IBM Support

IV36810: JSSE2 CANNOT USE SHA2DRBG FROM IBMJCEFIPS PROVIDER

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
    java.lang.RuntimeException: Could not create SHA2DRBG
    
    Stack Trace, if applicable:
    java.lang.RuntimeException: Could not create SHA2DRBG
            at com.ibm.jsse2.vb.f(vb.java:232)
            at com.ibm.jsse2.sc.engineInit(sc.java:58)
            at javax.net.ssl.SSLContext.init(SSLContext.java:19)
            at ServerJsse.initContext(ServerJsse.java:89)
            at ServerJsse.main(ServerJsse.java:113)
    Caused by: java.security.NoSuchAlgorithmException: SecureRandom
    SHA2DRBG implementation not found:
            at
    java.security.Provider$Service.newInstance(Provider.java:904)
            at
    org.apache.harmony.security.fortress.Engine.getInstance(Engine.j
    ava:157)
            at
    java.security.SecureRandom.getInstance(SecureRandom.java:183)
            at com.ibm.jsse2.vb.f(vb.java:30)
            ... 4 more
    Caused by: java.lang.IllegalAccessException
            at java.lang.J9VMInternals.newInstanceImpl(Native
    Method)
            at java.lang.Class.newInstance(Class.java:1474)
            at
    java.security.Provider$Service.newInstance(Provider.java:890)
            ... 7 more
    
    
    Other Error Information, as reported by customer:
    The problem happens when com.ibm.jsse2.sp800-131=strict and
    IBMJCEFIPS is before IBMJCE
    

Local fix

  • Put IBMJCE before IBMJCEFIPS in the provider list in
    java.security
    

Problem summary

  • The problem happens because JSSE2 cannot use SHA2DRBG from
    IBMJCEFIPS provider.
    
    ERROR DESCRIPTION:
    When com.ibm.jsse2.sp800-131=strict , SHA2DRBG is required. If
    IBMJCEFIPS is put before IBMJCE in the provider list in
    java.security, SHA2DRBG will be used from IBMJCEFIPS provider.
    However, the SHA2DRBG is not working in the current IBMJCEFIPS.
    

Problem conclusion

  • A fix is made to IBMJSSE2 provider to use algorithm name
    HASHDRBG to avoid this problem.
    
    The associated Hursley CMVC defect is 196130
    The associated Austin CMVC defect is 113512
    
    JVMs affected: Java 7 SR3, Java 6 R26 SR4, Java 6 SR12
    
    The fix was delivered for Java 7 SR4 FP1, Java 6 R26 SR5 FP1,
    Java 6 SR13 FP1
    
    The affected jar is "ibmjsseprovider2.jar".
    The build level of this jar for the affected releases is
    "20130208".
    
    Update:  IBMJCEFIPS has been updated and recertified to correct
    this problem.  Circumvention in IBMJSSE2 no longer required.
    See APAR IV36044 - fix was delivered for Java 7 SR4 FP1, Java 6
    R26 SR5 FP1, Java 6 SR13 FP1
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV36810

  • Reported component name

    JAVA SECURE SOC

  • Reported component ID

    TIVSECJSS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-02-14

  • Closed date

    2013-03-08

  • Last modified date

    2013-03-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA SECURE SOC

  • Fixed component ID

    TIVSECJSS

Applicable component levels

  • R100 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL3Z","label":"JSSE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
08 March 2013