Fix (APAR): PK80596
Status: Fix
Release: 6.1.0.23, 6.1.0.21, 6.1.0.17, 6.0.2.33, 6.0.2.31, 6.0.2.27
Operating System: AIX, HP-UX, Linux, Linux pSeries, Linux zSeries, Solaris, Windows
Supersedes Fixes:
CMVC Defect: 574319.4
Byte size of APAR: 1351560
Date: 2009-06-17

Abstract: Possible security exposure with XML digital signature

Description/symptom of problem:

PK80596 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure with XML digital signature

LOCAL FIX:
N/A

PROBLEM SUMMARY:

USERS AFFECTED:
WebSphere Application Server users of JAX-WS and JAX-RPC applications that use a MAC algorithm (shared secret key), such as http://www.w3.org/2000/09/xmldsig#hmac-sha1, for message integrity.

PROBLEM DESCRIPTION:
Web services messages that do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy the quality of service policy requirements.

RECOMMENDATION:
Apply APAR PK80596 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages that do not follow XML digital signature best practice. Web services requests containing digital signatures that were not generated by WebSphere Application Server may be rejected after this fix is applied, for integrity reasons.

The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.35, 6.1.0.25, and 7.0.0.3. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 6
_X_ Application Server (Express or BASE)
_X_ Network Deployment (ND)
__ WebSphere Business Integration Server Foundation (WBISF)
__ Edge Components
__ Developer
__ Extended Deployment (XD)

Install Fix to:
Method:
_X_ Application Server Nodes
__ Deployment Manager Nodes
__ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.1.0.13 or newer of the Update Installer. Certain iFixes may require a newer version of the Update Installer, and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in the file /updateinstaller/version.txt. The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
For detailed instructions to extract the Update Installer, see the following Technote:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205400

1) Copy the pak file that is appropriate for your install base directly to the maintenance directory:
   For 6.0.2.27, use: 6.0.2.27-WS-WAS-IFPK80596.pak
   For 6.0.2.31, use: 6.0.2.31-WS-WAS-IFPK80596.pak
   For 6.0.2.33, use: 6.0.2.33-WS-WAS-IFPK80596.pak
   For 6.1.0.17, use: 6.1.0.17-WS-WAS-IFPK80596.pak
   For 6.1.0.21, use: 6.1.0.21-WS-WAS-IFPK80596.pak
   For 6.1.0.23, use: 6.1.0.23-WS-WAS-IFPK80596.pak
2) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows, or ". ./setupCmdLine.sh" in UNIX, from the WebSphere instance that maintenance is being applied to.
3) Launch the Update Installer and click the Next button on the Welcome page.
4) Enter the directory path of the installation location of the WebSphere product you want to update, and click the Next button.
5) Select the "Install maintenance package" operation and click the Next button.
6) Enter the directory path of the maintenance directory where you have the maintenance packages (.pak files), and click the Next button.
7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer will select the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Keep the Update Installer recommendations, click the Next button, and continue with the installation of the maintenance package.
8) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and then fix3 re-applied.

1) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows, or ". ./setupCmdLine.sh" in UNIX, from the WebSphere instance that the uninstall is being run against.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Select the file name of the maintenance package to uninstall (for example, 6.1.0.11-WS-WAS-IFPK12345.pak).
6) Verify the Uninstallation Summary and continue with the uninstall.
7) Restart WebSphere.

Directions to re-apply fix:
1) Shut down WebSphere.
2) Follow the fix instructions above to apply the fix.
3) Restart WebSphere.

Additional Information:
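The PROBLEM CONCLUSION above states the change at the level of policy: after the fix, an hmac-sha1 signed request is rejected when it departs from XML digital signature best practice, rather than accepted merely because it satisfies the QoS policy. The block below is an added illustration of what a fail-closed verifier for a http://www.w3.org/2000/09/xmldsig#hmac-sha1 SignatureValue looks like. It is not WebSphere code and does not describe the particular checks PK80596 introduced; the policy it enforces (algorithm allow-lists, no parameter children under SignatureMethod, a full 20-byte MAC, constant-time comparison, HMAC verified before any Reference is trusted, same-document references without Transforms only) is an assumption made for this example. The envelope, the Id attribute, the shared key SHARED_KEY and the use of the standard library's C14N 2.0 canonicalizer in place of the C14N 1.0 algorithm named in CanonicalizationMethod are all constructed for the demo.

```python
"""Fail-closed verifier for http://www.w3.org/2000/09/xmldsig#hmac-sha1 XML Signatures
over a shared secret. Added example, not WebSphere code; C14N 2.0 from the stdlib
stands in for the C14N 1.0 URI carried in CanonicalizationMethod (an assumption)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1, SHA1 = DS + "hmac-sha1", DS + "sha1"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
NS = {"ds": DS}
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes: only a full-length MAC is accepted
SHARED_KEY = b"constructed-demo-shared-secret"  # stands in for a WS-Security token's key
ET.register_namespace("ds", DS)  # same prefixes whether built in memory or parsed

def c14n(elem):
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def sign(body, key=SHARED_KEY):
    """Build a <ds:Signature> whose single Reference covers the element 'body'."""
    si = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + body.get("Id"))
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA1)
    digest = hashlib.sha1(c14n(body)).digest()
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    sig = ET.Element(f"{{{DS}}}Signature")
    sig.append(si)
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return sig

def make_envelope(order, key=SHARED_KEY):
    """Constructed SOAP-like message: Header carries the Signature, Body the payload."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", Id="Body")
    ET.SubElement(body, "Order").text = order
    header.append(sign(body, key))
    return ET.tostring(env, encoding="unicode")

def verify(envelope_xml, key=SHARED_KEY):
    """Return (ok, reason). Nothing in SignedInfo is trusted before its HMAC checks out."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(".//ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS) if sig is not None else None
    if si is None:
        return False, "no ds:SignedInfo"
    cm = si.find("ds:CanonicalizationMethod", NS)
    if cm is None or cm.get("Algorithm") != C14N:
        return False, "canonicalization method not on allow-list"
    sm = si.find("ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != HMAC_SHA1:
        return False, "signature method not on allow-list"
    if len(sm):  # parameter children (e.g. an output-length override) are refused
        return False, "unexpected SignatureMethod parameters"
    try:
        mac = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS), validate=True)
    except ValueError:
        return False, "SignatureValue is not base64"
    if len(mac) != MAC_LEN:
        return False, "SignatureValue is not a full-length HMAC-SHA1"
    if not hmac.compare_digest(mac, hmac.new(key, c14n(si), hashlib.sha1).digest()):
        return False, "HMAC mismatch"
    refs = si.findall("ds:Reference", NS)
    if not refs:
        return False, "no references"
    for ref in refs:  # SignedInfo is authentic now; check what it vouches for
        uri, dm = ref.get("URI", ""), ref.find("ds:DigestMethod", NS)
        target = root.find(f".//*[@Id='{uri[1:]}']") if uri.startswith("#") else None
        if target is None or ref.find("ds:Transforms", NS) is not None:
            return False, f"reference {uri!r} not allowed by policy"
        if dm is None or dm.get("Algorithm") != SHA1:
            return False, "digest method not on allow-list"
        want = base64.b64decode(ref.findtext("ds:DigestValue", "", NS))
        if not hmac.compare_digest(hashlib.sha1(c14n(target)).digest(), want):
            return False, f"digest mismatch for {uri}"
    return True, "ok"

def demo():
    """One honest message and three that a lax verifier might still accept."""
    good = make_envelope("10 units")
    def edited(fn):
        root = ET.fromstring(good)
        fn(root)
        return ET.tostring(root, encoding="unicode")
    def truncate_mac(root):  # keep only 10 of the 20 MAC bytes
        sv = root.find(".//ds:SignatureValue", NS)
        sv.text = base64.b64encode(base64.b64decode(sv.text)[:10]).decode()
    def add_parameter(root):  # the spec's HMACOutputLength; this policy never honours it
        ET.SubElement(root.find(".//ds:SignatureMethod", NS), f"{{{DS}}}HMACOutputLength").text = "80"
    return {"valid": verify(good),
            "body tampered": verify(good.replace("10 units", "1000 units")),
            "truncated mac": verify(edited(truncate_mac)),
            "extra parameter": verify(edited(add_parameter))}
```

The order of the checks is the point: structural policy (algorithms, absence of SignatureMethod parameters, MAC length) is enforced before any cryptography runs, the HMAC over SignedInfo is checked before any DigestValue in it is believed, and every comparison uses hmac.compare_digest. A verifier that instead accepted whatever the message's own SignatureMethod declared would be trusting input it has not yet authenticated. Calling demo() returns (True, "ok") for the honest envelope and a (False, reason) pair for each of the other three.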