APAR status
Closed as program error.
Error description
Component: Tivoli EKM
Build Level: 20090325
JVM level: 150 SR10
Problem Description: Validation of keys in the symmetricKeySet fails when EKM is using hardware crypto and the keys are marked as sensitive. EKM loads the keystore successfully and apparently finds the keys. It then loops through the symmetricKeySet to validate them. Part of the validation is to check that the key length is correct. When the keys are sensitive, EKM cannot get the encoded key, so it cannot determine the size. At this point EKM assumes the keys are good, but fails to add them to the list of good keys. When it gets to the end of the symmetricKeySet, the list of good keys contains 0 keys. If you look further back in the audit log, you will see this message:
Runtime event:[ timestamp=Tue Sep 29 12:33:11 CDT 2009 ComponentId=[threadId=Thread[main,5,main]] event source=com.ibm.keymanager.EKMServer outcome=[result=unsuccessful] event type=SECURITY_RUNTIME message=No valid DKI Aliases LTO Drives not supported. ErrorCode= 19 resource=[name=Add AES or DES symmetric keys to symmetricKeySet to support LTO drives;type=file] action=stop ]
EKM thinks it has no keys to serve.
Other Notes: This defect seems to be a regression of APAR IZ35015.
Local fix
Level 3 to update
Problem summary
Validation of keys in the symmetricKeySet fails when EKM is using hardware crypto and the keys are marked as sensitive. EKM loads the keystore successfully and apparently finds the keys. It then loops through the symmetricKeySet to validate them. Part of the validation is to check that the key length is correct. When the keys are sensitive, EKM cannot get the encoded key, so it cannot determine the size. At this point EKM assumes the keys are good, but fails to add them to the list of good keys. When it gets to the end of the symmetricKeySet, the list of good keys contains 0 keys. If you look further back in the audit log, you will see this message:
Runtime event:[ timestamp=Tue Sep 29 12:33:11 CDT 2009 ComponentId=[threadId=Thread[main,5,main]] event source=com.ibm.keymanager.EKMServer outcome=[result=unsuccessful] event type=SECURITY_RUNTIME message=No valid DKI Aliases LTO Drives not supported. ErrorCode= 19 resource=[name=Add AES or DES symmetric keys to symmetricKeySet to support LTO drives;type=file] action=stop ]
EKM thinks it has no keys to serve.
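The failure mode described above, reduced to a short Java sketch. This is an added illustration, not EKM source code and not the shipped fix: the class and method names, the key aliases, the 256-bit length policy and the corrected loop are all assumptions made for the example. It relies on the `java.security.Key` contract that `getEncoded()` returns null when a key does not expose its encoding, as is the case for a key held as sensitive on a hardware token.

```java
import java.util.*;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SensitiveKeyValidation {
    // Constructed stand-in for a hardware-token key marked sensitive:
    // the token never releases the key bytes, so getEncoded() returns null.
    static final class SensitiveKey implements SecretKey {
        public String getAlgorithm() { return "AES"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    // Assumed policy for this sketch: 256-bit AES keys only.
    static boolean lengthOk(byte[] raw) { return raw.length == 32; }

    // Defect pattern: an unreadable key is "assumed good" but never recorded.
    static List<String> validateBuggy(Map<String, SecretKey> keySet) {
        List<String> good = new ArrayList<>();
        for (Map.Entry<String, SecretKey> e : keySet.entrySet()) {
            byte[] raw = e.getValue().getEncoded();
            if (raw == null) continue;               // skipped, not added
            if (lengthOk(raw)) good.add(e.getKey());
        }
        return good;
    }

    // Corrected pattern: a key whose length cannot be read is accepted and
    // recorded; keys with readable material still get the length check.
    static List<String> validateFixed(Map<String, SecretKey> keySet) {
        List<String> good = new ArrayList<>();
        for (Map.Entry<String, SecretKey> e : keySet.entrySet()) {
            byte[] raw = e.getValue().getEncoded();
            if (raw == null || lengthOk(raw)) good.add(e.getKey());
        }
        return good;
    }

    public static void main(String[] args) {
        Map<String, SecretKey> keySet = new LinkedHashMap<>();   // constructed aliases
        keySet.put("hwkey000000000000001", new SensitiveKey());
        keySet.put("hwkey000000000000002", new SensitiveKey());
        System.out.println("buggy good list size: " + validateBuggy(keySet).size());
        System.out.println("fixed good list size: " + validateFixed(keySet).size());
        keySet.put("swkey-short", new SecretKeySpec(new byte[5], "AES"));
        System.out.println("fixed still rejects short key: " + validateFixed(keySet));
    }
}
```

With only sensitive keys in the set, the first loop ends with an empty good list, which is the condition that produces the ErrorCode= 19 audit event quoted above.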
Problem conclusion
Fixed in IBMKeyManagementServer.jar: Build 20091123 Hursley Defect 159207 1.4.2 sr13-fp4; 5.0 sr12 and 5.0 SR11 FP1; 6.0 sr7
Temporary fix
Comments
APAR Information
APAR number
IZ62548
Reported component name
TIV TAPE ENCRY
Reported component ID
TIVOEKM00
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-10-05
Closed date
2009-11-30
Last modified date
2010-04-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV TAPE ENCRY
Fixed component ID
TIVOEKM00
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
29 April 2010