Fix (APAR): PM12973
Status: Fix
Release: 7.0.0.11, 7.0.0.9, 7.0.0.7
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Sun, Windows
Supersedes Fixes: PK97223 PM01282 PK98750 PK96427
CMVC Defect: PM12973
Byte size of APAR: 1578438
Date: 2010-05-12

Abstract: JAX-WS WS-Security does not allow a trust store to be reloaded during runtime

Description/symptom of problem:

PM12973 resolves the following problem:

ERROR DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, trust validation against that certificate fails.

LOCAL FIX:
na

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server V7.0 users of WS-Security enabled JAX-WS applications

PROBLEM DESCRIPTION:
JAX-WS WS-Security does not allow a trust store to be reloaded during runtime.

RECOMMENDATION:
Apply an ifix or fixpack that includes this APAR.

JAX-WS WS-Security does not allow a trust store to be reloaded during runtime. If a trusted certificate is added to a trust store used by an X.509 token consumer after the application server is started, trust validation against that certificate fails. Applications may require the ability to reload a trust store during runtime.

PROBLEM CONCLUSION:
The trust store is a keystore. JAX-WS WS-Security does not detect a refresh of any keystore while the application server is running. For performance reasons, keystores are cached in memory when each application is started. The cache is shared among applications, so if a single application is stopped, its keystore(s) remain in the cache.

The following WS-Security custom property is added:

  com.ibm.wsspi.wssecurity.config.token.inbound.retryOnceAfterTrustFailure

If this property is set to true and a trust validation fails, the WS-Security runtime reloads its configured trust store and retries the trust validation one more time. If the second attempt also fails, the trust validation failure is returned. The reloaded trust store is used for that single re-validation attempt only; the keystore object in the cache is not replaced, because of concurrency concerns. It follows that every later validation of a certificate that exists only in the on-disk trust store reloads the store again, and so does every validation that fails because the presented certificate is not trusted at all.

Valid values for this property are true and false. The default is false.

This property is set as a custom property on the callback handler for an X.509, PKIPath, or PKCS#7 token consumer. The following path can be used to set the property in the administrative console:

  (bindingName) -> WS-Security -> Authentication and protection -> (tokenName) -> Callback handler

For an application using the WS-Security WSS API, the property can also be set on the callback handler for the token consumers listed above.

The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.13. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 7.0
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions:
None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V7.0.0.0 or newer of the Update Installer. Certain iFixes may require a newer version of the Update Installer, and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in file /updateinstaller/version.txt. The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

1) If your iFix is delivered as a single file with a .pak extension, copy the .pak file directly to the maintenance directory. If your iFix is delivered as a single file with a .zip extension, unzip the file into the maintenance directory.
2) Shut down WebSphere Application Server. Manually execute setupCmdLine.bat on Windows or ". ./setupCmdLine.sh" on UNIX from the WebSphere instance that maintenance is being applied to.
3) For IBM i users, use the update command to install and uninstall the interim fix. The IBM Information Center can provide additional details, if needed, on the use of this command:
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-iseries&topic=rins_update
For non-IBM i users, launch the Update Installer and click the Next button on the Welcome page.
4) Enter the directory path of the installation location of the WebSphere product you want to update, and click the Next button.
5) Select the "Install maintenance package" operation and click the Next button.
6) Enter the directory path of your maintenance directory where you have the maintenance packages (.pak files) and click the Next button.
7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer will select the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Keep the Update Installer recommendations, click the Next button and continue with the installation of the maintenance package. To determine why some maintenance packages have been identified as not applicable, see the description in the log found in /logs/tmp*/updatelogs.txt.
8) For all platforms except Windows: in the pre-install summary panel, use the "verify permission" feature to verify that the user has permission to apply updates to the files associated with the selected maintenance. Correct any file permissions before clicking Next to start the install.
9) Restart WebSphere Application Server.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and then fix3 re-applied.

1) Shut down WebSphere Application Server. Manually execute setupCmdLine.bat on Windows or ". ./setupCmdLine.sh" on UNIX from the WebSphere instance that the uninstall is being run against.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PKxxxxx.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
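The retry-once behaviour described under PROBLEM CONCLUSION, as an added Python model that is not IBM code and not the WS-Security runtime. The on-disk trust store is a constructed JSON list of certificate fingerprints standing in for a keystore, the certificates are byte-string stand-ins for DER-encoded X.509 certificates, and the class and function names (TrustStoreFile, X509TokenConsumer, demo) are assumptions made for the illustration. It shows a certificate added after startup failing with the property unset and passing with it set, and, because the cached keystore is never replaced, every later validation of that certificate, and every validation of an untrusted certificate, reloading the file again.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used as the trust-store entry key."""
    return hashlib.sha256(cert_der).hexdigest()


class TrustStoreFile:
    """Stand-in for the on-disk trust store (a keystore): a JSON list of fingerprints.

    Assumed format for this example; a real WebSphere trust store is a JKS/PKCS12 keystore.
    """

    def __init__(self, path: str) -> None:
        self.path = path
        self._write(set())

    def _write(self, fps) -> None:
        with open(self.path, "w") as f:
            json.dump(sorted(fps), f)

    def add(self, cert_der: bytes) -> None:
        """An administrator adds a trusted certificate to the store on disk."""
        fps = set(self.load())
        fps.add(fingerprint(cert_der))
        self._write(fps)

    def load(self) -> frozenset:
        """Read the store from disk (the expensive operation the runtime caches)."""
        with open(self.path) as f:
            return frozenset(json.load(f))


class X509TokenConsumer:
    """Models the WS-Security X.509 token consumer's cached keystore and the
    retryOnceAfterTrustFailure custom property."""

    def __init__(self, store: TrustStoreFile, retry_once_after_trust_failure: bool = False) -> None:
        self.store = store
        self.retry_once = retry_once_after_trust_failure
        self.cached = store.load()  # loaded at application start; never replaced
        self.reloads = 0            # counts reloads from disk for the demonstration

    def validate(self, cert_der: bytes) -> bool:
        fp = fingerprint(cert_der)
        if fp in self.cached:
            return True
        if not self.retry_once:
            return False            # property false (default): trust failure returned
        # Property true: reload from disk and retry exactly once. The fresh copy is
        # used for this attempt only; self.cached is deliberately left untouched.
        self.reloads += 1
        fresh = self.store.load()
        return fp in fresh


def demo() -> dict:
    """Run the scenario from the APAR and return the observed outcomes."""
    cert_a = b"constructed-cert-A"            # trusted before the server starts
    cert_b = b"constructed-cert-B"            # added to the store after startup
    cert_untrusted = b"constructed-cert-X"    # never added to the store
    with tempfile.TemporaryDirectory() as d:
        store = TrustStoreFile(os.path.join(d, "trust.json"))
        store.add(cert_a)
        default = X509TokenConsumer(store)                                   # property unset
        retrying = X509TokenConsumer(store, retry_once_after_trust_failure=True)
        results = {}
        results["startup"] = (default.validate(cert_a), default.validate(cert_b))
        store.add(cert_b)                     # admin adds cert B while the server runs
        results["default_after_add"] = default.validate(cert_b)
        results["retry_after_add"] = retrying.validate(cert_b)
        retrying.validate(cert_b)             # second validation of the same cert
        results["reloads_after_two_validations"] = retrying.reloads
        results["cache_unchanged"] = fingerprint(cert_b) not in retrying.cached
        results["untrusted_cert"] = retrying.validate(cert_untrusted)
        results["reloads_after_untrusted"] = retrying.reloads
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reload counter is the point of the model: with the property set, the reload cost is paid on every request whose certificate is absent from the cached keystore, including requests that present an untrusted certificate, so the property addresses occasional additions to the trust store rather than replacing a server restart.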