APAR status
Closed as program error.
Error description
Error Message: Customers have experienced both of the following exceptions. Both exceptions are indicative of a bad session handle being allocated internally by the IBMPKCS11Impl provider. Caused by: java.security.InvalidKeyException: com.ibm.pkcs11.PKCS11Exception: Session handle is invalid Caused by: java.lang.NullPointerException at com.ibm.crypto.pkcs11impl.provider.Signature.engineInitSign( . Stack Trace: Caused by: java.security.InvalidKeyException: com.ibm.pkcs11.PKCS11Exception: Session handle is invalid at com.ibm.crypto.pkcs11impl.provider.GeneralSignature.engineInitSi gn(GeneralSignature.java:175) at java.security.Signature$Delegate.init(Signature.java:1158) at java.security.Signature$Delegate.chooseProvider(Signature.java:1 119) at java.security.Signature$Delegate.engineInitSign(Signature.java:1 184) at java.security.Signature.initSign(Signature.java:533) at org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatu reMethod.java:253) at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignatu re.java:407) ... 87 more Caused by: com.ibm.pkcs11.PKCS11Exception: Session handle is invalid at com.ibm.crypto.pkcs11impl.provider.Session.signInit(Session.java :370) at com.ibm.crypto.pkcs11impl.provider.Signature.engineInitSign(Sign ature.java:198) at com.ibm.crypto.pkcs11impl.provider.GeneralSignature.engineInitSi gn(GeneralSignature.java:167) ... 93 more Also Caused by: java.lang.NullPointerException at com.ibm.crypto.pkcs11impl.provider.Signature.engineInitSign(Sign ature.java:198) ?<OSB>ibmpkcs11impl.jar:8.0 build_20170712<CSB> at com.ibm.crypto.pkcs11impl.provider.GeneralSignature.engineInitSi gn(GeneralSignature.java:167) ?<OSB>ibmpkcs11impl.jar:8.0 build_20170712<CSB> at java.security.Signature$Delegate.init(Signature.java:1158) ?<OSB>?:1.8.0<CSB> at java.security.Signature$Delegate.chooseProvider(Signature.java:1 119) ?<OSB>?:1.8.0<CSB> at java.security.Signature$Delegate.engineInitSign(Signature.java:1 184) ?<OSB>?:1.8.0<CSB> at java.security.Signature.initSign(Signature.java:533) ?<OSB>?:1.8.0<CSB> at org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatu reMethod.java:253) ?<OSB>ibmxmldsigprovider.jar:?<CSB> at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignatu re.java:407) ?<OSB>ibmxmldsigprovider.jar:?<CSB> at com.npower.dpi.services.signature.factory.impl.IBMSignatureProvi der.signXMLDocument(IBMSignatureProvider.java:124) ?<OSB>classes/:?<CSB> ... 86 more .
Local fix
Problem summary
Customers have experienced both of the following exceptions. Both exceptions are indicative of a bad session handle being allocated internally by the IBMPKCS11Impl provider. Caused by: java.security.InvalidKeyException: com.ibm.pkcs11.PKCS11Exception: Session handle is invalid Caused by: java.lang.NullPointerException at com.ibm.crypto.pkcs11impl.provider.Signature.engineInitSig
Problem conclusion
I can see the potential for exhausting the available sessions with today's session manangement logic. I suspect is what is behind the allocation of "invalid" and "null" sessions. I have made modifications to the IBMPKCS11Impl session management logic which will throttle unconstrained session use. The affected jar is ibmpkcs11impl.jar. The build level of that jar is 20171207. The CMVC defect number is 117750. The RTC PR number is 136318 . This APAR will be fixed in the following Java Releases: 8 SR5 FP10 (8.0.5.10) 6 R1 SR8 FP60 (6.1.8.60) 7 R1 SR4 FP20 (7.1.4.20) 6 SR16 FP60 (6.0.16.60) 7 SR10 FP20 (7.0.10.20) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ02679
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-12-14
Closed date
2018-01-02
Last modified date
2018-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R270 PSY
UP
R260 PSY
UP
R600 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020