APAR status
Closed as program error.
Error description
Error Message: N/A
Stack Trace: N/A

The customer attempted to list the contents of a fresh PKCS11IMPLKS keystore instance and found no PrivateKeyEntry entries listed for the private keys that were present on the crypto hardware. It is important to note that the customer was using third-party tools to create these private keys on the crypto hardware instead of either the IBMPKCS11Impl provider API or the keytool utility.
Local fix
Problem summary
When a PrivateKeyEntry is added to a PKCS11IMPLKS keystore using either the IBMPKCS11Impl provider API or keytool, the PKCS11IMPLKS keystore adds a label/alias to the private key. This enables the PKCS11IMPLKS keystore to later create/load a fresh keystore instance by searching the crypto hardware for private keys that contain a label and creating a PrivateKeyEntry for each. In other words, the PKCS11IMPLKS keystore did not attempt to create a PrivateKeyEntry for private keys that did not contain a label/alias.

The problem described by this APAR was discovered by a customer who was using third-party tools to create private key objects and certificate objects on the crypto hardware. The private key objects created did not contain a label/alias. When the PKCS11IMPLKS keystore created/loaded a fresh keystore instance from these objects, the private keys without labels/aliases were ignored. Therefore, when the customer attempted to list the contents of that fresh keystore instance, no PrivateKeyEntry entries were listed for the private keys.
Problem conclusion
The Java class that manages the PKCS11IMPLKS keystore has been modified to recognize and process all hardware private keys when it creates/loads a fresh keystore instance, regardless of whether the hardware private key contains a label/alias.

This APAR will be fixed in the following Java Releases:
6 SR16 FP20 (6.0.16.20)
6 R1 SR8 FP20 (6.1.8.20)
8 SR2 FP10 (8.0.2.10)
7 SR9 FP30 (7.0.9.30)
7 R1 SR3 FP30 (7.1.3.30)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
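
To check whether a given runtime shows the symptom described above, the following added example (not IBM's code and not part of the original APAR) loads a fresh PKCS11IMPLKS keystore instance and reports which aliases are PrivateKeyEntry entries and which are certificate-only. It assumes the IBMPKCS11Impl provider is already configured for the token in the JRE; the class name is hypothetical.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

public class ListHardwareKeyEntries {
    public static void main(String[] args) throws Exception {
        // Prompt for the token PIN so it never appears in argv or shell history.
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("Run from an interactive terminal");
        }
        char[] pin = console.readPassword("Token PIN: ");
        if (pin == null) {
            throw new IllegalStateException("No PIN entered");
        }

        // Assumption: the IBMPKCS11Impl provider is already configured for the
        // token in this JRE, so the PKCS11IMPLKS keystore type resolves.
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS");
        try {
            ks.load(null, pin); // hardware-backed keystore: no input stream
        } finally {
            Arrays.fill(pin, '\0'); // wipe the PIN from memory
        }

        int privateKeys = 0;
        int certOnly = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                privateKeys++;
                System.out.println("PrivateKeyEntry  : " + alias);
            } else if (ks.isCertificateEntry(alias)) {
                // May be a legitimate trusted certificate, or a certificate whose
                // private key on the token was skipped when the keystore loaded.
                certOnly++;
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : c.getType();
                System.out.println("Certificate only : " + alias + " (" + subject + ")");
            }
        }
        System.out.println(privateKeys + " private key entries, "
                + certOnly + " certificate-only entries");
    }
}
```

Compare the private key count with what the token vendor's own tool reports for the same slot: a lower count here, on a runtime older than the fix levels listed above, matches the behaviour this APAR describes.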
Temporary fix
Comments
APAR Information
APAR number
IV79144
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-11-20
Closed date
2015-11-30
Last modified date
2015-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSY
UP
R260 PSY
UP
R270 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020