APAR status
Closed as program error.
Error description
Error Message: EKM will not start up, receiving the following error:

javax.crypto.BadPaddingException: Given final block not properly padded
    at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
    at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
    at javax.crypto.Cipher.doFinal(Unknown Source)
    at com.ibm.keymanager.keygroups.b.a.a(a.java:15)

Stack Trace: N/A

When changing the keystore password in EKM using the following command in keytool:

    keytool -storepasswd -v -all -new "xxxxxxxxxxxx" -keystore /u/ekm/EKMKeystore -storepass "yyyyyyyyyyyy" -storetype jceks

EKM will not start up, receiving the following error:
Local fix
Have changed back to old password temporarily
Problem summary
Password in KeyGroups.xml file also needs to be changed
Problem conclusion
This defect will be fixed in:
5.0.0 SR11-fp2
6.0.0 Sr8
1.4.2 Sr13

The EKM IPUG also needs modification. In Chapter 3: "Installing the Encryption Key Manager and Keystores", under Main heading: "Generating Keys and Aliases for Encryption on LTO 4", under Sub Heading: "Changing Keystore Passwords", information in green as shown below needs to be added (information in blue below is already present in the EKM IPUG).

Changing Keystore Passwords

Note: Once you have set the keystore password, do not change it unless its security has been breached. The passwords are obfuscated to eliminate any security exposure.

Changing the keystore password requires that the password on every key in that keystore be changed individually using the following keytool command. To change the keystore password enter:

    keytool -keypasswd -keypass old_passwd -new new_passwd -alias alias -keystore keystorename -storetype keystoretype

You must also edit KeyManagerConfig.properties to change the keystore password in every server configuration file property where it is specified using one of these methods:

- Delete the entire obfuscated password and allow the Encryption Key Manager to prompt on the next startup.
- Delete the entire obfuscated password and type the new password in the clear. It will be obfuscated on the next startup.

If the createkeygroup command had been run earlier to add keygroup entries in the KeyGroups.xml file, you must also run the following command to update the EncryptionKey attribute in the KeyGroups.xml file:

    java com.ibm.keymanager.tools.EKMKeyGroupKeyModifier <Server Configuration Properties Filename> <KeyGroup password>

Server Configuration Properties Filename is the Server's Configuration Properties filename having the updated keystore password.
KeyGroup password is the password that was specified while running the createkeygroup command.

e.g.:

    java com.ibm.keymanager.tools.EKMKeyGroupKeyModifier KeyManagerConfig.properties passphrase

To obtain the fix: Install build 20100205 or later
Temporary fix
Comments
APAR Information
APAR number
IZ68999
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-02-02
Closed date
2010-04-22
Last modified date
2010-04-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSN
UP
Document Information
Modified date:
07 December 2020