APAR status
Closed as program error.
Error description
Error Message, as reported by customer: javax.net.ssl.SSLHandshakeException: Error signing certificate verify when using IBMCAC provider with JSSE Stack Trace, if applicable: Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify at com.ibm.jsse2.k.a(k.java:6) at com.ibm.jsse2.at.a(at.java:572) at com.ibm.jsse2.D.a(D.java:11) at com.ibm.jsse2.E.a(E.java:490) at com.ibm.jsse2.E.a(E.java:245) at com.ibm.jsse2.D.r(D.java:223) at com.ibm.jsse2.D.a(D.java:198) at com.ibm.jsse2.at.a(at.java:649) at com.ibm.jsse2.at.i(at.java:627) at com.ibm.jsse2.at.a(at.java:689) at com.ibm.jsse2.at.startHandshake(at.java:432) Other Error Information, as reported by customer: N/A
Local fix
Disable SHA224 algorithms. In java.security file update the jdk.tls.disabledAlgorithms security property to include SHA224. i.e. jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224, SHA224
Problem summary
IBMCAC provider does not support SHA224 ERROR DESCRIPTION: Error Message: javax.net.ssl.SSLHandshakeException: Error signing certificate verify when using IBMCAC provider with JSSE Stack Trace, if applicable: Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify at com.ibm.jsse2.k.a(k.java:6) at com.ibm.jsse2.at.a(at.java:572) at com.ibm.jsse2.D.a(D.java:11) at com.ibm.jsse2.E.a(E.java:490) at com.ibm.jsse2.E.a(E.java:245) at com.ibm.jsse2.D.r(D.java:223) at com.ibm.jsse2.D.a(D.java:198) at com.ibm.jsse2.at.a(at.java:649) at com.ibm.jsse2.at.i(at.java:627) at com.ibm.jsse2.at.a(at.java:689) at com.ibm.jsse2.at.startHandshake(at.java:432)
Problem conclusion
Disable acceptable of SHA224 when IBMCAC is being used. The associated RTC PR is 136379 The associated Austin CMVC defect is 117763 The associated Austin APAR is IJ02621 JVMs affected : Java 8, 7, and 6 The fix was delivered for: Java 8 SR5 FP10, Java 7 SR10 FP20, Java 727 SR4 FP20, Java 6 SR16 FP60, Java 626 SR8 FP60 The affected jars: ibmjsseprovider2.jar The build level of this jar for the affected releases is "20171207"
Temporary fix
Comments
APAR Information
APAR number
IJ02621
Reported component name
TIVOLI JAVA PKC
Reported component ID
TIVSECPKC
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-12-13
Closed date
2018-02-01
Last modified date
2018-02-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
999
Fix information
Fixed component name
TIVOLI JAVA PKC
Fixed component ID
TIVSECPKC
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL45","label":"PKCS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 February 2018