IBM Support

IV79144: THE PKCS11IMPLKS KEYSTORE OF THE IBMPKCS11IMPL PROVIDER FAILS TO RECOGNIZE ALL PRIVATE KEYS PRESENT ON THE CRYPTO HARDWARE


APAR status

  • Closed as program error.

Error description

  • Error Message: N/A

    Stack Trace: N/A

    The customer attempted to list the contents of a fresh
    PKCS11IMPLKS keystore instance and found no PrivateKeyEntry
    entries listed for the private keys that were present on the
    crypto hardware.
    It is important to note that the customer was using third-party
    tools to create these private keys on the crypto hardware
    instead of either the IBMPKCS11Impl provider API or the keytool
    utility.
    

Local fix

Problem summary

  • When a PrivateKeyEntry is added to a PKCS11IMPLKS keystore using
    either the "IBMPKCS11Impl provider API" or "keytool", the
    PKCS11IMPLKS keystore adds a label/alias to the private key.
    This enables the PKCS11IMPLKS keystore to later create/load a
    fresh keystore instance by searching the crypto hardware for
    private keys that contain a label, and to create a
    PrivateKeyEntry for each.  As a consequence, the PKCS11IMPLKS
    keystore did not attempt to create a PrivateKeyEntry for private
    keys that did not contain a label/alias.
    The problem described by this APAR was discovered by a customer
    who was using third-party tools to create private key objects
    and certificate objects on the crypto hardware.  The private key
    objects created did not contain a label/alias.  When the
    PKCS11IMPLKS keystore created/loaded a fresh keystore instance
    from these objects, the private keys without labels/aliases were
    ignored.  Therefore, when the customer attempted to list the
    contents of that fresh keystore instance, no PrivateKeyEntry
    entries were listed for the private keys.
    

Problem conclusion

  • The Java class that manages the PKCS11IMPLKS keystore has been
    modified to recognize and process all hardware private keys when
    it creates/loads a fresh keystore instance, regardless of
    whether the hardware private key contains a label/alias.

    This APAR will be fixed in the following Java Releases:
       6    SR16 FP20 (6.0.16.20)
       6 R1 SR8 FP20  (6.1.8.20)
       8    SR2 FP10  (8.0.2.10)
       7    SR9 FP30  (7.0.9.30)
       7 R1 SR3 FP30  (7.1.3.30)

    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
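
A check for the symptom described in this APAR, as an added example that is not IBM's code: it loads a fresh PKCS11IMPLKS keystore instance through the standard java.security.KeyStore API, lists each alias with its entry type, and fails when fewer PrivateKeyEntry entries appear than the number of private keys known to be on the token. It assumes the IBMPKCS11Impl provider is already registered and configured for the crypto hardware; the class name and the optional expected-count argument are hypothetical.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical diagnostic class; not part of the IBM SDK.
public class ListHardwareKeyEntries {
    public static void main(String[] args) throws Exception {
        // Assumption: IBMPKCS11Impl is already registered and configured for
        // the token (for example in java.security) before this program runs.
        Provider provider = Security.getProvider("IBMPKCS11Impl");
        Console console = System.console();
        if (provider == null || console == null) {
            System.err.println("Need a configured IBMPKCS11Impl provider and a console");
            System.exit(2);
        }
        // Optional argument: number of private keys known to exist on the
        // token, as reported by the tool that created them.
        int expected = args.length > 0 ? Integer.parseInt(args[0]) : -1;

        char[] pin = console.readPassword("Token PIN: ");
        if (pin == null) {
            System.exit(2); // end of input, no PIN supplied
        }
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS", provider);
        try {
            ks.load(null, pin); // fresh instance, populated from the hardware
        } finally {
            Arrays.fill(pin, '\0'); // do not keep the PIN in memory
        }

        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isPrivate = ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);
            if (isPrivate) {
                privateKeys++;
            }
            String type = isPrivate ? "PrivateKeyEntry"
                    : ks.isCertificateEntry(alias) ? "trustedCertEntry" : "other key entry";
            System.out.println(alias + "\t" + type);
        }
        System.out.println("PrivateKeyEntry count: " + privateKeys);
        if (expected >= 0 && privateKeys < expected) {
            System.err.println("Expected " + expected + " private keys; some are not visible");
            System.exit(1);
        }
    }
}
```

Run it on the affected runtime and again after applying one of the listed Service Refresh levels, passing the same expected count both times.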
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV79144

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-11-20

  • Closed date

    2015-11-30

  • Last modified date

    2015-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R600 PSY

       UP

  • R260 PSY

       UP

  • R270 PSY

       UP


Document Information

Modified date:
07 December 2020