IBM Support

IV38515: B3:SVT:REG:ZOSSECURITY.PKCS11:EXCEPTIONININITIALIZERERR IS SEEN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: Following the addition of logic to the PKCS
SimpleValidator class to check certificates within the
UntrustedCertificates class, the following exception was seen on
the z/OS platform whenever the IBMPKCS11Impl security provider
was in use:
ERRORS, EXCEPTIONS AND TRACE
196511--> 195580--> ---------------------------------
196511--> 195580--> K0319java.lang.ExceptionInInitializerError
196511--> 195580--> at
java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
196511--> 195580--> at
com.ibm.security.validator.SimpleValidator.engineValidate(Simple
Validator.java:170)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:257
)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:233
)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:202
)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.b.b(Unknown Source)
196511--> 195580--> at javax.crypto.b.a(Unknown Source)
196511--> 195580--> at javax.crypto.b.a(Unknown Source)
196511--> 195580--> at
javax.crypto.KeyGenerator.getInstance(Unknown Source)
196511--> 195580--> at
tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
196511--> 195580--> Caused by: java.lang.RuntimeException:
Incorrect untrusted certificate:
digicert-server-cross-to-cybertrust-4C0E636A
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
cates.java:69)
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCe
rtificates.java:92)
196511--> 195580--> at
java.lang.J9VMInternals.initializeImpl(Native Method)
196511--> 195580--> at
java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
196511--> 195580--> ... 13 more
196511--> 195580--> Caused by:
java.security.cert.CertificateException: Unable to initialize,
java.io.IOException: insufficient data
196511--> 195580--> at
com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
196511--> 195580--> at
com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCer
tificate(X509Factory.java:145)
196511--> 195580--> at
java.security.cert.CertificateFactory.generateCertificate(Certif
icateFactory.java:407)
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
cates.java:62)
196511--> 195580-->
This error was not seen when the IBM JCE provider was in use.
.
Stack Trace: See text above.
.

Local fix

  • 



Problem summary


    

  • Following the addition of logic to the PKCS SimpleValidator
class to check certificates within the UntrustedCertificates
class, the following exception was seen on the z/OS platform
whenever the IBMPKCS11Impl security provider was in use:
ERRORS, EXCEPTIONS AND TRACE
196511--> 195580--> ---------------------------------
196511--> 195580--> K0319java.lang.ExceptionInInitializerError
196511--> 195580--> at
java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
196511--> 195580--> at
com.ibm.security.validator.SimpleValidator.engineValidate(Simple
Validator.java:170)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:257
)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:233
)
196511--> 195580--> at
com.ibm.security.validator.Validator.validate(Validator.java:202
)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.a.a(Unknown Source)
196511--> 195580--> at javax.crypto.b.b(Unknown Source)
196511--> 195580--> at javax.crypto.b.a(Unknown Source)
196511--> 195580--> at javax.crypto.b.a(Unknown Source)
196511--> 195580--> at
javax.crypto.KeyGenerator.getInstance(Unknown Source)
196511--> 195580--> at
tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
196511--> 195580--> Caused by: java.lang.RuntimeException:
Incorrect untrusted certificate:
digicert-server-cross-to-cybertrust-4C0E636A
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
cates.java:69)
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCe
rtificates.java:92)
196511--> 195580--> at
java.lang.J9VMInternals.initializeImpl(Native Method)
196511--> 195580--> at
java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
196511--> 195580--> ... 13 more
196511--> 195580--> Caused by:
java.security.cert.CertificateException: Unable to initialize,
java.io.IOException: insufficient data
196511--> 195580--> at
com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
196511--> 195580--> at
com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCer
tificate(X509Factory.java:145)
196511--> 195580--> at
java.security.cert.CertificateFactory.generateCertificate(Certif
icateFactory.java:407)
196511--> 195580--> at
com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
cates.java:62)
196511--> 195580-->
This error was not seen when the IBM JCE provider was in use.

    



Problem conclusion


    

  • This defect will be fixed in:
7.0.0 SR5
6.0.1 SR6
6.0.0 SR14
5.0.0 SR17
.
The IBM JCE security component had included special certificate
processing logic unique to the z/OS platform within the
X509Factory.engineGenerateCertificate( ) method.
This enabled the IBM JCE provider to parse/instantiate the
certificates within the UntrustedCertificates class when the
IBMPKCS11Impl provider could not.
This logic was not present within the corresponding
X509Factory.engineGenerateCertificate( ) method within the
IBMPKCS11Impl provider.
It has now been added to resolve this error.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IV38515
    • 

  • Reported component name
    SECURITY
    • 

  • Reported component ID
    620700125
    • 

  • Reported release
    260
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2013-03-21
    • 

  • Closed date
    2013-03-22
    • 

  • Last modified date
    2013-03-22
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
IV38516
    

    • 



Fix information


    

  • Fixed component name
    SECURITY
    • 

  • Fixed component ID
    620700125
    • 



Applicable component levels


    

  • R260  PSY
       UP
    • 

  • R600  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"260","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 December 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback