IBM Support

PK77490: Message and documentation improvements for Keytool in support of symmetric (secret) keys.


APAR status

  • Closed as fixed if next.

Error description

  • 1.
    $ keytool -genseckey -alias myseckey -keyalg AES -keysize 256
    Enter keystore password:
    
    Enter key password for <myseckey>:
            (RETURN if same as keystore password):
    
    keytool error (likely untranslated):
    java.security.KeyStoreException: Cannot store non-PrivateKeys
    
    
    The message should read:
    JKS key store type only supports asymmetric (public/private)
    keys. For secret keys try storetype JCEKS
    
    2.
    keytool -help and -ekmhelp for -exportseckey lists the
    following suboptions
    -exportseckey      [-v]
                 [-alias <alias> | aliasrange <aliasRange>]
                                          [-keyalias <keyalias>]
                 [-keystore <keystore>] [-storepass <storepass>]
                 [-keypass <keypass>]
                 [-storetype <storetype>] [-providerName <name>]
                 [-exportfile <exportfile>]
    
    When -exportseckey is used with those suboptions, no valid error
    message is displayed; only the -help report is displayed instead
    of the -ekmhelp output.
    
    3.
    The keytool -exportseckey command needs the -keypass suboption
    
    4.
    The keytool -exportseckey without the -keyalias suboption and
    with the -keypass suboption works.
    
    It is not clear which -keyalias is used along with the -keypass
    suboption.
    
    The missing -keyalias should generate an error indicating that
    the -keyalias suboption is missing.
    
    5.
    The keytool -exportseckey command needs the -storetype suboption
    if the default store type is JKS, because of #1 above.
    
    
    
    
    KEYWORDS:
    KEYTOOL EXPORTSECKEY HELP EKMHELP -EXPORTSECKEY -HELP -EKMHELP
    KEYPASS -KEYPASS STORETYPE -STORETYPE JKS JCEKS
    

Local fix

  • Use:
    keytool -exportseckey -alias AAAA -keyalias KKKK -storetype
         JCEKS -exportfile FFFF -keypass PPPP
    Where:
    AAAA is the secret key alias
    KKKK is the public key alias
    FFFF is the export filename
    PPPP is the public key password
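
Items 1 and 5 of the error description come down to the keystore type: a JKS store rejects a secret key, while a JCEKS store accepts it. The Java program below is an added example, not part of the APAR or of IBM's code; it shows the same behaviour through the standard java.security.KeyStore API using in-memory keystores. The class name and password are constructed for illustration, and the exact exception text depends on the JRE's keystore provider.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SecretKeyStoreTypes {
    static final String ALIAS = "myseckey"; // alias used in item 1 of the APAR

    // Try to store a secret key in a new, empty keystore of the given type.
    // Returns a one-line result instead of throwing, so both types can be compared.
    static String tryStore(String storeType, SecretKey key, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, password); // null stream = create an empty keystore
        try {
            ks.setEntry(ALIAS,
                        new KeyStore.SecretKeyEntry(key),
                        new KeyStore.PasswordProtection(password));
        } catch (KeyStoreException e) {
            // JKS lands here: it can only hold private keys and certificates.
            return storeType + ": rejected, " + e.getMessage();
        }
        // Serialise the store to confirm the entry survives a write.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        boolean isSecret = ks.entryInstanceOf(ALIAS, KeyStore.SecretKeyEntry.class);
        return storeType + ": stored, secret key entry = " + isSecret
                + ", keystore size = " + out.size() + " bytes";
    }

    public static void main(String[] args) throws Exception {
        // Same key parameters as the failing command: AES, 256 bits.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        char[] password = "changeit-example".toCharArray(); // constructed sample value

        System.out.println(tryStore("JKS", key, password));
        System.out.println(tryStore("JCEKS", key, password));
    }
}
```

When the default store type is JKS, the keytool equivalent of the JCEKS branch is to pass -storetype JCEKS, as in the local fix above.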
    

Problem summary

  • The 5.0 KeyTool displays the standard help message when running
    an EKM-specific command.
    
    6.0 does not have this problem.
    
    Documentation updated.
    
    These issues have been addressed by Tivoli APARs IZ43545 and
    IZ43546
    

Problem conclusion

Temporary fix

  • Run keytool -ekmhelp
    

Comments

APAR Information

  • APAR number

    PK77490

  • Reported component name

    JAVA 5 Z/OS 31

  • Reported component ID

    620500105

  • Reported release

    500

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-12-15

  • Closed date

    2009-03-31

  • Last modified date

    2009-03-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R500 PSY

       UP


Document Information

Modified date:
09 August 2022