APAR status
Closed as program error.
Error description
Error Message, as reported by customer: JSSE SSLHandshakeException Message: "Error signing certificate verify" during SSL handshake. Stack Trace, if applicable: javax.net.ssl.SSLHandshakeException: Error signing certificate verify at com.ibm.jsse2.j.a(j.java:12) at com.ibm.jsse2.as.a(as.java:118) at com.ibm.jsse2.C.a(C.java:193) at com.ibm.jsse2.D.a(D.java:631) at com.ibm.jsse2.D.a(D.java:139) at com.ibm.jsse2.C.r(C.java:69) at com.ibm.jsse2.C.a(C.java:580) at com.ibm.jsse2.as.a(as.java:512) at com.ibm.jsse2.as.i(as.java:969) at com.ibm.jsse2.as.a(as.java:680) at com.ibm.jsse2.as.startHandshake(as.java:859) at com.ibm.eNetwork.security.ssl.HODJSSEImpl.createSocket(HODJSSEIm pl.java:417) at com.ibm.eNetwork.security.ssl.HODSSLImpl.createSocket(HODSSLImpl .java:233) at com.ibm.eNetwork.security.ssl.HODSSLImpl.createSocket(HODSSLImpl .java:195) at com.ibm.eNetwork.ECL.Transport.initialize_tail2(Transport.java:1 133) at com.ibm.eNetwork.ECL.Transport.initialize_tail(Transport.java:10 68) at com.ibm.eNetwork.ECL.Transport.initialize(Transport.java:991) at com.ibm.eNetwork.ECL.Transport.registerWithThreadManager(Transpo rt.java:689) at com.ibm.eNetwork.ECL.Transport.open(Transport.java:549) at com.ibm.eNetwork.ECL.ECLConnection.StartCommunication(ECLConnect ion.java:1615) at com.ibm.eNetwork.beans.HOD.Session$2.run(Session.java:3198) at com.ibm.eNetwork.HOD.common.ThreadPoolThread.run(HODThread.java: 219) Caused by: java.security.InvalidKeyException: Key is not an RSAPrivateKey at com.ibm.crypto.fips.provider.DatawithRSA.a(Unknown Source) at com.ibm.crypto.fips.provider.DatawithRSA.engineInitSign(Unknown Source) at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:114) at java.security.Signature.initSign(Signature.java:556) at com.ibm.jsse2.aa.a(aa.java:21) at com.ibm.jsse2.x$c.<init>(x$c.java:55) at com.ibm.jsse2.D.a(D.java:692) ... 18 more Other Error Information, as reported by customer: N/A
Local fix
N/A
Problem summary
The com.ibm.security.capi.RSAPrivateKey class was not implementing the java.security.interfaces.RSAPrivateCrtKey as required by the JCEFIPS component. ERROR DESCRIPTION: The customer is using FIPS and CAC and he gets a "javax.net.ssl.SSLHandshakeException: Error signing certificate verify" exception while performing a TLS handshake. Thread-12, handling exception: javax.net.ssl.SSLHandshakeException: Error signing certificate verify SSLHandshakeException Message: Error signing certificate verify javax.net.ssl.SSLHandshakeException: Error signing certificate verify at com.ibm.jsse2.j.a(j.java:12) at com.ibm.jsse2.as.a(as.java:118) at com.ibm.jsse2.C.a(C.java:193) at com.ibm.jsse2.D.a(D.java:631) at com.ibm.jsse2.D.a(D.java:139) at com.ibm.jsse2.C.r(C.java:69) at com.ibm.jsse2.C.a(C.java:580) at com.ibm.jsse2.as.a(as.java:512) at com.ibm.jsse2.as.i(as.java:969) at com.ibm.jsse2.as.a(as.java:680) at com.ibm.jsse2.as.startHandshake(as.java:859) Caused by: java.security.InvalidKeyException: Key is not an RSAPrivateKey at com.ibm.crypto.fips.provider.DatawithRSA.a(Unknown Source) at com.ibm.crypto.fips.provider.DatawithRSA.engineInitSign(Unknown Source) at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:114) at java.security.Signature.initSign(Signature.java:556) at com.ibm.jsse2.aa.a(aa.java:21) at com.ibm.jsse2.x$c.<init>(x$c.java:55) at com.ibm.jsse2.D.a(D.java:692) ... 18 more
Problem conclusion
Updated the com.ibm.security.capi.RSAPrivateKey class to implement the java.security.interfaces.RSAPrivateCrtKey. Also, added the associated getter methods, and mscapi native code, to retrieve the extended CRT signature parameter set. The associated RTC PR is 124608 The associated Austin CMVC defect for Java 8 is 117602 The associated Austin CMVC defect for Java 7 & 727 is 117608 The associated Austin APAR is IV89529 JVMs affected : Java 8 & 7 The fix was delivered for: Java 8 SR4 FP5, Java 7 SR10 FP5, Java 727 SR4 FP5 The affected files: ibmcac.jar, ibmcac.dll (32 & 64 bit versions) The build level of this jar for Java 8 is "20170222" The build level of this jar for Java 7 & 727 is "20170307"
Temporary fix
Comments
APAR Information
APAR number
IV89529
Reported component name
TIV JAVA CRYPTO
Reported component ID
TIVSECJCE
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-28
Closed date
2017-03-08
Last modified date
2017-03-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA CRYPTO
Fixed component ID
TIVSECJCE
Applicable component levels
R100 PSY
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL42","label":"JCE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
08 March 2017