IV38516: B3:SVT:REG:ZOSSECURITY.PKCS11:EXCEPTIONININITIALIZERERR IS SEEN

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • Error Message: Following the addition of logic to the PKCS
    SimpleValidator class to check certificates within the
    UntrustedCertificates class, the following exception was seen on
    the z/OS platform whenever the IBMPKCS11Impl security provider
    was in use:
    ERRORS, EXCEPTIONS AND TRACE
    196511--> 195580--> ---------------------------------
    196511--> 195580--> K0319java.lang.ExceptionInInitializerError
    196511--> 195580--> at
    java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
    196511--> 195580--> at
    com.ibm.security.validator.SimpleValidator.engineValidate(Simple
    Validator.java:170)
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:257
    )
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:233
    )
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:202
    )
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.b(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at
    javax.crypto.KeyGenerator.getInstance(Unknown Source)
    196511--> 195580--> at
    tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
    196511--> 195580--> Caused by: java.lang.RuntimeException:
    Incorrect untrusted certificate:
    digicert-server-cross-to-cybertrust-4C0E636A
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
    cates.java:69)
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCe
    rtificates.java:92)
    196511--> 195580--> at
    java.lang.J9VMInternals.initializeImpl(Native Method)
    196511--> 195580--> at
    java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
    196511--> 195580--> ... 13 more
    196511--> 195580--> Caused by:
    java.security.cert.CertificateException: Unable to initialize,
    java.io.IOException: insufficient data
    196511--> 195580--> at
    com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
    196511--> 195580--> at
    com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCer
    tificate(X509Factory.java:145)
    196511--> 195580--> at
    java.security.cert.CertificateFactory.generateCertificate(Certif
    icateFactory.java:407)
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
    cates.java:62)
    196511--> 195580-->
    This error was not seen when the IBM JCE provider was in use.
    .
    Stack Trace: See text above.
    .
    

Local fix

Problem summary

  • Following the addition of logic to the PKCS SimpleValidator
    class to check certificates within the UntrustedCertificates
    class, the following exception was seen on the z/OS platform
    whenever the IBMPKCS11Impl security provider was in use:
    ERRORS, EXCEPTIONS AND TRACE
    196511--> 195580--> ---------------------------------
    196511--> 195580--> K0319java.lang.ExceptionInInitializerError
    196511--> 195580--> at
    java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
    196511--> 195580--> at
    com.ibm.security.validator.SimpleValidator.engineValidate(Simple
    Validator.java:170)
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:257
    )
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:233
    )
    196511--> 195580--> at
    com.ibm.security.validator.Validator.validate(Validator.java:202
    )
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.a.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.b(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at javax.crypto.b.a(Unknown Source)
    196511--> 195580--> at
    javax.crypto.KeyGenerator.getInstance(Unknown Source)
    196511--> 195580--> at
    tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
    196511--> 195580--> Caused by: java.lang.RuntimeException:
    Incorrect untrusted certificate:
    digicert-server-cross-to-cybertrust-4C0E636A
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
    cates.java:69)
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCe
    rtificates.java:92)
    196511--> 195580--> at
    java.lang.J9VMInternals.initializeImpl(Native Method)
    196511--> 195580--> at
    java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
    196511--> 195580--> ... 13 more
    196511--> 195580--> Caused by:
    java.security.cert.CertificateException: Unable to initialize,
    java.io.IOException: insufficient data
    196511--> 195580--> at
    com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
    196511--> 195580--> at
    com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCer
    tificate(X509Factory.java:145)
    196511--> 195580--> at
    java.security.cert.CertificateFactory.generateCertificate(Certif
    icateFactory.java:407)
    196511--> 195580--> at
    com.ibm.security.util.UntrustedCertificates.add(UntrustedCertifi
    cates.java:62)
    196511--> 195580-->
    This error was not seen when the IBM JCE provider was in use.
    

Problem conclusion

  • This defect will be fixed in:
    7.0.0 SR5
    6.0.1 SR6
    6.0.0 SR14
    5.0.0 SR17
    .
    The IBM JCE security component had included special certificate
    processing logic unique to the z/OS platform within the
    X509Factory.engineGenerateCertificate( ) method.
    This enabled the IBM JCE provider to parse/instantiate the
    certificates within the UntrustedCertificates class when the
    IBMPKCS11Impl provider could not.
    This logic was not present within the corresponding
    X509Factory.engineGenerateCertificate( ) method within the
    IBMPKCS11Impl provider.
    It has now been added to resolve this error.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV38516

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-21

  • Closed date

    2013-03-22

  • Last modified date

    2013-03-22

  • APAR is sysrouted FROM one or more of the following:

    IV38515

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Runtimes for Java Technology
Security

Software version:

5.0

Reference #:

IV38516

Modified date:

2013-03-22

Translate my page

Machine Translation

Content navigation