Fix (APAR):  WAS_Security_12-13-2003_4.0.7-4.0.6-4.0.5-4.0.4-4.0.3-4.0.2-4.0.1_JSSE_cumulative_Fix

Status:  Fix

Release:  4.0.7,4.0.6,4.0.5,4.0.4,4.0.3,4.0.2,4.0.1

Operating System:  All

Supersedes Fixes:  All JSSE fixes prior to 12/13/2004.

CMVC Defect:  PQ82944

Byte size of APAR:  3072254

Date: 2004-02-03

Abstract:  JSSE build 12/13/2004

Description/symptom of problem:  This fix contains IBM JSSE 1.0.3 build 20030707.

Specific WebSphere APARs are listed below.  This only reflects issues reported
by WebSphere customers, however, and is not a comprehensive list of defects
resolved.

PQ72138 WAS4.0.5 and WAS5, KeyManagerFactory can't get the KeyManager.
   In WAS4 + ptf3, the KeyManagerFactory can get KeyManagers
successfully.  But in WAS4 + ptf5 and WAS5, the KeyManagerFactory
can't get KeyManagers.
java.lang.ClassCastException: java.lang.Object
 at com.ibm.net.ssl.b.engineGetKeyManagers(Unknown Source)
 at com.ibm.net.ssl.KeyManagerFactory.getKeyManagers(Unknown Source)
 at Test.main(Test.java:21)

PQ70127 PROBLEM WITH JSSE: WAS/LDAP SYSTEM HANGS DURING USER AUTHENTICATION USING SSL
   When the customer has enabled WAS security with an LDAP server via
SSL, entering a valid username and an invalid password causes the
login to hang. The problem occurs only when using SSL. JSSE is to be
fixed to resolve the issue.

PQ75151 SSLHANDSHAKEEXCEPTION UNKNOWN CERTIFICATE ISSUED AFTER JSSE
        CUMULATIVE FIX DATED 3/17/2003 IS APPLIED
After applying the WebSphere Security JSSE r2 Cumulative
Interim Fix for V4.0.1 - V4.0.5, which uses the ibmjsse.jar file
dated 3/17/2003, the customer now gets the following errors
in his application server stdout file when trying to display
a document:
Error opening Input Stream:
javax.net.ssl.SSLHandshakeException: unknown certificate
java.lang.NullPointerException
The customer can bypass the error if he disables security.
When the customer tested with the ibmjsse.jar file dated 5/16/2003
and the newer version dated 6/6/2003, the problem went away.
Therefore this APAR is to record the customer symptoms and
request a WebSphere packaged fix. The customer is running Sun
Solaris V5.8 with WebSphere V4.0.4.

PQ82944 SSLHANDSHAKEEXCEPTION, SSL CONNECTION, X509V3 CERTIFICATE
        EXTENSIONS, JSSE

The customer received this error when trying to establish an SSL
connection, using JSSE, to a server that uses a certificate
with X509v3 certificate extensions.  The program running on the
WebSphere application server is the "client".  The customer
receives the following error:
Error: javax.net.ssl.SSLHandshakeException: unknown certificate
javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.JSSESocket.install(Unknown Source)
at com.ibm.jsse.JSSESocket.startHandshake(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.n.e(Unknown Source)
This problem was fixed with the JSSE build dated 12/13/03.  The
Hursley defect number was 67033.
IBMJSSE Defect 82996 - javax.net.ssl.SSLHandshakeException:
unknown certificate on 1.3.x: when there is a critical Extended
Key Usage extension on the leaf certificate used to authenticate the
server, a javax.net.ssl.SSLHandshakeException: unknown
certificate will be thrown.  For 1.3.x, no check is made for any
other critical extensions.
The latest IBMJSSE jar can be found on the IBM JIM site:
w3.ibm.com/java
The customer is running WAS 4.0.7 on Solaris 8.
Local Fix:
The customer is currently running with a temporary ibmjsse.jar file
received from the JSSE team.
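Added diagnostic example, not part of this fix package or of IBM's JSSE code: it loads a server certificate from a file named on the command line and reports its critical X.509v3 extensions, flagging the critical Extended Key Usage case that PQ82944 describes as the trigger for "unknown certificate" on JSSE 1.3.x. The class name and file argument are assumptions; the OIDs are the standard RFC 5280 values, and the code uses only the standard java.security.cert API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added diagnostic, not IBM code: lists critical X.509v3 extensions on a
// certificate and flags a critical Extended Key Usage (EKU), the condition
// PQ82944 reports as causing "unknown certificate" on JSSE 1.3.x.
public class CriticalExtensionCheck {
    // id-ce-extKeyUsage and id-kp-serverAuth (RFC 5280).
    static final String EKU_OID = "2.5.29.37";
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Critical extension OIDs on the certificate; empty set if none. */
    static Set<String> criticalExtensions(X509Certificate cert) {
        Set<String> oids = cert.getCriticalExtensionOIDs();
        return oids == null ? new HashSet<String>() : oids;
    }

    /** True when EKU is present, marked critical, and includes serverAuth. */
    static boolean hasCriticalServerAuthEku(X509Certificate cert) throws Exception {
        if (!criticalExtensions(cert).contains(EKU_OID)) {
            return false;
        }
        List<String> purposes = cert.getExtendedKeyUsage();
        return purposes != null && purposes.contains(SERVER_AUTH);
    }

    // Usage: java CriticalExtensionCheck server-cert.pem   (PEM or DER input)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Critical extensions: " + criticalExtensions(cert));
        System.out.println("Critical EKU with serverAuth: " + hasCriticalServerAuthEku(cert));
        // RFC 5280 requires rejecting a certificate carrying a critical extension
        // the validator does not recognise, so every other critical OID is worth review.
        for (String oid : criticalExtensions(cert)) {
            if (!oid.equals(EKU_OID)) {
                System.out.println("Other critical extension to review: " + oid);
            }
        }
    }
}
```

Run it against the server's leaf certificate before applying a JSSE level: a critical EKU, or any critical OID the installed JSSE build does not understand, is the configuration this APAR describes.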

Directions to apply fix:  1) Create temporary "fix" directory to store the jar file:
   Unix: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix

2) Copy jar file to the directory

3) Shutdown WebSphere

4) Create a <WASHOME>/Fix directory if one does not already exist

5) Run the jar file with the following command answering questions/prompts as they appear:
   java -jar <jarfile name> -backupJar <WASHOME>/Fix/<jar file name>_backup.jar

6) Restart WebSphere

7) The temp directory may be removed but the jar file should be saved.  Do not remove
   any files created and stored in the <WASHOME>/Fix directory.
   These files are required if a fix is to be removed.

Directions to remove fix:  NOTE:  FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.  DO NOT REMOVE A FIX UNLESS
   ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.  YOU MAY REAPPLY ANY REMOVED FIX.

Example:  If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be
   removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.


1) Change directory to the fix location (<WASHOME>/Fix).

2) Shutdown WebSphere

3) Run the backup jar file with the following command:
   java -jar <backup_fix#>

4) Restart WebSphere

Directions to re-apply fix:  Follow the instructions for applying a fix.

If the backup files still exist (from the previous fix application), you will be prompted to overwrite.

Answer "yes" at the overwrite prompts.

Additional Information: