IZ62548: VALIDATION OF KEYS IN SYMMETRICKEYSET IS FAILING WHEN EKM IS USING HARDWARE CRYPTO AND KEYS ARE MARKED AS SENSITIVE


APAR status

  • Closed as program error.

Error description

  • Component: Tivoli EKM
    
    Build Level: 20090325
    
    JVM level: 150 SR10
    
    Problem Description:
    
    Validation of keys in symmetricKeySet fails when EKM is
    using hardware crypto and keys are marked as sensitive.
    
    EKM loads the keystore successfully and apparently finds
    the keys. It loops through the symmetricKeySet to validate
    them. Part of the validation is to check that the key length
    is correct. When the keys are sensitive, EKM cannot get the
    encoded key, so it cannot determine the size. At this point
    EKM assumes the keys are good, but fails to add them to the
    list of good keys. When it gets to the end of the
    symmetricKeySet, the list of good keys is empty. If you look
    further back in the audit log, you will see this message:
    
    Runtime event:[
      timestamp=Tue Sep 29 12:33:11 CDT 2009
      ComponentId=[threadId=Thread[main,5,main]]
      event source=com.ibm.keymanager.EKMServer
      outcome=[result=unsuccessful]
      event type=SECURITY_RUNTIME
      message=No valid DKI Aliases LTO Drives not supported. ErrorCode= 19
      resource=[name=Add AES or DES symmetric keys to symmetricKeySet to support LTO drives;type=file]
      action=stop
      ]
    
    
    EKM thinks it has no keys to serve.
    
    Other Notes: This defect seems to be a regression of APAR
    IZ35015.
    

Local fix

  • Level 3 to update
    

Problem summary

  • Validation of keys in symmetricKeySet fails when EKM is
    using hardware crypto and keys are marked as sensitive.
    
    EKM loads the keystore successfully and apparently finds
    the keys. It loops through the symmetricKeySet to validate
    them. Part of the validation is to check that the key length
    is correct. When the keys are sensitive, EKM cannot get the
    encoded key, so it cannot determine the size. At this point
    EKM assumes the keys are good, but fails to add them to the
    list of good keys. When it gets to the end of the
    symmetricKeySet, the list of good keys is empty. If you look
    further back in the audit log, you will see this message:
    
    Runtime event:[
      timestamp=Tue Sep 29 12:33:11 CDT 2009
      ComponentId=[threadId=Thread[main,5,main]]
      event source=com.ibm.keymanager.EKMServer
      outcome=[result=unsuccessful]
      event type=SECURITY_RUNTIME
      message=No valid DKI Aliases LTO Drives not supported. ErrorCode= 19
      resource=[name=Add AES or DES symmetric keys to symmetricKeySet to support LTO drives;type=file]
      action=stop
      ]
    
    
    EKM thinks it has no keys to serve.
    

Problem conclusion

  • Fixed in IBMKeyManagementServer.jar:  Build 20091123
    
    Hursley Defect 159207
    1.4.2 sr13-fp4; 5.0 sr12 and 5.0 SR11 FP1; 6.0 sr7
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ62548

  • Reported component name

    TIV TAPE ENCRY

  • Reported component ID

    TIVOEKM00

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-10-05

  • Closed date

    2009-11-30

  • Last modified date

    2010-04-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV TAPE ENCRY

  • Fixed component ID

    TIVOEKM00

Applicable component levels

  • R100 PSY

       UP




Document information


More support for:

Tivoli Components - Java Security
EKM

Software version:

100

Reference #:

IZ62548

Modified date:

2010-04-29
