APAR status
Closed as program error.
Error description
Error Message, as reported by customer: java.lang.RuntimeException: Could not create SHA2DRBG Stack Trace, if applicable: java.lang.RuntimeException: Could not create SHA2DRBG at com.ibm.jsse2.vb.f(vb.java:232) at com.ibm.jsse2.sc.engineInit(sc.java:58) at javax.net.ssl.SSLContext.init(SSLContext.java:19) at ServerJsse.initContext(ServerJsse.java:89) at ServerJsse.main(ServerJsse.java:113) Caused by: java.security.NoSuchAlgorithmException: SecureRandom SHA2DRBG implementation not found: at java.security.Provider$Service.newInstance(Provider.java:904) at org.apache.harmony.security.fortress.Engine.getInstance(Engine.j ava:157) at java.security.SecureRandom.getInstance(SecureRandom.java:183) at com.ibm.jsse2.vb.f(vb.java:30) ... 4 more Caused by: java.lang.IllegalAccessException at java.lang.J9VMInternals.newInstanceImpl(Native Method) at java.lang.Class.newInstance(Class.java:1474) at java.security.Provider$Service.newInstance(Provider.java:890) ... 7 more Other Error Information, as reported by customer: The problem happens when com.ibm.jsse2.sp800-131=strict and IBMJCEFIPS is before IBMJCE
Local fix
Put IBMJCE before IBMJCEFIPS in the provider list in java.security
Problem summary
The problem happens because JSSE2 cannot use SHA2DRBG from IBMJCEFIPS provider. ERROR DESCRIPTION: When com.ibm.jsse2.sp800-131=strict , SHA2DRBG is required. If IBMJCEFIPS is put before IBMJCE in the provider list in java.security, SHA2DRBG will be used from IBMJCEFIPS provider. However, the SHA2DRBG is not working in the current IBMJCEFIPS.
Problem conclusion
A fix is made to IBMJSSE2 provider to use algorithm name HASHDRBG to avoid this problem. The associated Hursley CMVC defect is 196130 The associated Austin CMVC defect is 113512 JVMs affected: Java 7 SR3, Java 6 R26 SR4, Java 6 SR12 The fix was delivered for Java 7 SR4 FP1, Java 6 R26 SR5 FP1, Java 6 SR13 FP1 The affected jar is "ibmjsseprovider2.jar". The build level of this jar for the affected releases is "20130208". Update: IBMJCEFIPS has been updated and recertified to correct this problem. Circumvention in IBMJSSE2 no longer required. See APAR IV36044 - fix was delivered for Java 7 SR4 FP1, Java 6 R26 SR5 FP1, Java 6 SR13 FP1
Temporary fix
Comments
APAR Information
APAR number
IV36810
Reported component name
JAVA SECURE SOC
Reported component ID
TIVSECJSS
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-02-14
Closed date
2013-03-08
Last modified date
2013-03-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA SECURE SOC
Fixed component ID
TIVSECJSS
Applicable component levels
R100 PSY
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL3Z","label":"JSSE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
08 March 2013