IBM Support

IJ18573: UPDATE IKEYMAN FOR IBMJCEPLUS, PKCS12 KEYSTORE CORRUPTED AFTER USING IKEYMAN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • 1. Update iKeyman for IBMJCEPlus
    Update iKeyman to enable IBMJCEPlus and IBMJCEPlusFIPS
    providers.
    2. PKCS12 keystore corrupted after using iKeyman
    PKCS12 Keystore created using iKeyman and listed via Gsk8capicmd
    shows duplicate entries
    

Problem conclusion

  • 1. Update iKeyman for IBMJCEPlus
    i. Removing the hard-code reference to IBMJCE provider and
    modifying the code to use the new provider name.
    ii. Added a new setting DEFAULT_IBMJCE_PLUS_PROCESSING. If set
    to true, forces the the use of the IBMJCEPlus or IBMJCEPlusFIPS
    Provider. If set to false, uses whichever JCE Provider comes
    first in the java.security file.
    Note. IBMJCEPlus and IBMJCEPlusFIPS providers are not intended
    to be replacements for the IBMJCE or IBMJCEFIPS providers. For
    JKS/JCEKS, PKCS12 keystore generation and X.509 certificate and
    few other operations, iKeyman still uses IBMJCE provider.
    2. PKCS12 keystore corrupted after using iKeyman
    The problem is Java PKCS12 adds the certificate chain associated
    with each key entry as a separate certificate entry. This caused
    duplicate entries in the keystore.
    A fix is in both iKeyman and GSK8capicmd (version 8.0.55.10).
    The fix in iKeyman, is to remove the fix for PMR 31496,001,80
    for PKCS12 keystore that builds certificate chain for each key
    entry.
    The fix in GSK8capicmd is to consider only valid key entries.
    .
    This APAR will be fixed in the following Java Releases:
       8    SR6       (8.0.6.0)
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ18573

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-24

  • Closed date

    2019-09-10

  • Last modified date

    2019-09-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
07 December 2020