SOAP Web Services Fail After WebSphere Liberty Patched

December 5, 2022 Timothy Prickett Morgan

If you had not yet gotten around to putting the October 2022 HTTP Group PTF patches for the WebSphere Liberty web application server on your IBM i system, that may turn out to be a fortunate thing. There is something wonky about SOAP web services running in conjunction with Integrated Web Services (IWS v2.6) and Integrated Application Server (IAS v8.5) middleware on the IBM i platform that is causing SOAP fault errors.

This error is documented here by IBM, and the techies that we know are trying to figure out the full extent of the issue. Doug Bidwell, our intrepid system engineer pal who puts together the IBM i PTF Guide every week, strongly suspects that Access Client Solutions will be one of the tools that is impacted bigtime by this SOAP bubble.

“This issue affects all platforms and is introduced with the IBM WebSphere Application Server Liberty 22.0.0.8 and later fix pack levels,” IBM writes in the document. “This includes the 22.0.0.9 Liberty fix pack level installed with the October 2022 IBM i HTTP Group PTF level.”

WebSphere Liberty edition is bundled in the IBM i platform as the core application server and is the main runtime environment for the IBM i Administration Server, IBM i Integrated Application Server, and IBM i Integrated Web Services components. With the latest round of patches to WebSphere Liberty, this software was updated from Liberty 22.0.0.6 to Liberty 22.0.0.9. And this is a tricky issue, as IBM explains:

“One of the current workarounds is to remove the latest IBM i OS Liberty 22.0.0.9 update PTF to rollback the 22.0.0.9 Liberty fix pack to 22.0.0.6.” says IBM. “With the IBM i PTF structure, updating the IBM i OS Liberty runtime to apply security fixes beyond the 22.0.0.9 fix pack level would result in permanently applying the 22.0.0.9 fix pack. This would prevent rolling back the 22.0.0.9 fix pack to resolve this issue.”

That is a Catch-22, or rather, a Catch-22.0.0.9 to be precise. If customers rollback to Liberty 22.0.0.7, then critical security fixes that remediate against CVE-2022-22476 and CVE-2019-11777 vulnerabilities will be removed. And updating the client SOAP envelopes is not exactly practical for customers that might have hundreds or even thousands of SOAP web services clients that need to be updated with a workaround inside of SOAP.

As of November 29, IBM was working on the issue and developing a proper fix. We will keep you updated.

RELATED STORIES

IBM Encourages IAS and IWS Users to Move to Java 8

Db2 PTF Group Enhancements Target Web Services, Audit Journal

So You Want To Do Containerized Microservices In the Cloud?

Monoliths, Microservices, And IBM i Modernization: Part 1

Modernizing IBM i Apps with Microservices

RPG, XML, SOAP, and REST: Web Services for IBM i