APAR status
Closed as program error.
Error description
Component: IBM CERTPATH
==========
Abstract: Customer certificates' CRL Distribution Points contain only DNs rather than URLs.

Description:
============
The customer is generating their own certificates and is therefore acting as their own certificate authority. The CRL Distribution Points extension in these certificates carries only a DN (directory name), not an LDAP or HTTP URL. A directory name is a search base, not a fetchable location, so such a DN can be used only if CertPath is supplied with one or more matching LDAPCertStores. CertPath does not currently contain logic to match these DNs to any LDAPCertStores that may have been passed in, so the CRLs are never retrieved.

Other Details:
==============
This problem affects Java 1.4.2, 5.0, and 6.0. The affected jar is ibmcertpathprovider.jar. The Austin CMVC defects are 109266 and 109276. The build level of ibmcertpathprovider.jar for Java 1.4.2 is 20100111_2; the build level for Java 5.0 and 6.0 is 20100111. The associated Hursley CMVC defect is 160546.
Local fix
Level 3 to update
Problem summary
CRLDistributionPoints typically carry either an LDAP URL or an HTTP URL. The CRLDistributionPoints within this customer's certificates carry only a DN (a.k.a. distinguished name or directory name). These DNs are the only vehicle the customer relies on to locate CRLs. The CertPath component does not use this information and therefore throws a "revocation status could not be determined" exception for every certificate chain it builds or validates.

At least two things are required for CertPath to be able to use this information:
1) The caller must supply CertPath with at least one LDAPCertStore.
2) CertPath must use the supplied DN to search the supplied LDAPCertStore(s) for the CRL and save the retrieved CRL(s) in its CRL cache. This logic did not exist. A fix has been applied to the method CRSChecker.setCRLCache().

The customer's LDAP entry also contained both a certificateRevocationList attribute and an authorityRevocationList attribute. The authorityRevocationList attribute is the one that determines the revocation status of the intermediate CA certificate in the chain being validated. The CertPath.LDAPCertStoreImpl class requested only the certificateRevocationList attribute from the LDAP server, not authorityRevocationList, so CertPath reported the revocation status of the intermediate CA certificate as "undetermined". A fix has been applied to the LDAPCertStoreImpl class to also request the authorityRevocationList attribute when it is present.
Problem conclusion
Logic has been added to the CRSChecker.setCRLCache() method and to the LDAPCertStoreImpl.engineGetCRLs() method for this problem. The associated Hursley CMVC defects are 160546 and 160617. The associated Austin CMVC defects are 109266, 109276, and 109292.

The fix is available in:
1.4.2 SR13 FP5
5.0 SR11 FP3
6.0 SR8 FP1
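The summary above lists what the caller must do (supply at least one LDAPCertStore) and what the provider must do (resolve the DN against that store and cache the CRLs). The following is an added example, not IBM's code and not taken from this APAR, showing the caller side: it builds a PKIX validation with an LDAPCertStore, and, as a workaround for provider builds that predate the fix, pulls the CRLs by issuer DN itself and hands them to CertPath through a CollectionCertStore. The LDAP host and port, the certificate file arguments and the class name are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class DnCrlValidation {

    // Assumed values for the example; the APAR names no directory host or port.
    static final String LDAP_HOST = "ldap.example.com";
    static final int LDAP_PORT = 389;

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        InputStream in = new FileInputStream(file);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Look up every CRL whose issuer equals an issuer DN found in the chain.
    // This is the caller-side equivalent of the lookup the fixed provider does
    // itself: the directoryName distribution point is only a search key, so the
    // CRL has to come out of an LDAPCertStore. Whether the store also returns the
    // CA entry's authorityRevocationList depends on the provider build; the APAR
    // says the IBM LDAPCertStoreImpl did not request it before the fix.
    static Collection<X509CRL> fetchCrlsByIssuer(CertStore ldap, List<X509Certificate> chain)
            throws Exception {
        Collection<X509CRL> crls = new ArrayList<X509CRL>();
        for (X509Certificate c : chain) {
            X509CRLSelector sel = new X509CRLSelector();
            sel.addIssuer(c.getIssuerX500Principal());
            for (Object o : ldap.getCRLs(sel)) {
                crls.add((X509CRL) o);
            }
        }
        return crls;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: DnCrlValidation <end-entity.cer> <intermediate.cer> <root.cer>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = load(cf, args[0]);
        X509Certificate ca = load(cf, args[1]);
        X509Certificate root = load(cf, args[2]);

        List<X509Certificate> chain = Arrays.asList(ee, ca);
        CertPath path = cf.generateCertPath(chain);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));

        // Requirement 1 from the summary: give CertPath an LDAPCertStore so a
        // DN-only CRL distribution point has somewhere to be resolved.
        CertStore ldap = CertStore.getInstance("LDAP",
                new LDAPCertStoreParameters(LDAP_HOST, LDAP_PORT));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // keep revocation checking on; do not "fix" this by disabling it
        params.addCertStore(ldap);

        // Workaround for builds without the fix: fetch CRLs by issuer DN ourselves
        // and supply them through a CollectionCertStore alongside the LDAP store.
        Collection<X509CRL> crls = fetchCrlsByIssuer(ldap, chain);
        if (crls.isEmpty()) {
            System.err.println("no CRLs found in LDAP for the chain's issuers; "
                    + "expect 'revocation status could not be determined'");
        }
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult r =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("chain valid; anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("validation failed: " + e.getMessage());
        }
    }
}
```

The empty-result branch is the practitioner's check: if the issuer-DN search returns nothing, the problem is the directory (wrong search base, missing certificateRevocationList or authorityRevocationList attribute, wrong issuer DN in the CRL) rather than CertPath, and the validator will still report the revocation status as undetermined. Once a fixed ibmcertpathprovider.jar is in place, the CollectionCertStore step is redundant and only the LDAPCertStore is needed.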
Temporary fix
Comments
APAR Information
APAR number
IZ67832
Reported component name
TIV JAVA CERT P
Reported component ID
TIVSECJCP
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-01-11
Closed date
2010-04-29
Last modified date
2011-04-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA CERT P
Fixed component ID
TIVSECJCP
Applicable component levels
R100 PSY
UP
Business Unit: Security (BU008)
Product: Tivoli Components - Java Security (SSWKFH)
Platform: Platform Independent (PF025)
Version: 100
Document Information
Modified date:
26 April 2011