PK90103: NULLPOINTEREXCEPTION WHEN USING KEYTOOL WHEN NOT USING UNRESTRICTED POLICY FILES
Closed as program error.
External Symptoms When using the KeyTool command, the command fails right after the password is entered. It fails with a NullPointerException at com.ibm.crypto.tools.KeyTool.a(Unknown Source) at com.ibm.crypto.tools.KeyTool.a(Unknown Source) at com.ibm.crypto.tools.KeyTool.run(Unknown Source) at com.ibm.crypto.tools.KeyTool.main(Unknown Source) Additional Keywords KeyTool NPE Verification Steps Run with the below traces enabled: -J-Djava.security.auth.debug=all -J-Djavax.net.debug=true Within the trace output you will find: Cipher: (Thread[main,5,main]) Crypto Permission check failed Cipher: (Thread[main,5,main]) granted: (CryptoPermission * 128) Cipher: (Thread[main,5,main]) requesting: (CryptoPermission PBE 168) com.ibm.misc.Debug exception FINER: com.ibm.security.pkcs12.BasicPFX getBags java.security.InvalidKeyException: Illegal key size
To fix this problem, there are 2 files found in your <JAVA_HOME>/demo/jce/policy-files/unrestricted directory that need to be copied into <JAVA_HOME>/lib/security The two files that need to be copied are US_export_policy.jar and local_policy.jar Be sure that the file permissions in the newly copied files are the same as the file permissions on the original files in <JAVA_HOME>/lib/security Contact Level 2 for interim fix.
issue 1- PKCS12 Key Stores across 1.4.2, 5.0, and 6.0 need to support certificates which are signed with MD5withRSA. issue 2- KeyTool has a NPE when creating a JKS keystore by an import from a P12 flat file with restricted policy files.
This defect will be fixed in: 5.0.0 SR11 6.0.0 SR6 1.4.2 SR13 FP2 . issue 1- The fix is to allow for additional types of signatures to be recognized in the 3 P12 keystore types. issue 2- The fix is to check whether the parsed certificates from the file creates a null array of certificates. . To obtain the fix: Install build 20090732 or later
Reported component name
JAVA 5 Z/OS 31
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
JAVA 5 Z/OS 31
Fixed component ID
Applicable component levels