IBM Support

IV38516: B3:SVT:REG:ZOSSECURITY.PKCS11:EXCEPTIONININITIALIZERERR IS SEEN

APAR status

  • Closed as program error.

Error description

  • Error Message: Following the addition of logic to the PKCS
    SimpleValidator class to check certificates within the
    UntrustedCertificates class, the following exception was seen on
    the z/OS platform whenever the IBMPKCS11Impl security provider
    was in use:
    ERRORS, EXCEPTIONS AND TRACE
    196511--> 195580--> ---------------------------------
    196511--> 195580--> K0319java.lang.ExceptionInInitializerError
    196511--> 195580--> at java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
    196511--> 195580--> at com.ibm.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:170)
    196511--> 195580--> at com.ibm.security.validator.Validator.validate(Validator.java:257)
    196511--> 195580--> at com.ibm.security.validator.Validator.validate(Validator.java:233)
    196511--> 195580--> at com.ibm.security.validator.Validator.validate(Validator.java:202)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.b(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at javax.crypto.KeyGenerator.getInstance(Unknown Source)
    196511--> 195580--> at tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
    196511--> 195580--> Caused by: java.lang.RuntimeException: Incorrect untrusted certificate: digicert-server-cross-to-cybertrust-4C0E636A
    196511--> 195580--> at com.ibm.security.util.UntrustedCertificates.add(UntrustedCertificates.java:69)
    196511--> 195580--> at com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCertificates.java:92)
    196511--> 195580--> at java.lang.J9VMInternals.initializeImpl(Native Method)
    196511--> 195580--> at java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
    196511--> 195580--> ... 13 more
    196511--> 195580--> Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
    196511--> 195580--> at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
    196511--> 195580--> at com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCertificate(X509Factory.java:145)
    196511--> 195580--> at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)
    196511--> 195580--> at com.ibm.security.util.UntrustedCertificates.add(UntrustedCertificates.java:62)
    196511--> 195580-->
    This error was not seen when the IBM JCE provider was in use.
    Stack Trace: See text above.
    

Local fix

Problem summary

  • Following the addition of logic to the PKCS SimpleValidator
    class to check certificates within the UntrustedCertificates
    class, the ExceptionInInitializerError whose trace appears under
    "Error description" was seen on the z/OS platform whenever the
    IBMPKCS11Impl security provider was in use.
    This error was not seen when the IBM JCE provider was in use.
    

Problem conclusion

  • This defect will be fixed in:
      7.0.0 SR5
      6.0.1 SR6
      6.0.0 SR14
      5.0.0 SR17

    The IBM JCE security component had included special certificate
    processing logic unique to the z/OS platform within the
    X509Factory.engineGenerateCertificate( ) method.
    This enabled the IBM JCE provider to parse/instantiate the
    certificates within the UntrustedCertificates class when the
    IBMPKCS11Impl provider could not.
    This logic was not present within the corresponding
    X509Factory.engineGenerateCertificate( ) method within the
    IBMPKCS11Impl provider.
    It has now been added to resolve this error.
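
    The failure chain in the trace above, reproduced as an added example (not IBM's code): a class that parses embedded certificates in its static initializer, using whichever provider serves the "X.509" CertificateFactory, becomes unusable for the life of the JVM when one certificate fails to parse. The names InitializerFailureDemo, Denylist and TRUNCATED_DER are hypothetical, and the byte array is a constructed sample.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

public class InitializerFailureDemo {
    // Constructed sample: DER SEQUENCE headers announcing far more data than follows.
    static final byte[] TRUNCATED_DER =
        {0x30, (byte) 0x82, 0x03, 0x00, 0x30, (byte) 0x82, 0x02, 0x00};

    // Hypothetical stand-in for a denylist that loads its certificates at class-load time.
    static class Denylist {
        static {
            try {
                // No provider is named, so the highest-priority provider that
                // offers an "X.509" CertificateFactory does the parsing.
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                cf.generateCertificate(new ByteArrayInputStream(TRUNCATED_DER));
            } catch (CertificateException e) {
                // Same shape as the trace: a RuntimeException escaping <clinit>.
                throw new RuntimeException("Incorrect untrusted certificate: sample", e);
            }
        }
        static boolean contains(Object cert) { return false; }
    }

    // Walk the "Caused by:" chain down to the original parsing error.
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t;
    }

    public static void main(String[] args) throws Exception {
        // First thing to check when triaging: which provider parses certificates.
        System.out.println("X.509 CertificateFactory provider: "
            + CertificateFactory.getInstance("X.509").getProvider().getName());
        // The first use fails with ExceptionInInitializerError; every later use
        // fails with NoClassDefFoundError because the class stays uninitialized.
        for (int attempt = 1; attempt <= 2; attempt++) {
            try {
                Denylist.contains(null);
            } catch (LinkageError e) {
                System.out.println("attempt " + attempt + ": " + e.getClass().getName()
                    + ", root cause: " + rootCause(e));
            }
        }
    }
}
```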
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV38516

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-21

  • Closed date

    2013-03-22

  • Last modified date

    2013-03-22

  • APAR is sysrouted FROM one or more of the following:

    IV38515

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 5.0

Reference #: IV38516

Modified date: 2013-03-22