IBM Support

IZ75980: INTEROP ISSUE BETWEEN SUN AND IBM JGSS WHEN USING OLD ENCRYPTION TYPES

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Description:
    In IBM's implementation, the delegated credential from Initiator
    is always encrypted as  the  KRB-CRED message, RFC4120 states
    some implementations do not separately encrypt the contents of
    the EncKrbCredPart of the KRB-CRED message when sending it,
    such as Sun's only encrypts for certain newer encryption types.
    This breaks the interop between IBM and Sun if Initiator and
    Acceptor sits on each side for those old encryption types(DES,
    TripleDES).
    
    This affects JDK 142, JDK 5.0, JDK 6.0
    The jars affected: ibmjgssprovider.jar
    
    Customer reported issue when using IBM JGSS client on 160 SR7
    and SUN JDK/JGSS as server (JBOSS).
    
    Error message noticed at SUN server end:
    ----------------------------------------
    
    GSSException: Failure unspecified at GSS-API level (Mechanism
    level: EncryptedData is encrypted using keytype DES CBC mode
    with MD5 but decryption key is of type NULL)
     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown
    Source)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown
    Source)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown
    Source)
    
    
    Problem to be fixed in 6.0 sr9.
    

Local fix

  • Level 3 to update
    

Problem summary

  • In IBM's implementation, the delegated credential from Initiator
    is always encrypted as  the  KRB-CRED message, RFC4120 states
    some implementations do not separately encrypt the contents of
    the EncKrbCredPart of the KRB-CRED message when sending it,
    such as, Sun's only encrypts for certain newer encryption types.
    This breaks the interop between IBM and Sun if Initiator and
    Acceptor sits on each side for those old encryption types(DES,
    TripleDES).
    The acceptor side does check the both encrypted and
    non-encrypted for old encryption types, so the this fix won't
    affect previous version of JGSS.
    

Problem conclusion

  • JARs affected:
    ibmjgssprovider.jar
    
    JVMs affected:
    JDK 142, JDK 5.0, JDK 6.0.
    
    This defect will be fixed in:
    1.4.2 SR13 FP6
    5.0.0 SR12
    6.0.0 SR8 FP1
    .
    The build date  is 20100517. Hursley CMVC defect number is
    166081.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ75980

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-05-13

  • Closed date

    2010-05-18

  • Last modified date

    2010-07-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL44","label":"JGSS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
08 July 2010