Fix (APAR): PM12971
Status: Fix
Release: 6.1.0.35, 6.1.0.33, 6.1.0.31, 6.1.0.29, 6.1.0.27, 6.1.0.25, 6.1.0.23, 6.1.0.21, 6.1.0.19
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes: PK77138; PK85910
CMVC Defect: PM12971
Byte size of APAR: 169578
Date: 2010-12-09

Abstract: JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform

Description/symptom of problem:

PM12971 resolves the following problem:

ERROR DESCRIPTION:
The JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform. The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute.

LOCAL FIX:
No workaround noted at this time.

PROBLEM SUMMARY:
USERS AFFECTED: IBM WebSphere Application Server V6.1 and V7.0 users of WS-Security enabled JAX-RPC web services applications and digital signature
PROBLEM DESCRIPTION: JAX-RPC WS-Security runtime cannot properly generate or consume signed security tokens that are signed with STR-Transform
RECOMMENDATION: Install a fix pack that includes this APAR.

The JAX-RPC WS-Security 1.0 runtime cannot properly generate or consume a security token that is referenced with a SecurityTokenReference that is signed with the STR Dereference Transform reference option. The STR-Transform transform algorithm will be specified in the Reference in the Signature element when the STR Dereference Transform reference option is being used. The Reference element will point to the SecurityTokenReference for the security token that is to be signed. The STR-Transform process must be used in order to sign custom security tokens that do not contain the wsu:Id attribute, or any security token that does not appear in the message.
When the JAX-RPC runtime is configured to sign a security token using STR-Transform, the runtime will add a wsu:Id attribute directly to the security token and not add the required wsse:SecurityTokenReference element. This is not acceptable for tokens that do not allow the wsu:Id attribute, such as SAML tokens.

When the JAX-RPC runtime receives a wsse:SecurityTokenReference element that is outside of the Signature element in the SOAP security header, which is required for a security token that is signed with STR-Transform, an error like the following will occur:

WSEC5503E: Unknown element wsse:SecurityTokenReference in the wsse:Security element.

The STR-Transform transform algorithm is:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

The wsse:SecurityTokenReference element is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference

The wsu:Id attribute is:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id

PROBLEM CONCLUSION:
The JAX-RPC WS-Security 1.0 runtime is updated to properly generate and consume security tokens that are signed using STR-Transform in the following conditions:

* The security token can be referenced by a Reference element within a wsse:SecurityTokenReference element
-or-
* The token is a SAML 1.1 or SAML 2.0 Assertion that can be referenced by a KeyIdentifier element in the wsse:SecurityTokenReference element.

Any token that must be referred to with a KeyIdentifier that is not a SAML 1.1 or 2.0 Assertion is not supported. This includes tokens that do not appear in the message. For the purposes of this APAR, the UsernameToken, X.509, and LTPA tokens were those tested for wsse:SecurityTokenReference/Reference.
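The two message shapes the APAR contrasts (a wsu:Id stamped directly on the token versus a wsse:SecurityTokenReference placed in the security header outside the Signature) can be told apart mechanically. The following is an added example written for this page, not IBM code and not part of the APAR: a Python check that walks every ds:Reference in a wsse:Security header, picks out the ones that use the STR-Transform algorithm URI quoted above, and classifies what the Reference URI resolves to using the element, attribute and SAML assertion QNames this APAR lists. The SOAP messages are constructed, minimal skeletons (no DigestValue or SignatureValue, since the check only inspects references), and the rule that a KeyIdentifier names a SAML assertion by its AssertionID (SAML 1.1) or ID (SAML 2.0) attribute is our assumption; the APAR does not state how the runtime matches them.

```python
"""Classify STR-Transform signature references in a WS-Security header.

Added example (not IBM code). Distinguishes the pre-fix shape (wsu:Id placed
directly on the token) from the shape the fixed runtime expects (a
wsse:SecurityTokenReference outside ds:Signature that points at the token).
"""
import xml.etree.ElementTree as ET

# Namespace URIs. The WS-Security, STR-Transform and SAML values are the ones
# quoted in APAR PM12971; SOAP and XML-DSig are the standard namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(ns, local):
    """Clark-notation qualified name, {uri}local, as ElementTree uses it."""
    return "{%s}%s" % (ns, local)


def is_saml_assertion(el):
    return el.tag in (q(SAML11, "Assertion"), q(SAML20, "Assertion"))


def assertion_id(el):
    # Assumption: SAML 1.1 carries AssertionID, SAML 2.0 carries ID.
    return el.get("AssertionID") or el.get("ID")


def check_str_transform_references(envelope_xml):
    """Return (kind, uri) for every ds:Reference that uses STR-Transform.

    kind values:
      ok-reference          STR outside the Signature holds wsse:Reference (supported)
      ok-saml-keyid         STR holds a KeyIdentifier naming a SAML 1.1/2.0 Assertion
                            present in the header (supported)
      unsupported-keyid     KeyIdentifier that names no SAML assertion in the message
      str-inside-signature  the STR sits under ds:Signature rather than beside it
      wsu-id-on-token       URI points straight at a token carrying wsu:Id (pre-fix shape)
      unresolved            URI matches no wsu:Id in the header
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(".//" + q(WSSE, "Security"))
    if security is None:
        return [("no-security-header", "")]
    by_id = {el.get(q(WSU, "Id")): el for el in security.iter() if el.get(q(WSU, "Id"))}
    assertions = {assertion_id(el): el for el in security.iter() if is_saml_assertion(el)}
    findings = []
    for sig in security.findall(q(DS, "Signature")):
        inside_sig = {id(el) for el in sig.iter()}
        for ref in sig.iter(q(DS, "Reference")):
            algorithms = {t.get("Algorithm") for t in ref.iter(q(DS, "Transform"))}
            if STR_TRANSFORM not in algorithms:
                continue
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            if target is None:
                kind = "unresolved"
            elif target.tag != q(WSSE, "SecurityTokenReference"):
                kind = "wsu-id-on-token"
            elif id(target) in inside_sig:
                kind = "str-inside-signature"
            elif target.find(q(WSSE, "Reference")) is not None:
                kind = "ok-reference"
            else:
                keyid = target.find(q(WSSE, "KeyIdentifier"))
                named = assertions.get((keyid.text or "").strip()) if keyid is not None else None
                kind = "ok-saml-keyid" if named is not None else "unsupported-keyid"
            findings.append((kind, uri))
    return findings


def envelope(security_body):
    """Constructed SOAP envelope wrapping the given wsse:Security content."""
    return ('<S:Envelope xmlns:S="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s" xmlns:saml2="%s">'
            '<S:Header><wsse:Security>%s</wsse:Security></S:Header><S:Body/></S:Envelope>'
            % (SOAP, WSSE, WSU, DS, SAML20, security_body))


# Minimal signature skeleton: only the Reference and its Transform are inspected.
SIGNATURE_OVER = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s">'
                  '<ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms>'
                  '</ds:Reference></ds:SignedInfo></ds:Signature>')

# Constructed post-fix message: STR beside the Signature, KeyIdentifier names the assertion.
FIXED_MESSAGE = envelope(
    '<saml2:Assertion ID="_a1" Version="2.0"/>'
    '<wsse:SecurityTokenReference wsu:Id="str1"><wsse:KeyIdentifier>_a1</wsse:KeyIdentifier>'
    '</wsse:SecurityTokenReference>'
    + SIGNATURE_OVER % ("str1", STR_TRANSFORM))

# Constructed pre-fix message: wsu:Id stamped on the assertion itself, no STR emitted.
PRE_FIX_MESSAGE = envelope(
    '<saml2:Assertion ID="_a1" Version="2.0" wsu:Id="tok1"/>'
    + SIGNATURE_OVER % ("tok1", STR_TRANSFORM))


if __name__ == "__main__":
    print(check_str_transform_references(FIXED_MESSAGE))    # [('ok-saml-keyid', '#str1')]
    print(check_str_transform_references(PRE_FIX_MESSAGE))  # [('wsu-id-on-token', '#tok1')]
```

The check resolves URIs only against wsu:Id values inside the wsse:Security header, so a Reference that reaches outside the header (or a token absent from the message, which the APAR says remains unsupported) comes back as unresolved rather than being silently accepted.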
The SAML 1.1 Assertion is:
{urn:oasis:names:tc:SAML:1.0:assertion}Assertion

The SAML 2.0 Assertion is:
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion

This APAR only applies to the JAX-RPC WS-Security 1.0 runtime. The JAX-RPC Draft 13 runtime was not updated.

The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.37 and 7.0.0.17. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 6
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ WebSphere Business Integration Server Foundation (WBISF)
__ Edge Components
__ Developer
__ Extended Deployment (XD)

Install Fix to:
Method:
_x_ Application Server Nodes
__ Deployment Manager Nodes
__ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.1.0.13 or newer of the Update Installer. Certain iFixes may require a newer version of the Update Installer, and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in file /updateinstaller/version.txt.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

For detailed instructions to extract the Update Installer see the following Technote:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205400

Note that there are two different methods for delivering iFixes, depending on the contents. The fix may be delivered either as a single file with a .pak extension (such as 6.1.0.11-WS-WAS-IFPK12345.pak) or as a single file with a .zip extension (such as 6.1.0.11-WS-WAS-IFPK12345.zip) which then contains one or more files with a .pak extension.
1) If your iFix is delivered as a single file with a .pak extension, copy the .pak file directly to the maintenance directory. If your iFix is delivered as a single file with a .zip extension, unzip the file into the maintenance directory.
2) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.
3) Launch Update Installer and click the Next button on the Welcome page.
4) Enter the directory path of the installation location of the WebSphere product you want to update, and click the Next button.
5) Select the "Install maintenance package" operation and click the Next button.
6) Enter the directory path of your maintenance directory where you have the maintenance packages (.pak files) and click the Next button.
7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer will select the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Please keep the Update Installer recommendations, click the Next button and continue with the installation of the maintenance package.
8) Please note that in the future, if a Feature Pack is installed or uninstalled, a different set of iFixes will be needed. Use the Update Installer again at that time, with the maintenance directory location where these maintenance packages are stored, to determine the required interim fixes for the new WebSphere and Feature Pack(s) combination.
9) The maintenance packages could have one of a set of names, and these names will help determine which maintenance package you need to install. The APAR name (PKxxxxx) should appear as part of the filename. Between the APAR number and the .pak extension there will be 0 to 2 characters added.
The table below indicates the usage of each of the maintenance packages with respect to which Feature Packs, if any, are installed.

|.pak File Names            |No Feature Packs|EJB3 Only|WebServices Only| Both |
|6.1.0.x-WS-WAS-IFPK12345   | X              | X       | X              | X    |
|6.1.0.x-WS-WAS-IFPK12345C  | X              |         |                |      |
|6.1.0.x-WS-WAS-IFPK12345CE |                | X       | X              | X    |
|6.1.0.x-WS-WAS-IFPK12345W  | X              | X       |                |      |
|6.1.0.x-WS-WAS-IFPK12345WE |                |         | X              | X    |
|6.1.0.x-WS-WAS-IFPK12345E  | X              |         | X              |      |
|6.1.0.x-WS-WAS-IFPK12345EE |                | X       |                | X    |

10) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shut down WebSphere Application Server. Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.
2) Start Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Select the file name of the maintenance package to uninstall (for example, 6.1.0.11-WS-WAS-IFPK12345.pak).
6) Verify the Uninstallation Summary and continue with the uninstall.
7) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
6.1.0.19-WS-WAS-IFPM12971.pak applies to fix pack 6.1.0.19 through 6.1.0.35.