IBM Support

IZ35015: SYMMETRICKEYSET APPEARS TO BE EMPTY WHEN USING HARDWARE CRYPTO WITH KEYS MARKED AS SENSITIVE

APAR status

  • Closed as program error.

Error description

  • Component: EKM
    
    Envt: 3584/LTO4, ekm 20080306, running on AIX
    
    IBM JAVA 150 SR7
    
    The audit log shows that EKM failed to validate any of the keys
    in the symmetricKeySet range.  Here is the audit event on
    startup of EKM.
    
    Runtime event:[
      timestamp=Tue Aug 26 15:41:13 CDT 2008
      ComponentId=[threadId=Thread[main,5,main]]
      event source=com.ibm.keymanager.EKMServer
      outcome=[result=unsuccessful]
      event type=SECURITY_RUNTIME
      message=No valid DKI Aliases LTO Drives not supported.
    ErrorCode= 19
      resource=[name=Add AES or DES symmetric keys to
    symmetricKeySet to support LTO drives;type=file]
      action=stop
      ]
    
    
    There is a bug in the validation of the keys.
    

Local fix

  • Mark keys as non-sensitive in hardware crypto config
    

Problem summary

  • EKM using a PKCS11 keystore with the keys marked sensitive does
    not add these keys to the list of available keys in the server.
    

Problem conclusion

  • The problem was fixed in the EKM 2.1 package. Build date
    20081020
    
    Manifest-Version: 1.0
    Ant-Version: Apache Ant 1.5.3
    Created-By: 1.4.2 (IBM Corporation)
    Implementation-Version: 2.1
    Implementation-Title: Encryption Key Management Server
    Implementation-Vendor: IBM Corporation
    Build-Level: 2.1-20081020
    
    LDAP Defect 105908.
    

Temporary fix

  • Workaround: Mark keys as non-sensitive
    

Comments

APAR Information

  • APAR number

    IZ35015

  • Reported component name

    TIV TAPE ENCRY

  • Reported component ID

    TIVOEKM00

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-10-16

  • Closed date

    2008-10-29

  • Last modified date

    2008-10-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV TAPE ENCRY

  • Fixed component ID

    TIVOEKM00

Applicable component levels

  • R100 PSN

       UP

Document Information

Modified date:
29 October 2008