APAR status
Closed as program error.
Error description
Error Message: N/A . Stack Trace: Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify at com.ibm.jsse2.j.a(j.java:10) at com.ibm.jsse2.qc.a(qc.java:359) at com.ibm.jsse2.ab.a(ab.java:385) at com.ibm.jsse2.bb.a(bb.java:528) at com.ibm.jsse2.bb.a(bb.java:217) at com.ibm.jsse2.ab.r(ab.java:59) at com.ibm.jsse2.ab.a(ab.java:24) at com.ibm.jsse2.qc.a(qc.java:204) at com.ibm.jsse2.qc.h(qc.java:391) at com.ibm.jsse2.qc.a(qc.java:793) at com.ibm.jsse2.qc.startHandshake(qc.java:280) ... 16 more Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA224withRSA for provider IBMJCEFIPS at sun.security.jca.GetInstance.getService(GetInstance.java:99) at sun.security.jca.GetInstance.getInstance(GetInstance.java:218) at java.security.Signature.getInstance(Signature.java:361) at com.ibm.jsse2.lb.c(lb.java:77) at com.ibm.jsse2.xb.<init>(xb.java:20) at com.ibm.jsse2.v$c_.<init>(v$c_.java:10) at com.ibm.jsse2.bb.a(bb.java:210) ... 27 more . The problem happens when SHA224WithRSA was put as the first of "supported signature algorithm" in client authentication request.
Local fix
1. Put the IBMJCEFIPS provider as the 1st in the provider list and set com.ibm.jsse2.usefipsprovider to false. 2. Disable client authentication.
Problem summary
The problem happens because the signature SHA224withRSA, SHA224withECDSA and MD5withRSA which are not supported by IBMJCEFIPS are enabled in JSSE FIPS mode.
Problem conclusion
This defect will be fixed in: 7.0.0 SR4FP2 6.0.1 SR5FP2 6.0.0 SR13FP2 . A fix is made to IBMJSSE2 provider to disable the signature SHA224withRSA, SHA224withECDSA and MD5withRSA in JSSE FIPS mode The associated Hursley CMVC defect is 197096 The associated Austin CMVC defect is 113694 JVMs affected: Java 6.0 SR13FP1, Java 626 SR5FP1 and Java 7.0 SR4FP1. The fix was delivered for Java 6.0 SR13FP2, Java 626 SR5FP2 and Java 7.0 SR4FP2. The affected jar is "ibmjsseprovider2.jar". The build level of this jar for the affected releases is "20130410"
Temporary fix
Comments
APAR Information
APAR number
IV39553
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-04-10
Closed date
2013-04-15
Last modified date
2013-04-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R600 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"260","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020