PM19056: DC ATTRIBUTE ENCODINGS AS IA5STRING AND PRINTABLESTRING

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: While using the Java Security CertPath component
    to validate a certificate chain within which the Subject DN
    contains a "DC" attribute, the customer experiences a
    "certificate chaining error".
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • Some time ago, an error was discovered within the Java Security
    PKCS component where it would incorrectly DER encode the "DC"
    attribute of a distinguished name as a PrintableString.  When
    this error was discovered, a fix was made to PKCS so that it
    would encode the "DC" attribute properly as an IA5String (refer
    to RFC 2253).  Unfortunately, one or more IBM/Tivoli customers
    had already generated certificates which contained distinguished
    names with DC attributes encoded as PrintableString's.  While
    trying to validate these older certificates with the Java
    Security CertPath component (and with the fix to PKCS above),
    these customers experienced a "certificate chaining error"
    because the updated PKCS component was trying to match a DC
    attribute encoded as an IA5String to one encoded as a
    PrintableString.
    

Problem conclusion

  • This defect will be fixed in:
    1.4.2 SR13 FP8
    5.0.0 SR12
    6.0.0 SR9
    .
    A fix has been made to the Java Security PKCS component which
    enables it to tolerate a "DC" attribute encoded as a
    PrintableString when it is comparing the attribute value pairs
    of a distinguished name.
    .
    To obtain the fix:
    Install build 20100918 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM19056

  • Reported component name

    JAVA(1.3/1.4 CO

  • Reported component ID

    5648C9800

  • Reported release

    42A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-07-23

  • Closed date

    2010-09-17

  • Last modified date

    2011-01-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ80890 IZ80904

Fix information

  • Fixed component name

    JAVA(1.3/1.4 CO

  • Fixed component ID

    5648C9800

Applicable component levels

  • R42A PSN

       UP

  • R42L PSN

       UP

  • R42W PSN

       UP

  • R420 PSN

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

z/OS family

Software version:

1.4.2

Reference #:

PM19056

Modified date:

2011-01-05

Translate my page

Machine Translation

Content navigation