APAR status
Closed as program error.
Error description
Error Message: Various errors can be visable when keys associated with the incorrect provider are returned from the PKCS12 keystore. It was observed that a stack trace described below is possible in the case for example when IBMJCECCA is above the IBMJCE provider in the provider list while using the key with IBMJCE. . Stack Trace: Caused by: java.lang.UnsupportedOperationException: Hardware error, function getModulus has no meaning in hardware at com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey.getModulus(RSAPr ivateHWKey.java:215) at com.ibm.crypto.provider.RSAKeyFactory.engineGetKeySpec(Unknown Source) at com.ibm.crypto.provider.RSAKeyFactory.engineTranslateKey(Unknown Source) at com.ibm.crypto.provider.RSAKeyFactory.toRSAKey(Unknown Source) at com.ibm.crypto.provider.RSASignature.engineInitSign(Unknown Source) at com.ibm.crypto.provider.RSASignature.engineInitSign(Unknown Source) at java.security.Signature$Delegate.engineInitSign(Signature.java:1 182) at java.security.Signature.initSign(Signature.java:533) at com.ibm.security.x509.X509CertImpl.sign(X509CertImpl.java:915) . The earlier versions of IBM SDKs always used the IBMJCE provider to return PKCS12 Keys. In IBM SDK 8, the keys are returned by a JCE provider based on the JCE provider list. If a JCE provider is ahead of IBMJCE, then keys will be returned by that JCE provider. This may result in key objects that may not be consistant with how earlier versions of IBM SDKs are returning the keys.
Local fix
Make IBMJCE provider higher on the list ahead of other JCE providers if possible.
Problem summary
Inconsistency between IBM SDK 8 and earlier versions of IBM SDK in how PKCS12 keystore keys are returned.
Problem conclusion
A change is made to the IBM JCE Provider The associated Hursley RTC Problem Report is 137425 The associated Austin CMVC defect is 117812 JVMs affected: Java 8.0 The fix was delivered for Java 8 SR5FP15 The affected jar is "ibmjceprovider.jar" The build level of this jar for the affected releases is "20180219" The earlier versions of IBM SDKs always used the IBMJCE provider to return PKCS12 Keys. In IBM SDK 8, the keys are returned by a JCE provider based on the JCE provider list. The fixed code ensures that IBMJCE provider will be used to return PKCS12 Keys even if other JCE providers are higher on the JCE provider list. . This APAR will be fixed in the following Java Releases: 8 SR5 FP15 (8.0.5.15) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ04911
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-03-13
Closed date
2018-03-13
Last modified date
2018-06-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020