IBM Support

PH18751: EXCEPTIONS WHEN USING KEYSTORE ID="DEFAULTKEYSTORE" AFTER UPGRADING TO FIX PACK 19.0.0.9 ON Z/OS.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • After upgrading to WebSphere Liberty fix pack 19.0.0.9 on
    z/OS,
    errors with the SAF keyring can be encountered if the
    keystore
    id is "defaultKeyStore".
    
    Some errors that could be indicative
    of this problem are:
    
    java.io.IOException: Error in Ring_name
    length or RACF_userid length
    
    CWPKI0033E: The keystore located
    at safkeyring:/ExampleKeyring did not load because of the
    following error: Errors encountered loading keyring. Keyring
    could not be loaded as a JCECCARACFKS or JCERACFKS keystore.
    
    
    CWPKI0024E: The certificate alias MySampleAlias specified by
    the property com.ibm.ssl.keyStoreServerAlias is not found in
    KeyStore safkeyringhw:/LIBERTY.MYKEYRING.
    
    An additional symptom is:
    CWWKO0801E: Unable to initialize SSL connection. Unauthorized
    access was denied or security settings have expired.
    
    This may occur when uprgrading to z/OS Connect V3.0.26 or
    z/OS Connect V3.0.27 as it ships WebSphere Liberty 19.0.0.9.
    
    This applies to
    z/OS only!
    

Local fix

  • Rename the keyStore id in the server.xml to something other
    than defaultKeyStore, e.g.
     
    <ssl id="defaultSSLConfig"
    keyStoreRef="myKeyStore" />&#160;
    <keyStore id="myKeyStore"
    location="safkeyring:///WASTEST" type="JCERACFKS"
    password="password" fileBased="false" readOnly="true" />
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM Websphere Application      *
    *                  Server Liberty for z/OS running 19.0.0.9    *
    *                  and 19.0.0.10.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: After installing 19.0.0.9 or 19.0.0.10  *
    *                      AppServer customers using SAFKeyrings   *
    *                      may fail to start with CWPKI0033E or    *
    *                      CWPKI0024E messages.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    19.0.0.9 introduced a change that breaks SAFKeyring access when
    the server configuration contains a <keyStore> element with an
    id equal to "defaultKeyStore". ie:
    <keyStore id="defaultKeyStore" location="safkeyring:///WASTEST"
    type="JCERACFKS"  password="password" fileBased="false"
    readOnly="true" />
    
    The id=defaultKeyStore results in special handling and that
    handling is now broken.
    

Problem conclusion

  • Code has been changed to correct processing of <keyStore>
    configuration elements with a specific id of "defaultKeyStore".
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 19.0.0.11.  Please refer to the Recommended Updates page
    for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • Rename the keyStore id in the server.xml to something other
    than defaultKeyStore, e.g.
    &#160;
    <ssl id="defaultSSLConfig" keyStoreRef="myKeyStore" />&#160;
    <keyStore id="myKeyStore" location="safkeyring:///WASTEST"
    type="JCERACFKS" password="password" fileBased="false"
    readOnly="true" />
    

Comments

APAR Information

  • APAR number

    PH18751

  • Reported component name

    LIBERTY PROF -

  • Reported component ID

    5655W6514

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-11-01

  • Closed date

    2019-11-08

  • Last modified date

    2020-02-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROF -

  • Fixed component ID

    5655W6514

Applicable component levels

  • RCD0 PSY

       UP

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"CD0","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
14 December 2020