This blog post is to provide details to externalize known issue with signing algorithm used for DB2 monitoring agent certificates shipped in .jar files.
APAR IJ03816 - ITCAM FOR DB2 MONITORING AGENT - UD - SHIPS WITH CERTIFICATES IN KUD_RESOURCES.JAR
Installing application support for latest UD agent maintenance interim fix, or latest UD agent release, results in errors in TEP due to signing of certificate files in kud_resources.jar file using old MD5 signing algorithm.
This forces customers to have to manually resign .jar files with "jarsigner" utility to use a supported signing algorithm.
Version 7.1.0 Interim Fix 0005
Passport Advantage part number CNN24ML.
Tivoli Composite Application Manager Agent for DB2 7.1.1
All currently available UD agent application support are signed with MD5 algorithm.
Screenshot of error reported in TEP:
Application Blocked by Security Settings
Name: kud_resources.jar TEP resource
The Java security settings have prevented this application from running.
You may change this behavior in the Java Control Panel.
Using "jarsigner" utility from current Java will display a warning message indicating that the kud_resources.jar file will be treated as unsigned due to a disabled signing algorithm:
- Signed by "CN=International Business Machines Corporation,
OU="IBM Systems, Middleware", O=International Business
Machines Corporation, L=Durham, ST=North Carolina, C=US"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is
signed with a weak algorithm that is now disabled by the
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
For security reasons, Oracle replaced allowed algorithms for signing JARs.
Oracle JRE and JDK Cryptographic Roadmap
JAR files signed with MD5 algorithms are treated as unsigned
Disabled SHA-1 in TLS Server certificate chains anchored by
roots included by default in Oracle's JDK; local or enterprise
CAs are not affected.
Time stamping in jarsigner requests SHA-256, rather than
SHA-1 by default.
Upcoming change mid-January 2018:
JAR files signed with DSA keys less than 1024 bits will be
treated as unsigned JARs.
The certificates are NOT expired, using an older version of Java to provide jarsigner will validate the certificates that are shipped in kud_resources.jar and show the certificate expiration date of 12/9/23:
[certificate is valid from 12/9/13 7:00 PM to 12/9/23 6:59 PM]
Contact IBM Support to have .jar files re-signed.
Resigning .jar files will update the signature algorithm to use SHA1withRSA instead of MD5:
jarsigner.exe -verify -verbose -certs C:\kud_resources_resigned.jar
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=Symantec Time Stamping Services Signer - G4,
O=Symantec Corporation, C=US" on Mon Jul 24 17:09:04 UTC 2017
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
How to verify the certificate of jar files?
Java SE Downloads
DB2 Agent Java application's digital certification expired
Tivoli Enterprise Portal (TEP) client jar file certificates expire April 16, 2016
Reference DCF technotes:
Additional ITM Agent Insights series of IBM Tivoli Monitoring Agent blogs are indexed under ITM Agent Insights: Introduction.
Subscribe and follow us for all the latest information directly on your social feeds: