Fix (APAR): WAS_Security_12-13-2003_4.0.7-4.0.6-4.0.5-4.0.4-4.0.3-4.0.2-4.0.1_JSSE_cumulative_Fix
Status: Fix
Release: 4.0.7,4.0.6,4.0.5,4.0.4,4.0.3,4.0.2,4.0.1
Operating System: All
Supersedes Fixes: All JSSE fixes prior to 12/13/2004.
CMVC Defect: PQ82944
Byte size of APAR: 3072254
Date: 2004-02-03

Abstract: JSSE build 12/13/2004

Description/symptom of problem:

This fix contains IBM JSSE 1.0.3 build 20030707. Specific WebSphere APARs are listed below. The list reflects only issues reported by WebSphere customers and is not a comprehensive list of defects resolved.

PQ72138 WAS4.0.5 and WAS5, KeyManagerFactory can't get the KeyManager.

In WAS4 + ptf3, the KeyManagerFactory can get KeyManagers successfully. But in WAS4 + ptf5 and WAS5, the KeyManagerFactory can't get KeyManagers.

    java.lang.ClassCastException: java.lang.Object
        at com.ibm.net.ssl.b.engineGetKeyManagers(Unknow Source)
        at com.ibm.net.ssl.KeyManagerFactory.getKeyManagers(Unknow Source)
        at Test.main(Test.java:21)

PQ70127 PROBLEM WITH JSSE: WAS/LDAP SYSTEM HANGS DURING USER AUTHENTICATION USING SSL

When the customer has enabled WAS security with an LDAP server via SSL, entering a valid username and an invalid password causes login to hang. The problem occurs only when using SSL. JSSE is to be fixed to resolve the issue.

PQ75151 SSLHANDSHAKEEXCEPTION UNKNOWN CERTIFICATE ISSUED AFTER JSSE CUMULATIVE FIX DATED 3/17/2003 IS APPLIED

After applying the WebSphere Security JSSE r2 Cumulative Interim Fix for V4.0.1 - V4.0.5, which uses the ibmjsse.jar file dated 3/17/2003, the customer now gets the following errors in his application server stdout file when trying to display a document:

    Error opening Input Stream: javax.net.ssl.SSLHandshakeException: unknown certificate
    java.lang.NullPointerException

The customer can bypass the error if he disables security. When the customer tested with the ibmjsse.jar file dated 5/16/2003 and the newer version dated 6/6/2003, the problem went away.
Therefore this APAR is to record the customer symptoms and request a WebSphere packaged fix. The customer is running Sun Solaris V5.8 with WebSphere V4.0.4.

PQ82944 SSLHANDSHAKEEXCEPTION, SSL CONNECTION, X509V3 CERTIFICATE EXTENSIONS, JSSE

The customer received this error when trying to establish an SSL connection, using JSSE, to a server that utilizes a certificate with X509v3 certificate extensions. The program running on the WebSphere application server is the "client". The customer receives the following error:

    Error: javax.net.ssl.SSLHandshakeException: unknown certificate
    javax.net.ssl.SSLHandshakeException:unknown cerificate
        at com.ibm.jsse.JSSESocket.install(Unknown Source)
        at com.ibm.jsse.JSSESocket.startHandshake (Unknown Source)
        at com.ibm.net.ssl.internal.www.protocol.https.n.e(Unknown Source)

This problem was fixed with the JSSE build dated 12/13/03. The Hursley defect number was 67033.

IBMJSSE Defect:82996 - javax.net.ssl.SSLHandshakeException: unknown certificate on 1.3.x. When there is a critical extended key usage extension on the leaf certificate used to authenticate the server, a javax.net.ssl.SSLHandshakeException: unknown certificate will be thrown.
For 1.3.x, JSSE will not check to see if there are any other critical extensions. The latest IBMJSSE jar can be found on the IBM JIM site: w3.ibm.com/java

The customer is running WAS 4.0.7 on Solaris 8.

Local Fix: Customer is currently running with a temporary ibmjsse.jar file that they received from the JSSE team.

Directions to apply fix:

1) Create a temporary "fix" directory to store the jar file:
   Unix: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy the jar file to the directory
3) Shut down WebSphere
4) Create a /Fix directory if one does not already exist
5) Run the jar file with the following command, answering questions/prompts as they appear:
   java -jar -backupJar /Fix/_backup.jar
6) Restart WebSphere
7) The temp directory may be removed but the jar file should be saved. Do not remove any files created and stored in the /Fix directory. These files are required if a fix is to be removed.

Directions to remove fix:

NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Change directory to the fix location (/Fix).
2) Shut down WebSphere
3) Run the backup jar file with the following command:
   java -jar
4) Restart WebSphere

Directions to re-apply fix:

Follow the instructions for applying a fix. If the backup files still exist (from the previous fix application), you will be prompted to overwrite. Answer "yes" at the overwrite prompts.

Additional Information:
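
The condition behind PQ82944 and IBMJSSE defect 82996 (a critical extended key usage extension on the server's leaf certificate) can be checked on a saved copy of that certificate. The following is an added example, not part of the IBM fix or of JSSE; the class name and the certificate file argument are assumptions, and it uses only standard java.security.cert calls on a current JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

// Added example, not IBM code. The class name and the certificate file
// argument are assumptions; run it on a current JDK.
public class CriticalEkuCheck {
    static final String EKU_OID = "2.5.29.37"; // id-ce-extKeyUsage

    // True when the extended key usage extension is present and critical.
    static boolean hasCriticalEku(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs(); // null: no extensions
        return critical != null && critical.contains(EKU_OID);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CriticalEkuCheck <leaf-cert.pem|.der>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("X.509 version: v" + cert.getVersion());

        // Every critical extension is listed, since a TLS client must reject a
        // certificate carrying a critical extension it cannot process.
        Set<String> critical = cert.getCriticalExtensionOIDs();
        System.out.println("Critical extension OIDs: "
                + (critical == null || critical.isEmpty() ? "none" : critical));

        List<String> eku = cert.getExtendedKeyUsage(); // null: extension absent
        System.out.println("Extended key usage OIDs: " + (eku == null ? "absent" : eku));

        if (hasCriticalEku(cert)) {
            System.out.println("RESULT: critical EKU on this certificate; matches the "
                    + "PQ82944 condition for an unfixed JSSE client.");
            System.exit(1);
        }
        System.out.println("RESULT: no critical EKU; PQ82944 condition not present.");
    }
}
```

The exit status is 1 when the leaf certificate carries a critical EKU and 0 otherwise, so the check can be scripted across the servers a WebSphere client connects to.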