APAR status
Closed as program error.
Error description
Envt:
-----
IBM JVM 160 SR7

Problem Description:
--------------------
Support Verisign certificates in which keyIdentifier is MISSING in the AuthorityKeyIdentifier field

Error/Exception:
-----------------
PKIX path building failed: java.security.cert.CertPathBuilderException: invalid certificate, key identifier is missing from authority key identifier extension

JDK Affected:
--------------
1.6.0

Jar Affected:
-------------
ibmcertpathprovider.jar

History of the issue:
---------------------
The certpath build is failing because the KeyIdentifier field is not found in the AuthorityKeyIdentifier field in the Verisign intermediate certificate. The KeyIdentifier is a required field as per RFC 3280, section 4.2.1.1 Authority Key Identifier. As per RFC 3280, the key identifier field must be present in the Authority Key Identifier field, except in a root self-signed certificate.

Because many of our customers have received certificates without the KeyIdentifier, and we have made the corresponding change for JDK 1.4.2 and 1.5.0, we need the same change in 1.6.0.

Fixed in: IBM JVM 142 SR7
Hursley Defect Number: 110645
Official jar name: ibmcertpathprovider.jar
Official jar build-level: Build-Level: -20061006

This issue was fixed as defect 95520 for both 1.4.2 and 1.5.0 on 12/01/2006.

Additional Note:
----------------
This is NOT a CERTPATH code defect. CERTPATH is working as designed. This is a VERISIGN certificate defect. However, CERTPATH will be modified to accommodate the certificate defect in order to help customers using this faulty certificate.
Local fix
Level 3 to update
Problem summary
For certain intermediate CA certificates, Verisign does not include a key identifier within the Authority Key Identifier certificate extension. The key identifier is required by RFC 5280. Some time ago, a change was made to the IBM CertPath component for the Java 1.4.2 and 5.0 releases to disable the check which throws an exception if the key identifier is not present. This APAR is being used to deliver the same fix for Java 6.0.
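To find which certificates in a chain carry an Authority Key Identifier extension without the key identifier, the following added example (not IBM's code and not part of the APAR) walks DER bytes and lists the AKI fields present. The function names are hypothetical and the sample byte strings are constructed extension fragments, not real Verisign certificates.

```python
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier
AKI_FIELDS = {0: "keyIdentifier", 1: "authorityCertIssuer",
              2: "authorityCertSerialNumber"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_aki(der):
    """Depth-first search for the AKI Extension; return its extnValue contents."""
    for tag, val in children(der):
        if not tag & 0x20:                  # primitive: nothing to descend into
            continue
        kids = children(val)
        if tag == 0x30 and kids and kids[0] == (0x06, AKI_OID):
            return kids[-1][1]              # OCTET STRING wrapping the AKI SEQUENCE
        found = find_aki(val)
        if found is not None:
            return found
    return None

def aki_fields(der):
    """Field names present in the AKI, or None when there is no AKI extension."""
    ext = find_aki(der)
    if ext is None:
        return None
    _, seq, _ = read_tlv(ext, 0)
    return [AKI_FIELDS.get(t & 0x1F, "unknown") for t, _ in children(seq)]

def missing_key_identifier(der):
    fields = aki_fields(der)
    return fields is not None and "keyIdentifier" not in fields

# Constructed samples (assumptions): AKI with keyIdentifier; [3] extensions with
# basicConstraints plus an issuer/serial-only AKI; basicConstraints alone.
WITH_KEYID = bytes.fromhex("300f0603551d23040830068004deadbeef")
ISSUER_SERIAL_ONLY = bytes.fromhex("a3273025300f0603551d130101ff040530030101ff"
                                   "30120603551d23040b3009a104a4023000820101")
NO_AKI = bytes.fromhex("300f0603551d130101ff040530030101ff")
```

Because the search is generic over constructed elements, the same functions accept a complete DER-encoded certificate (for example, the base64-decoded body of a PEM file).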
Problem conclusion
The associated Hursley CMVC defect is 167487. The associated Austin CMVC defect is 111041. The fix is being dropped for Java 6.0 SR9. The affected jar is "ibmcertpathprovider.jar". The build level of this jar for Java 6.0 is 20100621.
Temporary fix
Comments
APAR Information
APAR number
IZ77615
Reported component name
TIV JAVA CERT P
Reported component ID
TIVSECJCP
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-06-17
Closed date
2010-06-22
Last modified date
2011-04-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA CERT P
Fixed component ID
TIVSECJCP
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
06 April 2011