IV71425: IKEYMAN/CAPICMD DISCREPANCY & REVIEW CA CERTS INCLUDED IN IKEYMAN & IKEYMAN PROBLEM WITH REISSUED/MULTIPATH CERTS
Closed as program error.
Error Message:
Problem 1. For a keystore (say QMP3C_DOE.kdb), ikeyman reports that wmqca is trusted whereas gsk8capicmd says it is not trusted.
Problem 2. Review of new CA certificates: some new Entrust CAs are not in iKeyman.
Problem 3. gsk8capicmd allows all three CAs to be added to a keystore, but iKeyman (8.0.373) replaces the first G5 cert with the subsequent G5 cert.
Stack Trace: N/A
Problem 1. QMP3C_DOE.kdb (working) has no deleted records, and QMP4C_DOE.kdb (not working) has a deleted wmqca record and a new one with trusted=false. We discovered that the CMS provider does not ignore keystore records that have the "DELETED" flag set. QMP4C_DOE.kdb contains the deleted wmqca record, which is trusted, and the non-deleted record, which is not trusted, and ikeyman treats the deleted one as valid. Therefore gsk8capicmd is correct and ikeyman (cmsprovider) is incorrectly reporting that certificate attribute.
Problem 2. Entrust has been using a new CA to issue certificates for customers, and these CAs are not in iKeyman.
Problem 3. iKeyman treats the cert as a duplicate because it has the same public key. This behaviour is not right and not in line with gskcapicmd.
Problem 1. The fix: cmsprovider must not take the "DELETED" records into account.
Problem 2. The following new Entrust CAs were added: "Entrust.net Certification Authority (2048) 29", "Entrust Root Certification Authority - EC1", "Entrust Root Certification Authority - EV", "Entrust Root Certification Authority - G2".
Problem 3. CMS Provider matches entries by comparing the public key, not the whole certificate. That makes it treat certificates for the same key pair as identical, which they are not. The proposal is to change the code to match the whole certificate, as gsk8capicmd does.
This APAR will be fixed in the following Java releases: 6 SR16 FP4, 7 SR9, 7 R1 SR3, 6 R1 SR8 FP4, 8 SR1.
Contact your IBM product's service team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
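The two cmsprovider defects above (Problem 1, honouring DELETED records; Problem 3, matching entries by public key instead of by whole certificate) can be reproduced in a small model of a keystore. The following is an added illustration, not IBM's code: the record layout is a constructed simplification of a CMS .kdb record, and the key and certificate bytes are placeholders, not real DER. The buggy and fixed variants of each operation sit side by side so the difference in reported trust and in duplicate handling is visible.

```python
"""Toy model of the two cmsprovider defects described in APAR IV71425.
Added illustration only; KdbRecord is a constructed simplification."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KdbRecord:
    """One keystore record. public_key and cert_der are constructed byte strings
    standing in for the SubjectPublicKeyInfo and the full DER certificate."""
    label: str
    public_key: bytes
    cert_der: bytes
    trusted: bool
    deleted: bool = False  # the DELETED flag a record keeps after removal


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole certificate; distinct certs for one key differ here."""
    return hashlib.sha256(der).hexdigest()


# --- Problem 1: a trust lookup must skip DELETED records ---------------------

def trusted_buggy(records: List[KdbRecord], label: str) -> Optional[bool]:
    """Mimics the defect: the first record carrying the label wins, deleted or not."""
    for rec in records:
        if rec.label == label:
            return rec.trusted
    return None


def trusted_fixed(records: List[KdbRecord], label: str) -> Optional[bool]:
    """Fixed behaviour (what gsk8capicmd already does): deleted records are invisible."""
    for rec in records:
        if rec.deleted:
            continue
        if rec.label == label:
            return rec.trusted
    return None


# --- Problem 3: duplicate detection must compare the whole certificate -------

def add_cert_buggy(records: List[KdbRecord], new: KdbRecord) -> str:
    """Mimics the defect: a matching public key counts as the same certificate,
    so a reissued CA cert for the same key pair replaces the stored one."""
    for i, rec in enumerate(records):
        if not rec.deleted and rec.public_key == new.public_key:
            records[i] = new
            return "replaced"
    records.append(new)
    return "added"


def add_cert_fixed(records: List[KdbRecord], new: KdbRecord) -> str:
    """Fixed behaviour: only a byte-identical certificate is a duplicate."""
    new_fp = fingerprint(new.cert_der)
    for rec in records:
        if not rec.deleted and fingerprint(rec.cert_der) == new_fp:
            return "duplicate"
    records.append(new)
    return "added"


# --- constructed sample data -------------------------------------------------

def qmp4c_like_store() -> List[KdbRecord]:
    """Shaped like the failing QMP4C_DOE.kdb: a deleted wmqca record that was
    trusted, followed by the live wmqca record marked not trusted."""
    key = b"constructed-wmqca-spki"
    return [
        KdbRecord("wmqca", key, b"constructed-wmqca-der-v1", trusted=True, deleted=True),
        KdbRecord("wmqca", key, b"constructed-wmqca-der-v2", trusted=False),
    ]


def g5_reissued_certs() -> List[KdbRecord]:
    """Three CA certs sharing one public key but differing elsewhere (issuer,
    serial, validity), as with reissued or cross-signed roots."""
    key = b"constructed-g5-spki"
    return [
        KdbRecord("g5-self-signed", key, b"constructed-g5-der-self", trusted=True),
        KdbRecord("g5-cross-signed", key, b"constructed-g5-der-cross", trusted=True),
        KdbRecord("g5-reissued", key, b"constructed-g5-der-reissue", trusted=True),
    ]


def live_labels(records: List[KdbRecord]) -> List[str]:
    """Labels of the records a correct reader should see."""
    return [r.label for r in records if not r.deleted]


if __name__ == "__main__":
    store = qmp4c_like_store()
    print("Problem 1 buggy:", trusted_buggy(store, "wmqca"),
          "fixed:", trusted_fixed(store, "wmqca"))
    buggy, fixed = [], []
    for cert in g5_reissued_certs():
        add_cert_buggy(buggy, cert)
        add_cert_fixed(fixed, cert)
    print("Problem 3 buggy store:", live_labels(buggy))
    print("Problem 3 fixed store:", live_labels(fixed))
```

Running it shows the buggy lookup reporting wmqca as trusted from the deleted record while the fixed lookup reports it as not trusted, and the buggy add leaving only the last G5 certificate in the store while the fixed add keeps all three and rejects only a byte-identical re-add.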