Skip to main content

PK90103: NULLPOINTEREXCEPTION WHEN USING KEYTOOL WHEN NOT USING UNRESTRICTED POLICY FILES


Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • External Symptoms
When using the KeyTool command, the command fails right after
the password is entered. It fails with a NullPointerException
at com.ibm.crypto.tools.KeyTool.a(Unknown Source)
at com.ibm.crypto.tools.KeyTool.a(Unknown Source)
at com.ibm.crypto.tools.KeyTool.run(Unknown Source)
at com.ibm.crypto.tools.KeyTool.main(Unknown Source)

Additional Keywords
KeyTool NPE

Verification Steps
Run with the below traces enabled:
-J-Djava.security.auth.debug=all
-J-Djavax.net.debug=true
Within the trace output you will find:
Cipher: (Thread[main,5,main]) Crypto Permission check failed
Cipher: (Thread[main,5,main]) granted: (CryptoPermission * 128)
Cipher: (Thread[main,5,main]) requesting: (CryptoPermission PBE
168)
com.ibm.misc.Debug exception
FINER: com.ibm.security.pkcs12.BasicPFX getBags
java.security.InvalidKeyException: Illegal key size

Local fix

  • To fix this problem, there are 2 files found in your
<JAVA_HOME>/demo/jce/policy-files/unrestricted
directory that need to be copied into
<JAVA_HOME>/lib/security
The two files that need to be copied are US_export_policy.jar
and
local_policy.jar
Be sure that the file permissions in the newly copied files are
the same as the file permissions on the original files in
<JAVA_HOME>/lib/security

Contact Level 2 for interim fix.

Problem summary

  • issue 1- PKCS12 Key Stores across 1.4.2, 5.0, and 6.0 need to
support certificates which are signed with MD5withRSA.
issue 2- KeyTool has a NPE when creating a JKS keystore by an
import from a P12 flat file with restricted policy files.

Problem conclusion

  • This defect will be fixed in:
5.0.0 SR11
6.0.0 SR6
1.4.2 SR13 FP2
.
issue 1- The fix is to allow for additional types of signatures
to be recognized in the 3 P12 keystore types.
issue 2- The fix is to check whether the parsed certificates
from the file creates a null array of certificates.
.
To obtain the fix:
Install build 20090732 or later

Temporary fix

  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    PK90103
    •  
    
  • Reported component name
    JAVA 5 Z/OS 31
    •  
    
  • Reported component ID
    620500105
    •  
    
  • Reported release
    500
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2009-06-29
    •  
    
  • Closed date
    2009-08-17
    •  
    
  • Last modified date
    2009-08-17
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
     IZ58170 PK94003
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    JAVA 5 Z/OS 31
    •  
   
  • Fixed component ID
    620500105
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R500 PSN
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
z/OS family

	




	
Software version:

	5.0

	





	
Reference #:

PK90103






Modified date:

2009-08-17








Translate my page














































 



Content navigation