IBM Support

IC92878: (SSP) + NCIPHER NETHSM: JAVA.IO.IOEXCEPTION: THE PASSWORD COULD NOT LOAD ANY OF THE CARDS PROTECTING THIS KEY.


APAR status

  • Closed as program error.

Error description

  • Problem Description
    
    When configuring SSP to work with nCipher NetHSM devices,
    several issues were encountered.
    
    When applying a newer version of Certicom libraries (as
    supplied by L3), the following error started occurring:
    
    java.io.IOException: The password could not load any of the cards protecting this key.
            at com.ncipher.provider.km.KMKeyStore.engineLoad(KMKeyStore.java:832)
            at java.security.KeyStore.load(KeyStore.java:414)
            at com.sterlingcommerce.security.keycert.KeyCertificate.openKeyStore(KeyCertificate.java:1116)
            at com.sterlingcommerce.security.keycert.KeyCertificate.load(KeyCertificate.java:581)
            at com.sterlingcommerce.csp.
    

Local fix

  • STRRTC - 376904
    DE/RJ
    Circumvention:
    Update to latest SSP Build
    

Problem summary

  • The customer uses an nCipher netHSM Hardware Security Module
    (HSM device) to store their private keys. The netHSM device
    requires a password to access the keystore, which may be
    different than the passphrases of the private keys that are
    stored on it. The customer loads keys into the keystore and
    assigns them passphrases. When the customer stops and starts
    the engine, the passphrase for the first keycert that requires
    the HSM is used to access the netHSM keystore, which generates
    the error:
      java.io.IOException: The password could not load any of the cards protecting this key.
    The engine code that opens the HSM keystore was erroneously
    using the keycert passphrase to open the HSM keystore.
    The workaround is to ensure that the first keycert that is
    loaded from the HSM at engine startup has the same passphrase
    as the HSM keystore.
    

Problem conclusion

  • Corrected the engine code to properly send the HSM keystore
    passphrase when opening the HSM keystore for the first time.
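
    The defect and the correction described above, reproduced as an added example that is not IBM's engine code. It assumes a software JCEKS keystore as a stand-in for the netHSM keystore (no nCipher provider is used); the class name, alias and both secrets are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

public class KeystoreVsKeyPassphrase {
    // Constructed sample secrets; the two values differ on purpose.
    static final char[] STORE_PASSWORD = "store-password".toCharArray();
    static final char[] KEY_PASSPHRASE = "keycert-passphrase".toCharArray();
    static final String ALIAS = "first-keycert"; // hypothetical alias

    // Build an in-memory JCEKS keystore (assumed stand-in for the HSM keystore).
    static byte[] buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        Key key = KeyGenerator.getInstance("AES").generateKey();
        ks.setKeyEntry(ALIAS, key, KEY_PASSPHRASE, null); // entry protected by the key passphrase
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD);                    // store protected by the keystore password
        return out.toByteArray();
    }

    // Open the store with one secret, then read the entry with another.
    static Key open(byte[] store, char[] storeSecret, char[] keySecret) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), storeSecret);
        return ks.getKey(ALIAS, keySecret);
    }

    public static void main(String[] args) throws Exception {
        byte[] store = buildStore();
        try {
            // Defect pattern: the keycert passphrase is passed as the keystore password.
            open(store, KEY_PASSPHRASE, KEY_PASSPHRASE);
            System.out.println("unexpected: store opened with key passphrase");
        } catch (IOException e) {
            // KeyStore.load rejects the wrong store password with an IOException.
            System.out.println("load failed: " + e.getMessage());
        }
        // Corrected pattern: each secret goes to the call that owns it.
        Key k = open(store, STORE_PASSWORD, KEY_PASSPHRASE);
        System.out.println("loaded key algorithm: " + k.getAlgorithm());
    }
}
```

    If the two secrets happen to be equal, the defect pattern succeeds, which is why the workaround in the problem summary masks the error.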
    

Temporary fix

  • Supplied new Engine jars which correctly send the HSM keystore
    password.
    

Comments

APAR Information

  • APAR number

    IC92878

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-06-06

  • Closed date

    2013-06-21

  • Last modified date

    2013-06-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP


Document Information

Modified date:
21 June 2013