APAR status
Closed as program error.
Error description
Error Message:
Pb 1. Certificate validation failed in iKeyman with the error message "Validation failed: Missing intermediate or root certificate".
Pb 2. Review new CA certificates: some new Entrust CAs are not in iKeyman.
Stack Trace: N/A
Local fix
For the iKeyman validation failure (Pb 1), the workaround is for the user to ignore this iKeyman warning, as the gsk8capicmd validation passes.
Problem summary
Pb 1. The certificate validated through the native GSK command (gskcapicmd) and the openssl command, but failed to validate through iKeyman.
Pb 2. Entrust has been using new CAs to issue certificates for customers, and these CAs are not in iKeyman.
Problem conclusion
Pb 1. iKeyman has a problem validating certificates when it uses the subject name as the validation selector. It appears that the subject name in this certificate is complex and the selection requires an exact match. The problem can be resolved in iKeyman by changing the code to use the entire certificate as the selector rather than a string representation of the subject name.
Pb 2. The following new Entrust CAs were added: "Entrust.net Certification Authority (2048) 29", "Entrust Root Certification Authority - EC1", "Entrust Root Certification Authority - EV", "Entrust Root Certification Authority - G2".
This APAR will be fixed in the following Java Releases:
6 SR16 FP4 (6.0.16.4)
7 SR9 (7.0.9.0)
8 SR1 (8.0.1.0)
7 R1 SR3 (7.1.3.0)
6 R1 SR8 FP4 (6.1.8.4)
Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV71427
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-03-24
Closed date
2015-04-01
Last modified date
2015-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
IV71428 IV71429
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSY
UP
R260 PSY
UP
R270 PSY
UP
Document Information
Modified date:
07 December 2020