APAR status
Closed as program error.
Error description
Error Message: No visible error messages are seen. Stack Trace: N/A.
Local fix
Application code that constructs a new com.ibm.crypto.hdwrCCA.provider.WrapperKey object can be modified to avoid the ambiguous behavior. When constructing a WrapperKey, the private key passed in must not be an instance of the com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey or com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey class.
Problem summary
When the com.ibm.crypto.hdwrCCA.provider.WrapperKey class is used to migrate a key object to the IBMJCECCA hardware environment, the hardware attributes are associated with a private key only if the key is not already an instance of the com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey or com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey class. For keys of the com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey or com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey type, the hardware attributes were not associated with the key object, because these key objects are already bound to the hardware and the IBMJCECCA provider. This behavior gave an incorrect sense of having a set of hardware attributes associated with a key.
Problem conclusion
This defect will be fixed in: 5.0.0 SR15.

Logic was added to the com.ibm.crypto.hdwrCCA.provider.WrapperKey class to restrict which types of keys may be passed to its constructor. Keys of the com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey and com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey types are no longer permitted with the com.ibm.crypto.hdwrCCA.provider.WrapperKey class constructor, and an exception will be thrown. With the installation of this APAR, customers may see an exception that is an instance of the Exception class and contains the message "Cannot construct a WrapperKey from a RSAPrivateHWKey. RSAPrivateHWKey already bound to the hardware."

The Java environment variable ibm.ibmjcecca.allowwrapperhwkey is being made available to allow the JVM to fall back to the prior invalid behavior when set to true. This option is available until user applications can be updated to handle the new exception, or to pass non-hardware-bound key material to the com.ibm.crypto.hdwrCCA.provider.WrapperKey constructor. To set this environment variable, specify the -D option on the java command line, similar to the following example: "java -Dibm.ibmjcecca.allowwrapperhwkey=true <Application>"

It is strongly recommended to use the fallback option only for a limited time, until applications are modified to handle the exception. This new option is only a temporary mechanism and will be removed in a future service refresh. Users of the fallback option will be exposed to the same security vulnerability that existed prior to this APAR.
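An application-side guard for the case described in the Local fix and Problem conclusion, as an added example that is not IBM's code. The class WrapperKeyGuard and its methods are hypothetical. The hardware key classes are matched by the names given above so the code compiles without the IBMJCECCA provider, and reading the property with Boolean.getBoolean is an assumption about how the provider parses it.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class WrapperKeyGuard {  // hypothetical helper, not part of the IBMJCECCA provider
    // Hardware-bound key classes named in this APAR, matched by name.
    private static final Set<String> HW_BOUND = new HashSet<String>(Arrays.asList(
        "com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey",
        "com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey"));

    static final String FALLBACK_PROPERTY = "ibm.ibmjcecca.allowwrapperhwkey";

    /** True if the key's class, or any superclass, is one of the hardware-bound types. */
    static boolean isHardwareBound(Key key) {
        for (Class<?> c = key.getClass(); c != null; c = c.getSuperclass()) {
            if (HW_BOUND.contains(c.getName())) return true;
        }
        return false;
    }

    /** Call before constructing a WrapperKey; rejects keys the fixed provider refuses. */
    static void requireWrappable(PrivateKey key) {
        if (isHardwareBound(key)) {
            throw new IllegalArgumentException(key.getClass().getName()
                + " is already bound to the hardware; do not pass it to WrapperKey");
        }
    }

    /** True if the JVM was started with the temporary fallback set to true (assumed parsing). */
    static boolean fallbackEnabled() {
        return Boolean.getBoolean(FALLBACK_PROPERTY);
    }

    public static void main(String[] args) throws Exception {
        if (fallbackEnabled()) {
            System.err.println("WARNING: -D" + FALLBACK_PROPERTY
                + "=true is set; pre-fix WrapperKey behavior is active");
        }
        // Constructed sample input: a software RSA key from the default JCE provider.
        PrivateKey sw = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
        requireWrappable(sw);  // passes: not a hardware-bound class
        System.out.println(sw.getClass().getName() + " hardwareBound=" + isHardwareBound(sw));
    }
}
```

Calling requireWrappable at every site that constructs a WrapperKey surfaces affected code paths before the service refresh is installed, and logging fallbackEnabled() at startup makes it visible which JVMs still run with the temporary option.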
Temporary fix
See workaround.
Comments
APAR Information
APAR number
IV27267
Reported component name
JAVA 5 SECURITY
Reported component ID
620500125
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-08-30
Closed date
2012-08-30
Last modified date
2012-08-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA 5 SECURITY
Fixed component ID
620500125
Applicable component levels
R500 PSY
UP
Document Information
Modified date:
07 December 2020