PK90103: NULLPOINTEREXCEPTION WHEN USING KEYTOOL WHEN NOT USING UNRESTRICTED POLICY FILES

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • External Symptoms
    When using the KeyTool command, the command fails right after
    the password is entered. It fails with a NullPointerException
    at com.ibm.crypto.tools.KeyTool.a(Unknown Source)
    at com.ibm.crypto.tools.KeyTool.a(Unknown Source)
    at com.ibm.crypto.tools.KeyTool.run(Unknown Source)
    at com.ibm.crypto.tools.KeyTool.main(Unknown Source)
    
    Additional Keywords
    KeyTool NPE
    
    Verification Steps
    Run with the below traces enabled:
    -J-Djava.security.auth.debug=all
    -J-Djavax.net.debug=true
    Within the trace output you will find:
    Cipher: (Thread[main,5,main]) Crypto Permission check failed
    Cipher: (Thread[main,5,main]) granted: (CryptoPermission * 128)
    Cipher: (Thread[main,5,main]) requesting: (CryptoPermission PBE
    168)
    com.ibm.misc.Debug exception
    FINER: com.ibm.security.pkcs12.BasicPFX getBags
    java.security.InvalidKeyException: Illegal key size
    

Local fix

  • To fix this problem, there are 2 files found in your
    <JAVA_HOME>/demo/jce/policy-files/unrestricted
    directory that need to be copied into
    <JAVA_HOME>/lib/security
    The two files that need to be copied are US_export_policy.jar
    and
    local_policy.jar
    Be sure that the file permissions in the newly copied files are
    the same as the file permissions on the original files in
    <JAVA_HOME>/lib/security
    
    Contact Level 2 for interim fix.
    

Problem summary

  • issue 1- PKCS12 Key Stores across 1.4.2, 5.0, and 6.0 need to
    support certificates which are signed with MD5withRSA.
    issue 2- KeyTool has a NPE when creating a JKS keystore by an
    import from a P12 flat file with restricted policy files.
    

Problem conclusion

  • This defect will be fixed in:
    5.0.0 SR11
    6.0.0 SR6
    1.4.2 SR13 FP2
    .
    issue 1- The fix is to allow for additional types of signatures
    to be recognized in the 3 P12 keystore types.
    issue 2- The fix is to check whether the parsed certificates
    from the file creates a null array of certificates.
    .
    To obtain the fix:
    Install build 20090732 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK90103

  • Reported component name

    JAVA 5 Z/OS 31

  • Reported component ID

    620500105

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-06-29

  • Closed date

    2009-08-17

  • Last modified date

    2009-08-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ58170 PK94003

Fix information

  • Fixed component name

    JAVA 5 Z/OS 31

  • Fixed component ID

    620500105

Applicable component levels

  • R500 PSN

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

z/OS family

Software version:

5.0

Reference #:

PK90103

Modified date:

2009-08-17

Translate my page

Machine Translation

Content navigation