APAR status
Closed as program error.
Error description
java.security.ProviderException: Failure in engineDoFinal when encrypting data. This seems to occur when encrypting larger amounts of data for Java 8 SR 6 FP 10 when using IBMJCEPlus provider. Error Message, as reported by customer: java.security.ProviderException: Failure in engineDoFinal
Local fix
Use the IBMJCE provider
Problem summary
javax.crypto.AEADBadTagException: ICC_AES_GCM_En/DecryptFinal failed. This occurs on JDK 8 and effects the IBMJCEPlus provider from the ibmjceplus.jar file. ERROR DESCRIPTION: ***Three different customers have reported this same issue*** The below exception occurs when the application starts exchanging data over SSL with IBMJCEPlus. This started occurring after upgrading to Java 8.0.6.10. This problem is not present if IBMJCE is used: [6/10/20 20:51:21:558 CEST] 00000089 SystemErr R javax.crypto.AEADBadTagException: ICC_AES_GCM_En/DecryptFinal failed [6/10/20 20:51:21:558 CEST] 00000089 SystemErr R at com.ibm.crypto.plus.provider.AESGCMCipher.engineDoFinal(AESGCMCi pher.java:114) [6/10/20 20:51:21:558 CEST] 00000089 SystemErr R at javax.crypto.Cipher.doFinal(Unknown Source) [6/10/20 20:51:21:558 CEST] 00000089 SystemErr R at com.ibm.jsse2.n.a(n.java:34) [6/10/20 20:51:21:558 CEST] 00000089 SystemErr R at com.ibm.jsse2.b.a(b.java:96) [6/10/20 20:51:21:559 CEST] 00000089 SystemErr R at com.ibm.jsse2.av.a(av.java:957) [6/10/20 20:51:21:559 CEST] 00000089 SystemErr R at com.ibm.jsse2.av.a(av.java:513) [6/10/20 20:51:21:559 CEST] 00000089 SystemErr R at com.ibm.jsse2.f.read(f.java:9) [6/10/20 20:51:21:559 CEST] 00000089 SystemErr R at com.ibm.rmi.iiop.Connection.readMoreData(Connection.java:1781) [6/10/20 20:51:21:559 CEST] 00000089 SystemErr R at com.ibm.rmi.iiop.Connection.createInputStream(Connection.java:15 69) [6/10/20 20:51:21:560 CEST] 00000089 SystemErr R at com.ibm.rmi.iiop.Connection.doReaderWorkOnce(Connection.java:343 9) [6/10/20 20:51:21:560 CEST] 00000089 SystemErr R at com.ibm.rmi.transport.ReaderThread.run(ReaderPoolImpl.java:131) [6/10/20 20:51:21:560 CEST] 00000089 SystemOut O ICC_AES_GCM_En/DecryptFinal failed [6/10/20 20:51:21:560 CEST] 00000089 SystemOut O Padded plaintext after DECRYPTION: len = 18 [6/10/20 20:51:21:560 CEST] 00000089 SystemOut O 0000: 02 50 9d ab bd 41 80 57 97 cd 6e 15 ba 0c 22 34 .P...A.W..n....4 0010: a9 a8 ..
Problem conclusion
The problem was caused because the output buffer was the same size as the input buffer. Since, the tag is added to the output buffer the output buffer needs to be larger by the tag length. GIT - 321 RTC - 144143 Build - 07/28/2020 Austin APAR - IJ25832 Binary effected - ibmjceplus.jar JVM to be delivered in - JDK 8 SR6 FP25
Temporary fix
Comments
APAR Information
APAR number
IJ25832
Reported component name
TIV JAVA CRYPTO
Reported component ID
TIVSECJCE
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-26
Closed date
2020-08-24
Last modified date
2020-11-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
999
Fix information
Fixed component name
TIV JAVA CRYPTO
Fixed component ID
TIVSECJCE
Applicable component levels
[{"Line of Business":{"code":null,"label":null},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSWKFH","label":"Tivoli Components - Java Security"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"600"}]
Document Information
Modified date:
19 November 2020