PQ91005: Need latest build of IBM JCE added to WebSphere Application Server

 A fix is available

Security JCE Cumulative Fix



APAR status
Closed as program error.

Error description
There has been some concern regarding certificate expiration and
how IBM JCE is affected by this issue circulating among JCE
exploiters. The issue first arose when a Sun signing certificate
was set to expire on July 27, 2005.  This issue did/does not
affect IBM JCE providers, since the IBM certificate is set to
expire May 18, 2006 at 21:59:19 GMT.  Only 1.3.1 IBM JDKs were
affected by this issue (and 1.2.1 IBM JDKs; some of these were
still in use).  The 1.4.x series of IBM JDKs is unaffected.
.
An alert for the issue stated that the Java Security team
implemented a fix to ibmjcefw.jar which validates the signature
of the provider jar but ignores expiration of the certificate
associated with the signature.  Exploiters of IBM JCE with build
dates (found in the Manifest file in the ibmjcefw.jar) prior to
February 19, 2004 (040219) were advised to upgrade their
framework jar in order to avoid experiencing problems as a
result of the expiring certificate.
.
It has been noted by a few exploiters that the IBM certificate
is set to expire on May 18, 2006, and these exploiters have had
similar concerns about experiencing problems with JCE.  Again
with this issue, for 1.3.1 IBM JDKs (and below), JCE is not
bundled with the JDK, so a newer, unaffected ibmjcefw.jar may be
obtained from JIM (040219 or newer).  Also, the 1.4.x series
remains unaffected in this instance as well.  In addition, I
have been assured that no problems will be encountered when the
JVM attempts to load a framework jar signed by an expired
certificate.
.
Exploiters on z/OS should be immune to this issue if they are
using 1.3.1 SR 25 or later.
.
The following technote #1212932 is relevant to this document.

http://www-1.ibm.com/support/docview.wss?uid=swg21212932
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who are   *
*                 using signed jars in deployed applications.  *
****************************************************************
* PROBLEM DESCRIPTION: Signed jar verification will fail       *
*                      after year 2006.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The signed jar verification with IBM JCE build 040129 will
fail after year 2006.  This is due to existing jar files
signed with certificates that will expire in 2006.
Problem conclusion
Signed jar verification routine will now accept signed jars
with legitimate certificates even if the certificate has
expired.
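
The distinction drawn above, between a signature that still verifies and a signer certificate that has passed its expiry date, can be checked on any signed jar. The following is an added example, not IBM's code or part of the fix: it uses only the standard java.util.jar API, and the class name JarSignerExpiryCheck is hypothetical.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: lists the signer certificates of a jar and flags expired ones.
public class JarSignerExpiryCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerExpiryCheck <path-to-jar>");
            System.exit(2);
        }
        Date now = new Date();
        int unsigned = 0;
        Set<String> expired = new LinkedHashSet<>();
        Set<String> current = new LinkedHashSet<>();
        // verify=true: reading an entry to EOF checks its digest against the
        // signature and throws SecurityException if the content was altered.
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Simplification: skip directories and META-INF (manifest, signature files).
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                Certificate[] certs = entry.getCertificates(); // null if entry is unsigned
                if (certs == null) { unsigned++; continue; }
                for (Certificate c : certs) {
                    if (!(c instanceof X509Certificate)) continue;
                    X509Certificate x = (X509Certificate) c;
                    String line = x.getSubjectX500Principal().getName()
                            + " notAfter=" + x.getNotAfter();
                    (now.after(x.getNotAfter()) ? expired : current).add(line);
                }
            }
        }
        for (String s : current) System.out.println("VALID    " + s);
        for (String s : expired) System.out.println("EXPIRED  " + s);
        System.out.println("unsigned entries: " + unsigned);
        // Exit 1 flags jars whose signatures verify but whose signer chain has expired.
        System.exit(expired.isEmpty() ? 0 : 1);
    }
}
```

Integrity and expiry are reported separately: a SecurityException means an entry's content no longer matches its signature, while an EXPIRED line means only that a certificate in the signer chain is past its notAfter date.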
Temporary fix
Test fix provided.
Comments
APAR information
APAR number PQ91005
Reported component name WEBSPHERE AE SO
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2004-07-06
Closed date 2004-07-06
Last modified date 2005-10-24

APAR is sysrouted FROM one or more of the following:
PQ85933

APAR is sysrouted TO one or more of the following:

Modules/Macros

SRLS

Fix information
Fixed component name WEBSPHERE AE SO
Fixed component ID 5630A2202

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ91005
IBM Group: Software Group
Modified date: Oct 24, 2005