IBM Support

PM48161: INCORRECT CWPKI0013W MESSAGE INDICATING IBMJCEFIPS PROVIDER IS NOT ACTIVE WHEN JAVA.SECURITY.PROPERTIES IS USED

Fixes are available

8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.

APAR status

  • Closed as program error.

Error description

  • When FIPS is enabled and the IBMJCEFIPS provider is specified in
    a java.security file pointed to by the Java system property
    java.security.properties, an incorrect CWPKI0013W message is
    issued.
    
    For example:
    
    The control or servant region shows the Java system property
    java.security.properties pointing to a java.security file in a
    different location.
    
    +BBOJ0077I: java.security.properties = /tmp/java.security
    
    ----
    # List of providers and their preference orders (see above):
    #
    #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    ----
    
    The following CWPKI0013W message surfaces in both the control
    and servant region since the code does not handle the java
    system property java.security.properties.
    
    Trace: 2011/09/02 13:19:59.569 01 t=6E3A60 c=UNK key=S2
    (13007002)
       ThreadId: 00000000
       FunctionName: com.ibm.ws.ssl.config.FIPSManager
       SourceId: com.ibm.ws.ssl.config.FIPSManager
       Category: WARNING
       ExtendedMessage: BBOO0221W: CWPKI0013W: FIPS is enabled but
    the IBMJCEFIPS provider is not active in the java.security file.
    To ensure FIPS algorithms usage for all WAS process types,
    uncomment the IBMJCEFIPS provider in the java.security file,
    ahead of the IBM JCE, and renumber the provider list in
    sequential order.
    

Local fix

  • Ignore CWPKI0013W message
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V7.0 and V8.0                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: Enabling Federal Information            *
    *                      Processing Standard (FIPS) using an     *
    *                      alternate java.security file            *
    *                      incorrectly results in warning:         *
    *                      CWPKI0013W: FIPS is enabled but the     *
    *                      IBMJCEFIPS provider is not active in    *
    *                      the java.security file.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When FIPS is enabled and the IBMJCEFIPS provider is specified in
    a java.security file pointed to by the Java system property
    java.security.properties, an incorrect CWPKI0013W message is
    issued.
    For example:
    The control or servant region shows the Java system property
    java.security.properties pointing to a java.security file in a
    different location.
    +BBOJ0077I: java.security.properties = /tmp/java.security
    ----
    # List of providers and their preference orders (see above):
    #
    #security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.11=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.12=org.apache.harmony.security.provider.PolicyProvider
    ----
    The following CWPKI0013W message surfaces in both the control
    and servant region since the code does not handle the java
    system property java.security.properties.
    CWPKI0013W: FIPS is enabled but
    the IBMJCEFIPS provider is not active in the java.security
    file.
    To ensure FIPS algorithms usage for all WAS process types,
    uncomment the IBMJCEFIPS provider in the java.security file,
    ahead of the IBM JCE, and renumber the provider list in
    sequential order.
    

Problem conclusion

  • Our code is incorrectly using the java.security file default
    location, WASHOME/java/jre/lib/security. Code has been changed
    to use the location specified in the JVM property
    java.security.properties when specified. We will use this
    location to verify that the security provider
    com.ibm.crypto.fips.provider.IBMJCEFIPS is specified.
    
    APAR PM48161 is currently targeted for inclusion in
    Fix Packs 7.0.0.23 and 8.0.0.3 of WebSphere Application
    Server.
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
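
    The check described in this conclusion can be reproduced outside the server to confirm which java.security file is actually in effect and whether it satisfies the conditions named in the CWPKI0013W text. The following is an added example, not IBM's code: the function names, the in-memory FILES table and its sample contents are assumptions made for illustration.

```python
import re

FIPS = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
JCE = "com.ibm.crypto.provider.IBMJCE"
# Default location named on this page; WASHOME is left as a placeholder.
DEFAULT_PATH = "WASHOME/java/jre/lib/security/java.security"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

# Constructed sample file contents keyed by path (not real server files).
FILES = {
    DEFAULT_PATH: f"#security.provider.1={FIPS}\n"
                  f"security.provider.1={JCE}\n"
                  "security.provider.2=com.ibm.jsse2.IBMJSSEProvider2\n",
    "/tmp/java.security":
        "#security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA\n"
        f"security.provider.1={FIPS}\n"
        f"security.provider.2={JCE}\n"
        "security.provider.3=com.ibm.jsse2.IBMJSSEProvider2\n",
}

def effective_security_file(jvm_props):
    """Use java.security.properties when it is set, else the default file."""
    return jvm_props.get("java.security.properties", "").strip() or DEFAULT_PATH

def parse_providers(text):
    """Map provider number -> class name, skipping commented-out entries."""
    providers = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)  # lines starting with '#' do not match
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers

def audit_fips(text):
    """Return findings for the conditions the CWPKI0013W message names."""
    providers = parse_providers(text)
    position = {name: n for n, name in providers.items()}
    findings = []
    if FIPS not in position:
        findings.append("IBMJCEFIPS provider is not active")
    elif JCE in position and position[FIPS] > position[JCE]:
        findings.append("IBMJCEFIPS is listed after IBMJCE")
    if sorted(providers) != list(range(1, len(providers) + 1)):
        findings.append("provider list is not numbered sequentially")
    return findings

def check(jvm_props):
    path = effective_security_file(jvm_props)
    return path, audit_fips(FILES[path])
```

    Auditing only the default file reports the provider as inactive even when the override file is correct, which is the false warning this APAR addresses.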
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM48161

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-09-19

  • Closed date

    2011-12-06

  • Last modified date

    2012-06-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R700 PSY UK78616

       UP12/05/26 P F205

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 7.0

Reference #: PM48161

Modified date: 03 June 2012