for trusted CAs. Following is a list of conditions when this error happens: - Global Security is enabled - SSL is enabled for HTTP transport - Application Server stores password for accessing datasource - Application is using javax.crypt.* class or javax.security.* class PROBLEM CONCLUSION: Signed jar verification routine will now accept signed jars with legitimate certificates even if the certificate has expired. This APAR corrects a packaging error in iFix PQ85933. There is no problem with fixpacks. Directions to apply fix: NOTE: Choose the: 1) Release the fix applies to 2) The Editions that apply 3) Delete the Editions & Methods that do not apply and this Note Fix applies to Editions: Release: 5.0 5.1 _X__ ___ Application Server (Express or BASE) _X__ Enterprise Edition (DD) _X__ ___ Network Deployment (ND) ___ ___ Edge Components _X__ ___ Developers Edition ___ ___ Tools ___ WebSphere Business Integration Server Foundation (WBISF) Install Fix to: Method: __ Application Server Nodes __ Deployment Manager Nodes _X_ Both NOTE: The user must: * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environments. * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack. The Update Installer can be downloaded from the following link: http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991 The Update Installer for V5.0 does not have a maintenance directory. It uses fixpacks and fixes as the location of the unpacked files. 1) Copy PKxxxxx.jar file directly to the maintenance directory 2) Shutdown WebSphere Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to. 3) Launch Update Installer 4) Enter the installation location of the WebSphere product you want to update. 5) Select the "Install maintenance package" operation. 6) Enter the file name of the maintenance package to install (PKxxxxx.jar file which was copied in the maintenance directory). The V5.0 and V5.1 fix packs and fixes are unpacked as .jar files and should be unpacked into fixpacks or fixes directory. 7) Install the maintenance package. 8) Restart WebSphere Directions to remove fix: NOTE: * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environments. * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED * YOU MAY REAPPLY ANY REMOVED FIX Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied. 1) Shutdown WebSphere Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against. 2) Start Update Installer 3) Enter the installation location of the WebSphere product you want to remove the fix. 4) Select "Uninstall maintenance package" operation. 5) Enter the file name of the maintenance package to uninstall (PKxxxxx.jar). 6) UnInstall maintenance package. 7) Restart WebSphere Directions to re-apply fix: 1) Shutdown WebSphere. 2) Follow the Fix instructions to apply the fix. 3) Restart WebSphere. Additional Information: If PQ85933 has been installed, please uninstall it before applying PK23458.