IBM Support

IZ67832: CUSTOMER CERTIFICATES' CRL DISTRIBUTION POINTS CONTAINS ONLY DN'S RATHER THAN URL'S

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Component: IBM CERTPATH
    ==========
    
    Abstract:    Customer certificates' CRL Distribution Points
    contains only DN's rather than URL's.
    
    Description:
    ============
    
    The customer is generating their own certificates, and
    is, therefore, acting as their own certificate authority. The
    CRL Distribution Points within their certificates carry only a
    DN (directory name).  Such DN's couldbe used only if CertPath
    were supplied with one or more matching LDAPCertStores.
    Unfortunately, CertPath does not currently contain logic to mate
    these DN's to any LDAPCertStores which may have been passed in.
    
    Other Details:
    ==============
    
    This problem affects Java 1.4.2, 5.0, and 6.0.
    The affected jar is ibmcertpathprovider.jar.
    
    The Austin CMVC defects are 109266 and 109276.
    The build level of ibmcertpathprovider.jar for Java 1.4.2 is
    20100111_2.
    The build levels of ibmcertpathprovider.jar for Java 5.0 and 6.0
    are 20100111.
    
    The associated Hursley CMVC defect is 160546.
    

Local fix

  • Level 3 to update
    

Problem summary

  • CRLDistributionPoints typically carry either an LDAP URL
    or an HTTP URL.  The CRLDistributionPoints within this
    customer's certificates
    carry only a DN (a.k.a. distinguished name or directory name).
    These DN's are
    the vehicle that the customer is relying upon to locate all
    CRLs.  Unfortunately, the CertPath
    component is not utilizing this information, and is throwing a
    "revocation status could not
    be determined" exception for each certificate chain
    built/validated.
    
    At least two things are required for CertPath to be able to
    utilize this information:
    1) The caller must supply CertPath with at least one
    LDAPCertStore.
    2) Logic must be added to CertPath to use the supplied DN
    to search the supplied LDAPCertStore(s) for the CRL, and save
    the retrieved
    CRL(s) within its CRL cache.  This logic does not yet exist.
    A fix has been applied to the method  CRSChecker.setCRLCache( )
    .
    
    The customer also had an LDAP object that contained both a
    certificateRevocationList attribute
    and an authorityRevocationList attribute.  The
    authorityRevocationList attribute was to be used
    to determine the revocation status of the intermediate CA
    certificate within the certificate chain
    being validated.  The CertPath.LDAPCertStoreImpl class was not
    requesting the authorityRevocationList'
    attribute from the LDAP server.  This caused CertPath to report
    the revocation status of the
    intermediate CA certificate as "undetermined".   A fix has been
    applied to the LDAPCertStoreImpl
    class to also request the authorityRevocationList attribute, if
    any.
    

Problem conclusion

  • Logic has been added to the CRSChecker.setCRLCache() method and
    to the
    LDAPCertStoreImpl.engineGetCRLs( ) method
    for this problem.
    
    The associated Hursley CMVC defects are 160546 and 160617.
    The associated Austin CMVC defects are 109266, 109276, and
    109292.
    The fix is available in:
    1.4.2 SR13 FP5
    5.0   SR11 FP3
    6.0   SR8  FP1
    
    The Austin CMVC defects are 109266 and 109276.
    The associated Hursley CMVC defect is 160546.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ67832

  • Reported component name

    TIV JAVA CERT P

  • Reported component ID

    TIVSECJCP

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-01-11

  • Closed date

    2010-04-29

  • Last modified date

    2011-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA CERT P

  • Fixed component ID

    TIVSECJCP

Applicable component levels

  • R100 PSY

       UP

[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSWKFH","label":"Tivoli Components - Java Security"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
26 April 2011