APAR status
Closed as program error.
Error description
Error Message: 1. New requirement for -locale <cc> option in iKeyman 2. Certificate chain is not properly generated with JKS keystore 3. Deleting a CA certificate does not remove it from keystore database" is displayed . Stack Trace: N/A .
Local fix
1) Workaround for deleting a CA certificate To delete a CA certifcate, we will need to first delete all the personal certificate signed by CA.
Problem summary
1. New requirement for -locale <cc> option in iKeyman: New requirement for -locale<cc> option to override the locale with the country code (cc) in ikeyman and ikeycmd. 2. Certificate chain issue with JKS keystore Certificate chain configured in JKS keystore, the certificates are stored as single element (chain length =1), it fails to recognize the chain. 3. CA certificate delete issue Deleting a CA certificate does not remove it from the keystore, when there is a personal certificate present signed by that CA certificate. As part of an internal defect fix ('b8506 - PFX import failure') in iKeyman version 8.0.412, iKeyman manually adds the missing signer certificates (CA). Thus, the CA certificate was deleted and added again.
Problem conclusion
1. New requirement for -locale <cc> option in iKeyman: 1) We can set the locale using the following options: Option1: ikeyman.exe/ikeycmd.exe -DDEFAULT_LOCALE=de Option2: ikeyman.exe/ikeycmd.exe -locale de 2) If both the options are present -locale overrides -D ikeyman.exe/ikeycmd.exe -DDEFAULT_LOCALE=de -locale fr 3) If the specified Locale is not found, iKeyman will set the default locale to English 2. Certificate chain issue with JKS keystore The receive certificate command in ikeyman/ikeycmd will build the certificate chain for JKS keystore. 3. CA certificate delete issue Only signer certificate with "" string alias is deleted, extracted from personal certificate and added to the keystore. This can fix the CA certficate delete issue in iKeyman. . This APAR will be fixed in the following Java Releases: 8 SR4 FP5 (8.0.4.5) 7 SR10 FP5 (7.0.10.5) 7 R1 SR4 FP5 (7.1.4.5) 6 SR16 FP45 (6.0.16.45) 6 R1 SR8 FP45 (6.1.8.45) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV93420
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-02-15
Closed date
2017-02-17
Last modified date
2017-02-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R270 PSY
UP
R260 PSY
UP
R600 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020