Fix (APAR): PQ76313 Status: Test Release: 5.0.2.2,5.0.2,5.0.1,5.0.0 Operating System: All Supersedes Fixes: CMVC Defect: PQ76313 Byte size of APAR: 64437 Date: 2004-01-09 Abstract: Application installation changes the case of the manifest of nested Description/symptom of problem: Application deployment tools will ignore the archive entry META-INF/manifest.mf, creating a new entry having the name META-INF/MANIFEST.MF. This will later cause a security exception to be thrown. (According to the JDK 1.2 documentation, doc guide jar manifest.html, the case of the manifest should be ignored. That is, manifest.mf should be recognized as the archive's manifest. No duplicate MANIFEST.MF entry should be created.) For example, jars that are signed using the Netscape signing tool 1.3 have a manifest named META-INF/manifest.mf. When deploying the signed application a second entry is created, META-INF/MANIFEST.MF. Later, a security exception is thrown from the runtime, for example: java.lang.SecurityException: invalid SHA1 signature file digest for com/in/widgets/q.class at sun.security.util.SignatureFileVerifier.verifySection(SignatureFileVerifier.java:321) at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:172) at java.util.jar.JarVerifier.processEntry(JarVerifier.java:239) at java.util.jar.JarVerifier.update(JarVerifier.java:194) at java.util.jar.JarFile.initializeVerifier(JarFile.java:251) at java.util.jar.JarFile.getInputStream(JarFile.java:313) at sun.plugin.cache.CachedJarLoader.authenticate(CachedJarLoader.java:504) at sun.plugin.cache.CachedJarLoader.access$600(CachedJarLoader.java:53) at sun.plugin.cache.CachedJarLoader$5.run(CachedJarLoader.java:338) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.cache.Cache.privileged(Cache.java:219) at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:320) at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:128) at sun.plugin.cache.JarCache.get(JarCache.java:172) at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:93) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:78) at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:580) at sun.misc.URLClassPath$JarLoader.(URLClassPath.java:541) at sun.misc.URLClassPath$3.run(URLClassPath.java:319) at java.security.AccessController.doPrivileged(Native Method) at sun.misc.URLClassPath.getLoader(URLClassPath.java:308) at sun.misc.URLClassPath.getLoader(URLClassPath.java:285) at sun.misc.URLClassPath.getResource(URLClassPath.java:155) at java.net.URLClassLoader$1.run(URLClassLoader.java:190) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:186) at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:134) at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:168) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:114) at java.lang.ClassLoader.loadClass(ClassLoader.java:255) at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:501) at sun.applet.AppletPanel.createApplet(AppletPanel.java:567) at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1778) at sun.applet.AppletPanel.runLoader(AppletPanel.java:496) at sun.applet.AppletPanel.run(AppletPanel.java:293) at java.lang.Thread.run(Thread.java:536) Directions to apply fix: NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO APPLY (INSTALL) A FIX. The Update Installer can be downloaded from the following link: http://www-3.ibm.com/software/webservers/appserv/support/index.html 1) Create a temporary directory to store the fix jar file: UNIX: /tmp/WebSphere/fix Windows: c:\temp\WebSphere\fix 2) Copy the fix jar file into the fix temporary directory. 3) Shutdown WebSphere. 4) Follow the instructions that are packaged with the Update Installer on how to apply (install) the Fix. 5) Restart WebSphere. 6) The temp directory may be removed. Directions to remove fix: NOTE: FIXES MUST BE REMOVED (UNINSTALLED) IN THE REVERSE OF THE ORDER THEY WERE APPLIED (INSTALLED). DO NOT REMOVE AN FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX. Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must first be removed, then fix2 is removed, and then fix3 is re-applied. 1) Shutdown WebSphere. 2) Follow the instructions that are packaged with the Update Installer on how to remove (uninstall) the Fix. 3) Restart WebSphere. Directions to re-apply fix: 1) Shutdown WebSphere. 2) Follow the instructions that are packaged with the Update Installer on how to remove (uninstall) and apply (install) the fix. 3) Restart WebSphere. Additional Information: This fix modifies the behavior of the deployment tooling so to prevent the creation of a duplicate manifest. This in turn allows applications to be deployed correctly. This fix DOES NOT correct applications which were deployed before the fix was applied, that is, which were deployed with a duplicate manifest. Applications which were deployed with a duplicate manifest must be redeployed after applying (installing) this fix. Only applications which were deployed with a duplicate manifest must be redeployed.