JCE Certificate Expiration Problem
 Technote (FAQ)
 
Problem
In WebSphere® Application Server versions 4.0 and 5.0, the IBM JCE that is shipped in the ibmjceprovider.jar file will fail to work after May 18, 2006 at 21:59:19 GMT.
 
Cause
1. This problem only occurs on IBM JVM versions 1.2 and 1.3 where ibmjcefw.jar is dated prior to 040219 in the manifest file.
2. If you are running IBM JVM version 1.2 or 1.3 with an ibmjcefw.jar file that is dated 040219 or later, you will be unaffected by the certificate expiration issue.
3. If you are running IBM JVM version 1.4, you will be unaffected by the certificate expiration issue.
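
The three conditions above can be checked mechanically against a copy of ibmjcefw.jar. The following Python sketch is an added example, not IBM code: it assumes the manifest date is a six-digit YYMMDD token and that two-digit years 70-99 mean 19xx. The function names and the Build-Date attribute in the sample are made up for illustration.

```python
import io
import re
import zipfile
from datetime import date

FIXED_FROM = date(2004, 2, 19)  # "040219" from the technote, read as YYMMDD (assumption)

def manifest_date(jar_bytes):
    """Return the earliest YYMMDD token in the jar manifest as a date, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None  # jar has no manifest
    # Manifest lines wrap at 72 bytes; a continuation line starts with one space.
    text = re.sub(r"\r?\n ", "", text)
    found = []
    for token in re.findall(r"(?<!\d)\d{6}(?!\d)", text):
        yy, mm, dd = int(token[:2]), int(token[2:4]), int(token[4:])
        # Two-digit year pivot (assumption): 70-99 -> 19xx, 00-69 -> 20xx,
        # so a 1999 build ("991105") sorts before 040219 instead of after it.
        try:
            found.append(date((1900 if yy >= 70 else 2000) + yy, mm, dd))
        except ValueError:
            continue  # six digits that are not a calendar date
    return min(found) if found else None  # earliest date = most cautious reading

def triage(jvm_version, jar_bytes):
    """Apply the three Cause rules: 'affected', 'unaffected' or 'unknown'."""
    major_minor = tuple(int(p) for p in jvm_version.split(".")[:2])
    if major_minor == (1, 4):
        return "unaffected"
    if major_minor not in ((1, 2), (1, 3)):
        return "unknown"  # the technote does not cover this JVM
    built = manifest_date(jar_bytes)
    if built is None:
        return "unknown"  # no date found in the manifest: inspect by hand
    return "affected" if built < FIXED_FROM else "unaffected"

def sample_jar(manifest_text):
    """Build a constructed in-memory jar that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed manifest; the Build-Date attribute name is hypothetical.
    old = sample_jar("Manifest-Version: 1.0\r\nBuild-Date: 031105\r\n")
    print(triage("1.3.1", old))
```

An "unknown" result means the manifest has to be read by hand, since the technote does not name the attribute that carries the date.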

WebSphere Application Server users who are using signed jars in deployed applications will be affected as the Java Cryptography Extension (JCE) has changed its signed jar verification routine to accept signed jars with legitimate certificates even if the certificate has expired. As a result, JCE services will not be disrupted even if the signer's certificate for a JCE provider has expired.
 
Solution
After the latest JCE cumulative fix is applied, JCE ignores the expiration of a certificate completely; it is not even checked. Therefore, JCE services will never be disrupted even if the signer's certificate for a JCE provider has expired. The signed jar verification routine will now accept signed jars with legitimate certificates even if the certificate has expired.

For version 5.0 users, this fix is contained in: PQ85933 (included in 5.0.2.5 cumulative fix)
For version 4.0 users, this fix is contained in: PQ91005
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 5.0.2.4
Software edition:
Reference #: 1212932
IBM Group: Software Group
Modified date: May 10, 2006