IBM Support

IV71425: IKEYMAN/CAPICMD DISCREPANCY & REVIEW CA CERTS INCLUDED IN IKEYMAN & IKEYMAN PROBLEM WITH REISSUED/MULTIPATH CERTS

APAR status

  • Closed as program error.

Error description

  • Error Message:
    Pb 1. For keystore (say QMP3C_DOE.kdb), ikeyman reports that wmqca
    is trusted whereas gsk8capicmd says it is not trusted.
    Pb 2. Review new CA certificates: some new Entrust CAs are not in
    iKeyman.
    Pb 3. gsk8capicmd allows all three CAs to be added to a keystore,
    but iKeyman (8.0.373) replaces the first G5 cert with the
    subsequent G5 cert.
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • Pb 1. QMP3C_DOE.kdb (working) has no deleted records, whereas
    QMP4C_DOE.kdb (not working) has a deleted wmqca record and a new
    one with trusted=false. We discovered that the CMS provider does
    not ignore keystore records that have the "DELETED" flag set.
    QMP4C_DOE.kdb holds both the deleted wmqca record (trusted) and
    the non-deleted record (not trusted), and iKeyman treats the
    deleted one as valid. Therefore gsk8capicmd is correct and
    iKeyman (cmsprovider) is incorrectly reporting that cert
    attribute.
    Pb 2. Entrust has been using a new CA to issue certificates for
    customers, and these CAs are not in iKeyman.
    Pb 3. iKeyman is treating the cert as a duplicate because it has
    the same public key. This behaviour is not right and not in line
    with gskcapicmd.
    

Problem conclusion

  • Pb 1. The fix is that cmsprovider should not take into account
    records flagged "DELETED".
    Pb 2. The following new Entrust CAs were added: "Entrust.net
    Certification Authority (2048) 29", "Entrust Root Certification
    Authority - EC1", "Entrust Root Certification Authority - EV",
    "Entrust Root Certification Authority - G2".
    Pb 3. CMS Provider matches entries by comparing the public key,
    not the whole certificate. That makes it treat certs for the same
    keypair as identical, which they are not. The proposal is to
    change the code to match the whole cert, the same as gsk8capicmd.
    .
    This APAR will be fixed in the following Java Releases:
       6    SR16 FP4  (6.0.16.4)
       7    SR9       (7.0.9.0)
       7 R1 SR3       (7.1.3.0)
       6 R1 SR8 FP4   (6.1.8.4)
       8    SR1       (8.0.1.0)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the Service
    Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
    
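To make the two CMS-provider defects in Pb 1 and Pb 3 concrete, the following added toy model (not IBM's code; the record layout, key bytes and CA names are constructed) shows the deleted-record lookup and the public-key versus whole-certificate duplicate check, each beside its corrected form:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    public_key: bytes        # stand-in for SubjectPublicKeyInfo (constructed)
    def der(self) -> bytes:  # stand-in for the full DER encoding of the cert
        return f"{self.subject}|{self.serial}|".encode() + self.public_key

@dataclass
class Record:
    label: str
    cert: Cert
    trusted: bool
    deleted: bool = False    # CMS keeps deleted records on disk, flagged DELETED

def _live(records):
    return [r for r in records if not r.deleted]

# Pb 1, defective: the first record with the label wins, deleted or not.
def is_trusted_buggy(records, label):
    return next((r.trusted for r in records if r.label == label), None)
# Pb 1, fixed: records flagged DELETED are ignored, as gsk8capicmd does.
def is_trusted_fixed(records, label):
    return next((r.trusted for r in _live(records) if r.label == label), None)

# Pb 3, defective: a live record with the same public key is treated as the same
# cert and overwritten, so a reissued cert for one keypair replaces the stored one.
def add_cert_buggy(records, label, cert):
    for r in _live(records):
        if r.cert.public_key == cert.public_key:
            r.label, r.cert = label, cert
            return
    records.append(Record(label, cert, trusted=True))

# Pb 3, fixed: only a byte-identical certificate counts as a duplicate.
def add_cert_fixed(records, label, cert):
    if all(r.cert.der() != cert.der() for r in _live(records)):
        records.append(Record(label, cert, trusted=True))

# Constructed sample mirroring QMP4C_DOE.kdb: a deleted wmqca record that was
# trusted, followed by its live replacement marked not trusted.
WMQCA_KEY = b"wmqca-public-key"
QMP4C = [
    Record("wmqca", Cert("CN=wmqca", 1, WMQCA_KEY), trusted=True, deleted=True),
    Record("wmqca", Cert("CN=wmqca", 2, WMQCA_KEY), trusted=False),
]
# Constructed: two CA certs issued for one keypair (the reissued/multipath case).
G5_KEY = b"g5-public-key"
G5_A = Cert("CN=Example Root CA - G5", 100, G5_KEY)
G5_B = Cert("CN=Example Root CA - G5", 200, G5_KEY)
```

The defective lookup reports wmqca as trusted because it stops at the deleted record, and the defective add collapses the two G5 certs into one entry; the fixed variants agree with gsk8capicmd.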

Temporary fix

Comments

APAR Information

  • APAR number

    IV71425

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-03-24

  • Closed date

    2015-03-27

  • Last modified date

    2015-03-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV71426

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R600 PSY

       UP

  • R260 PSY

       UP

  • R270 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 6.0

Reference #: IV71425

Modified date: 27 March 2015