PQ91005: Need latest build of IBM JCE added to WebSphere Application Server
APAR status
Closed as program error.

Error description
There has been some concern regarding certificate expiration and how IBM JCE is affected by this issue circulating among JCE exploiters. The issue first arose when a Sun signing certificate was set to expire on July 27, 2005. This issue did/does not affect IBM JCE providers, since the IBM certificate is set to expire May 18, 2006 at 21:59:19 GMT. Only 1.3.1 IBM JDKs were affected by this issue (and 1.2.1 IBM JDKs; some of these were still in use). The 1.4.x series of IBM JDKs is unaffected.

An alert for the issue stated that the Java Security team implemented a fix to ibmjcefw.jar which validates the signature of the provider jar but ignores expiration of the certificate associated with the signature. Exploiters of IBM JCE with build dates (found in the Manifest file in the ibmjcefw.jar) prior to February 19, 2004 (040219) were advised to upgrade their framework jar in order to avoid experiencing problems as a result of the expiring certificate.

It has been noted by a few exploiters that the IBM certificate is set to expire on May 18, 2006, and these exploiters have had similar concerns about experiencing problems with JCE. Again with this issue, for 1.3.1 IBM JDKs (and below), JCE is not bundled with the JDK, so a newer, unaffected ibmjcefw.jar may be obtained from JIM (040219 or newer). Also, the 1.4.x series remains unaffected in this instance as well. In addition, I have been assured that no problems will be encountered when the JVM attempts to load a framework jar signed by an expired certificate.

Exploiters on z/OS should be immune to this issue if they are using 1.3.1 SR 25 or later.

The following technote #1212932 is relevant to this document.
http://www-1.ibm.com/support/docview.wss?uid=swg21212932

Local fix

Problem summary
USERS AFFECTED: WebSphere Application Server users who are using signed jars in deployed applications.
PROBLEM DESCRIPTION: Signed jar verification will fail after year 2006.
RECOMMENDATION:

The signed jar verification with IBM JCE build 040129 will fail after year 2006. This is due to existing jar files signed with certificates that will expire in 2006.

Problem conclusion
Signed jar verification routine will now accept signed jars with legitimate certificates even if the certificate has expired.

Temporary fix
Test fix provided.

Comments
APAR is sysrouted FROM one or more of the following: PQ85933
APAR is sysrouted TO one or more of the following:
Modules/Macros
SRLS
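
An added example, not IBM's code and not part of this APAR: a small Java utility that prints a jar's main manifest section (where the description says the ibmjcefw.jar build date is recorded) and lists each signing-chain certificate with its expiry status as of a chosen date. The class name `JarSignerExpiry` and its command-line arguments are assumptions, and it is written for a current JDK on an administrator's workstation, not for the 1.3.1/1.4.x runtimes discussed above.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class JarSignerExpiry {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java JarSignerExpiry <jar> [as-of yyyy-MM-dd]");
            System.exit(2);
        }
        // Date to judge expiry against (UTC midnight); defaults to now.
        Date asOf = args.length > 1
                ? Date.from(LocalDate.parse(args[1]).atStartOfDay(ZoneOffset.UTC).toInstant())
                : new Date();
        Map<String, X509Certificate> chain = new LinkedHashMap<>();
        try (JarFile jar = new JarFile(args[0])) { // signatures are verified by default
            // Print the main manifest section so the build date can be read off.
            Manifest mf = jar.getManifest();
            if (mf != null) {
                mf.getMainAttributes().forEach((k, v) -> System.out.println("manifest " + k + ": " + v));
            }
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory()) continue;
                // Certificates are set only after a full read; a modified entry throws SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) continue; // unsigned entry, e.g. files under META-INF
                for (Certificate c : certs) {
                    if (!(c instanceof X509Certificate)) continue;
                    X509Certificate x = (X509Certificate) c;
                    chain.putIfAbsent(x.getIssuerX500Principal() + "#" + x.getSerialNumber(), x);
                }
            }
        }
        for (X509Certificate x : chain.values()) {
            String state = asOf.after(x.getNotAfter()) ? "EXPIRED" : "ok";
            System.out.println(state + "  notAfter=" + x.getNotAfter() + "  " + x.getSubjectX500Principal());
        }
    }
}
```

On current JDKs, entries signed with algorithms listed in the `jdk.jar.disabledAlgorithms` security property are treated as unsigned, so an older jar may list no certificates at all.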
Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ91005
IBM Group: Software Group
Modified date: Oct 24, 2005
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.