PM47470: CERTIFICATES HAVE EXPIRED IN WS-SECURITY SAMPLES KEYSTORES

相关文章推荐

爱搭讪的芒果 · 【Maven】maven下载网址进不去处理方 ...· 1 月前 ·

才高八斗的茶叶 · SSD学习笔记 - 啊顺 - 博客园· 1 年前 ·

刚毅的啤酒 · 高效地进行Android ...· 1 年前 ·

踢足球的小熊猫 · 像table一样布局div_51CTO博客_ ...· 1 年前 ·

大力的油条 · org.apache.kafka.clien ...· 1 年前 ·

To return expected results, you can:

Reduce the number of search terms. Each term you use focuses the search further.

Check your spelling. A single misspelled or incorrectly typed term can change your result.

Try substituting synonyms for your original terms. For example, instead of searching for "java classes", try "java training"

Did you search for an IBM acquired or sold product ? If so, follow the appropriate link below to find the content you need.

6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

We are getting the following error, 10's of thousands of times
(Log is 10 Million lines after a day or so) when a certificate
is about to expire:
CWWSS5189W: The certificate, which is owned by
CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP, uses the
soaprequester alias, and is located in the
/WebSphere/V6R1M0E/AppServer1/profiles/default/etc/ws-security/
samples/dsig-sender.ks keystore,expires in 38 days.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V6.1                                 *
****************************************************************
* PROBLEM DESCRIPTION: The certificates in the WS-Security     *
*                      digital signature sample keystores      *
*                      have expired.                           *
****************************************************************
* RECOMMENDATION:  Install a fix pack that includes this APAR  *
****************************************************************
The certificates in the WS-Security digital signature sample
keystores expired on 08/26/2011.  The sample keystores are
dsig-sender.ks, dsig-receiver.ks and intca2.cer and are
located in the <PROFILE_ROOT>/etc/ws-security/samples
directory.
When one of the expired certificates in these keystores is
used by the WS-Security runtime, messages similar to the
following will be logged to the SystemOut.log:
[08/26/11 13:02:03:455 BST]   3f5426 KeyStoreKeyLo E
WSEC5156E: An exception while retrieving the key from KeyStore
object: java.security.cert.CertificateExpiredException:
NotAfter: Fri Aug 26 06:09:12 BST 2011
[8/30/11 15:42:24:198 EDT] 4a7a6588 KeyStoreKeyLo E WSEC5181E:
The certificate (Owner: "[email protected],
CN=SOAP 2.1 Test CA, OU=TRL, O=IBM, L=Yamato, ST=Kanagawa,
C=JP") with alias "soapca" from keystore
"/opt/WebSphere/AppServer/etc/ws-security/samples/dsig-
sender.ks
" has expired: java.security.cert.CertificateExpiredException:
NotAfter: Fri Aug 26 01:09:12 EDT 2011 at
com.ibm.security.x509.CertificateValidity.valid(Unknown Source)
If a certificate has is close to expiring, a message similar
to the following will be logged:
[8/30/11 14:07:31:326 EDT] 0000001e KeyStoreManag W
CWWSS5189W: The certificate, which is owned by
CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP, uses the
soaprequester alias, and is located in the
/opt/IBM/WebSphere/AppServer61/profiles/AppSrv02/etc/ws-
security
/samples/dsig-sender.ks keystore, expires in 31 days.
Since the runtime logs the messages each time the certificates
are accessed, it is possible to log the messages excessively.
Problem conclusion
The WS-Security sample digital signature certificates and
encryption keys that are located in the following files are
updated:
dsig-receiver.ks
dsig-sender.ks
enc-receiver.jceks
end-sender.jceks
intca2.cer
When new profiles are created, the new keystores will be used.
Since it is possible that the keystores that are located in
existing profiles had been updated after creation, the
keystores in existing profiles will not be replaced.  Refer to
the following technote for more information on how to update
the sample keystores in existing profiles:
http://www-01.ibm.com/support/docview.wss?uid=swg21507405
The WS-Security runtime is also updated to log the WSEC5156E,
WSEC5181E, and CWWSS5189W messages only once for each
expired/about to expire certificate.
IMPORTANT NOTE:
The signing certificates and encryption keys that are being
replaced by this APAR are used in the JAX-WS and JAX-RPC Web
Services Default Bindings for Web Services Security.  They are
provided for testing/example purposes only and should not be
used on production systems.
The fix for this APAR is currently targeted for inclusion in
fix pack 6.1.0.41.  Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PM47470
Reported component name
WEBSERVIC FEATU
Reported component ID
5724J0850
Reported release
61W
Status
CLOSED  PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-09-09
Closed date
2011-10-17
Last modified date
2011-10-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PM47701 PM47702
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R61A  PSY
   UP
R61H  PSY
   UP
R61I  PSY
   UP
R61P  PSY
   UP
R61S  PSY
   UP
R61W  PSY
   UP
R61Z  PSY
   UP