Alert - IBM Java Upgrade May Cause SiteMinder Component to Fail

SITEMINDER - POLICY SERVER

18231

08 June 2021


Dear CA Customer:

 

What follows is a notification first published on May 10th. The distribution list the first publication was sent to was a shortened version of the full distribution list this notification was intended for. This instance of the message is being sent to the broader notification distribution list. The message content is unchanged from May 10th.

 

May 10, 2021

It has come to our attention that some SiteMinder components will fail to function after the IBM Java version is upgraded on the WebSphere platform on which the SiteMinder component is also running. This notice outlines the details of the issue, provides guidance for avoiding it, and outlines additional actions Broadcom is taking. Please read the notice carefully.

Details on when a failure will occur:

    1. On what platform the failure occurs
      • The failure occurs only on the IBM WebSphere and IBM WebSphere Liberty platforms.
    2. SiteMinder components which may fail
      • SiteMinder Application Server Agent for WebSphere, versions prior to 12.8.
      • Any derivative work of the SiteMinder Java SDK that was built with a version of the SDK prior to 12.8 and then deployed on WebSphere or WebSphere Liberty. Affected derivative works may be custom code built by customers or code built with the SDK by technology partners for the purpose of integrating with SiteMinder.
    3. When these components will fail
      • When the IBM Java version running on WebSphere or WebSphere Liberty is upgraded to IBM Java 8.0.6.25 or higher.
    4. The cause of the failure
      • IBM Java 8.0.6.25 introduced a change in certificate validation: the list of providers trusted for the digital certificates that are checked when signed .jar files are loaded was changed. For the Application Server Agent the impacted jar file is sm_crypto.jar; for a derivative work of the SiteMinder Java SDK it is crypto.jar. Both files carry a signing certificate that is not on the trusted provider list in IBM Java 8.0.6.25 and higher. As a result, the jar will not load on a system running IBM Java 8.0.6.25 or later, and the SiteMinder component that depends on it fails.

 

What you should do:

    1. If you use the SiteMinder Application Server Agent for WebSphere

There are two general paths you can take to avoid the issue. The first is to plan to deploy the SiteMinder 12.8 Agent for WebSphere in place of the older SiteMinder agent wherever this issue occurs or could occur. The second is to protect the WebSphere hosted application through federation instead, by configuring SAML or OIDC federation to the WebSphere environment.

    2. If you have used the SiteMinder Java SDK to build a derivative work running on the WebSphere platform

Again, you have two choices. The first is to deploy AdoptOpenJDK to the WebSphere platform and configure the derivative work to use that Java instance. The second is to recompile the derivative work with the newer SiteMinder 12.8 Java SDK.
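Before choosing one of the paths above, an administrator needs to know which JARs on the WebSphere host carry a JAR signature that the JVM will validate at load time, and whether the installed IBM Java is at or past 8.0.6.25. The following Python script is an added triage example, not Broadcom's or IBM's code. It assumes the IBM Java 8 `java -version` banner contains the four-part build level (for example `build 8.0.6.25`); the banners and JARs it contains are constructed for illustration, and the signature entries in the sample JAR are placeholder bytes rather than a real signature.

```python
"""Added triage example (not Broadcom's or IBM's code).

Inputs: the text printed by `java -version` on the WebSphere host, plus the
bytes of each JAR in the agent/SDK deployment. Output: which JARs carry a JAR
signature (META-INF/<NAME>.SF plus a matching .RSA/.DSA/.EC block, which the
JVM validates at load time) and whether the installed IBM Java is at or past
8.0.6.25, the level the notice names.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

AFFECTED_FROM = (8, 0, 6, 25)                 # first level named in the notice
NAMED_JARS = {"sm_crypto.jar", "crypto.jar"}  # JARs the notice names explicitly
SIGNATURE_BLOCK_EXTS = (".rsa", ".dsa", ".ec")
_FOURPART = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_ibm_java_level(version_text: str) -> Tuple[int, ...]:
    """Return the four-part IBM Java build level, e.g. (8, 0, 6, 25).

    Assumption: the banner contains a dotted four-part number such as
    'build 8.0.6.25'. A non-IBM JVM (AdoptOpenJDK, HotSpot) prints no such
    number, so it raises rather than being silently treated as IBM Java.
    """
    m = _FOURPART.search(version_text)
    if not m:
        raise ValueError("no IBM-style four-part build level in version text")
    return tuple(int(g) for g in m.groups())


def java_level_is_affected(version_text: str) -> bool:
    """True when the JVM is IBM Java 8.0.6.25 or higher."""
    return parse_ibm_java_level(version_text) >= AFFECTED_FROM


def jar_signature_names(jar_bytes: bytes) -> List[str]:
    """Signature names that have both a .SF file and a block file in META-INF/."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    prefix = "META-INF/"
    meta = [n[len(prefix):] for n in names
            if n.startswith(prefix) and "/" not in n[len(prefix):]]
    sf = {n[:-3] for n in meta if n.lower().endswith(".sf")}
    blocks = {n.rsplit(".", 1)[0] for n in meta
              if n.lower().endswith(SIGNATURE_BLOCK_EXTS)}
    return sorted(sf & blocks)


def triage(version_text: str, jars: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each JAR for the given JVM:
    unsigned              nothing for the JVM to validate
    safe-java-level       signed, but the JVM is below 8.0.6.25
    named-signed-at-risk  a JAR the notice names, signed, JVM >= 8.0.6.25
    signed-verify-signer  other signed JAR; confirm its signer with jarsigner
    """
    affected = java_level_is_affected(version_text)
    result = {}
    for name, data in jars.items():
        if not jar_signature_names(data):
            result[name] = "unsigned"
        elif not affected:
            result[name] = "safe-java-level"
        elif name.lower() in NAMED_JARS:
            result[name] = "named-signed-at-risk"
        else:
            result[name] = "signed-verify-signer"
    return result


def build_sample_jar(signed: bool) -> bytes:
    """Constructed sample JAR with the entry layout of a signed/unsigned archive.
    The .SF and .RSA contents are placeholders, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\nName: com/example/Crypto.class\r\n"
                    "SHA-256-Digest: AAAA\r\n\r\n")
        zf.writestr("com/example/Crypto.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SM_CRYPTO.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SM_CRYPTO.RSA", b"\x30\x82placeholder-pkcs7")
    return buf.getvalue()


# Constructed banners modelled on the IBM Java 8 `java -version` format.
IBM_JAVA_NEW = ('java version "1.8.0_281"\nJava(TM) SE Runtime Environment '
                '(build 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25))\n')
IBM_JAVA_OLD = ('java version "1.8.0_265"\nJava(TM) SE Runtime Environment '
                '(build 8.0.6.20 - pxa6480sr6fp20-20200922_01(SR6 FP20))\n')

if __name__ == "__main__":
    jars = {"sm_crypto.jar": build_sample_jar(True),
            "helper.jar": build_sample_jar(False)}
    for label, banner in (("new", IBM_JAVA_NEW), ("old", IBM_JAVA_OLD)):
        print(label, parse_ibm_java_level(banner), triage(banner, jars))
```

To use it on a real host, replace the constructed banners with the actual `java -version` output and the sample JARs with the bytes of sm_crypto.jar or crypto.jar from the deployment. The script only detects that a JAR signature is present and that the JVM is at an affected level; it does not decide whether the signing certificate is trusted. For that, run `jarsigner -verify -verbose -certs <jar>` with the upgraded IBM Java and inspect the reported signer chain.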

 

 

FAQ:

Q1: You mentioned this issue only occurs with IBM Java. Have you tested your components on other Java application server platforms to confirm this is an IBM-specific issue?

A1: Yes, we have, and the issue is observed only with IBM Java.

 

Q2: Did you (Broadcom) raise this issue with IBM?

A2: Yes, we did. We pointed out the change in behavior that started with 8.0.6.25. We do not currently expect IBM to revert their Java code to the historical behavior (prior to 8.0.6.25).

 

Q3: If we do not upgrade the version of IBM Java to 8.0.6.25 or higher, will we experience the noted issue?

A3: No.

 

Q4: I am running a version of the SiteMinder Policy Server earlier than 12.8. The remedy you propose for the Application Server Agent is to run the 12.8 version of the WebSphere Agent. Can I do that with an earlier version of the Policy Server?

A4: Yes. To resolve this issue we have tested the 12.8 version of the WebSphere Application Server Agent with earlier versions of the SiteMinder Policy Server, and we will provide full support of the Agent (specifically) on earlier versions of the Policy Server. SiteMinder Policy Servers earlier than 12.8 are outside their mainstream support period; no change to the support policy for those end-of-service (EOS) Policy Servers is implied by this notice.

 

Q5: I am running a version of the SiteMinder Policy Server earlier than 12.8. The remedy you propose for derivative works of the SiteMinder Java SDK is to rebuild with the 12.8 version of the SDK. Can I do that and use the derivative work on a WebSphere platform to communicate with an earlier version of the Policy Server?

A5: Yes. To resolve this issue we will provide full support of the SDK in that configuration. SiteMinder Policy Servers earlier than 12.8 are outside their mainstream support period; no change to the support policy for those end-of-service (EOS) Policy Servers is implied by this notice.

 

Q6: I noticed there is no mention of the Web Agent Option Pack if it is running on WebSphere.   Is that impacted by this issue?

A6: No, it is not.

 

Q7: I looked at the platform support matrix for the 12.8 version of the application server agent for WebSphere and I don't see the combination (version of WebSphere on a specific operating system) that I need. What should I do?

A7: We have executed certifications of our Agent on older versions of WebSphere (for example, 8.5.5) and will be executing more certifications to cover additional platforms where you will need the 12.8 version of the Agent to run. If you do not see a combination that your organization needs covered, please open an enhancement request for that combination on the SiteMinder Ideas community site. That location will be monitored daily for the near term. Follow these steps:

  1. Navigate to https://community.broadcom.com/home
  2. Log in
  3. Select “Ideas” from the menu options towards the top of the screen
  4. Select the “Add” on the upper right side of the screen
  5. Enter your request details, including the version of WebSphere and the version of the operating system. Select "Symantec Access Management" from the Category pull-down menu.
  6. Click “Save”

 

Q8: I am not sure whether the resolution paths you have outlined will work for me.  What should I do?

A8: Please contact Broadcom Customer Support https://support.broadcom.com/contact-support.html.