APAR status
Closed as program error.
Error description
Error Message: Some certificates use an LDAP CRL endpoint for certificate revocation status validation. When the CRL endpoint is not reachable, the Java thread that performs the CRL validation waits until the underlying network connection times out, resulting in a slow response from the LDAP server. Setting the com.sun.jndi.ldap.connect.timeout environment variable and the com.ibm.security.crls.timeout system property has no effect because these values are ignored by the IBM SDK.
Stack Trace: N/A
The issue could result in a slow LDAP server response when the LDAP server is not reachable.
Local fix
Disable real-time CRL endpoint checking if the underlying network timeout value degrades the LDAP server's response.
Problem summary
When an LDAP CRL is used, the CRL Distribution Point timeout value is ignored.
Problem conclusion
A change is made to the IBM Certification Path Provider.
The associated Hursley RTC Problem Report is 137442.
The associated Austin CMVC defect is 117811.
JVMs affected: Java 7.0, Java 727 and Java 8.0.
The fix was delivered for Java 7.0 SR10FP25, Java 727 SR4FP25, and Java 8 SR5FP15.
The affected jar is "ibmcertpathprovider.jar".
The build level of this jar for the affected releases is "20180307".

The JVM has been updated to respond to timeout values set by the user while using an LDAP Distribution Point for checking certificate revocation status. A timeout value is set before establishing a connection with the LDAP server that is being used as a CRL Distribution Point. The timeout value is determined as follows:
The SDK first uses the environment property com.sun.jndi.ldap.connect.timeout.
If the environment variable is not set, the SDK uses the com.ibm.security.crls.timeout system property.
If both the environment variable and the system property are not set, then the SDK uses a default timeout value of 15 seconds.

This APAR will be fixed in the following Java Releases:
8 SR5 FP15 (8.0.5.15)
7 R1 SR4 FP25 (7.1.4.25)
7 SR10 FP25 (7.0.10.25)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
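A check for whether an installed SDK level already carries this fix, given as an added example that is not IBM's code. It assumes the level is supplied as a four-part string in the form this APAR uses (for example 8.0.5.15) and that service refreshes and fix packs are cumulative within a release stream; the host names and levels in the inventory are constructed.

```python
import re

# Fix levels as listed in the APAR text: (version, release, service refresh, fix pack).
FIX_LEVELS = {
    (8, 0): (8, 0, 5, 15),   # 8 SR5 FP15
    (7, 1): (7, 1, 4, 25),   # 7 R1 SR4 FP25
    (7, 0): (7, 0, 10, 25),  # 7 SR10 FP25
}
_LEVEL = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_level(text):
    """Turn '8.0.5.15' into (8, 0, 5, 15); reject anything else."""
    m = _LEVEL.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a four-part SDK level: {text!r}")
    return tuple(int(part) for part in m.groups())


def has_fix(level_text):
    """True/False for the three listed streams, None for a stream the APAR does not list."""
    level = parse_level(level_text)
    fix = FIX_LEVELS.get(level[:2])
    if fix is None:
        return None
    # Assumption: service refreshes and fix packs are cumulative within a stream.
    # Tuples compare numerically, so 7.0.9.60 sorts below 7.0.10.25.
    return level >= fix


def needs_update(inventory):
    """Return hosts whose SDK level is in a listed stream but below the fix level."""
    return sorted(host for host, level in inventory.items() if has_fix(level) is False)


# Constructed inventory (hypothetical host names and levels).
SAMPLE = {
    "app01": "8.0.5.10",
    "app02": "8.0.5.15",
    "app03": "7.0.9.60",
    "app04": "7.1.4.25",
    "app05": "6.0.16.50",
}

if __name__ == "__main__":
    print("below fix level:", needs_update(SAMPLE))
```

Hosts that come back from needs_update are the ones where the CRL Distribution Point timeout settings are still ignored, so the local fix above remains the only control there until the SDK is updated.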
Temporary fix
Comments
APAR Information
APAR number
IJ04910
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-03-13
Closed date
2018-03-23
Last modified date
2018-06-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
07 December 2020