IBM Support

OA66910: NOSUCHALGORITHMEXCEPTION FOR SUNJCE SECURITY PROVIDER IS SEEN AFTER APPLYING APAR OA66324 "MIGRATING TO SE 24/08/30 PTF PECHANGE

A fix is available


APAR status

  • Closed as program error.

Error description

  • After applying APAR OA66324 "MIGRATING TO SEMERU RUNTIME 17" and
    making the following changes, errors are still seen.

    Change CLASSPATH to just this:
    CLASSPATH=/usr/include/java_classes/ifaedjreg.jar
    CLASSPATH=$CLASSPATH:/usr/lpp/encryptionfacility/CSDEncryptionFacility-java17.jar:/usr/lpp/java/J17.0_64/lib/ext//*.jar

    Next code:
    JAVA_OPT="$JAVA_OPT --add-exports=java.base/com.sun.crypto.provider.SunJCE=ALL-UNNAMED

    These are the errors seen:
    Class com/ibm/encryptionfacility/openpgp/facility/digsig/DigitalSignatureFactory(unnamedmodule 0x0000000080086A30) can not acce
    com/sun/crypto/provider/SunJCE(java.base) because module
    java.base does not export package com/sun/crypto/provider to
    module unnamed module 0x0000000080086A30

    The customer added this line:
    JAVA_OPT="$JAVA_OPT --add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED"

    Then got this error:
    java.security.NoSuchAlgorithmException: no such algorithm: SHA1withRSA for provider SunJCE
    
    PE INFORMATION:
    USERS AFFECTED:
    Users at release HCF7740 with APAR OA66324 installed; the
    affected PTF is listed below.
    
    HCF7740 UJ95530
    
    USER IMPACT:
    APAR OA66324 is an APAR that provided support for using
    Semeru 17 to run Encryption Facility. Changes for this APAR
    included switching the software security provider used in parts
    of the code from IBMJCE to SunJCE, which causes an error because
    some algorithms supported by IBMJCE are not supported by
    SunJCE.
    

Local fix

  • BYPASS/CIRCUMVENTION:
    1. Remove the PE PTF from the system.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of EF who are using Semeru 17 and      *
    *                 using an RSA key greater than 2048 bits      *
    *                 while IBMJCECCA is listed first in the       *
    *                 security provider list.                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: While running with Semeru 17, using an  *
    *                      RSA key greater than 2048 bits while    *
    *                      IBMJCECCA is listed first in the        *
    *                      security provider list causes a         *
    *                      NoSuchAlgorithmException.               *
    ****************************************************************
    Problem Summary
    ---------------------------------------------------------------
    While running with Semeru 17, using an RSA key greater than 2048
    bits while IBMJCECCA is listed first in the security provider
    list causes a NoSuchAlgorithmException.
    

Problem conclusion

  • ---------------------------------------------------------------
    EF does not check for the RSA key size and IBMJCECCA security
    provider and instead calls the getInstance() function by default
    to find a security provider in the list that supports the
    specified algorithm. EF has a new max for hardware key size of
    4096 bits.
    
    The following changes were made to "Using Encryption Facility
    for OpenPGP" (SA23-2230):
    
    - The following note was added in the following sections:
        - In "Chapter 4. Encryption Facility for OpenPGP Commands"
          under section "JCE_PROVIDER_LIST"
    
        - In "Chapter 4. Encryption Facility for OpenPGP Commands"
          under section "RNG_JCE_PROVIDER"
    
        - In "Chapter 4. Encryption Facility for OpenPGP Commands"
          under section "-jce-providers"
    
    Note: Starting with IBM Semeru Runtime Certified Edition for
    z/OS 11:
    
    - The IBMJCE provider is no longer supported, use OpenJCEPlus
      instead.
    
    - Configure security providers using the provider name instead
      of the fully qualified class name. Example: For hardware
      cryptographic acceleration, use IBMJCECCA instead of
      com.ibm.crypto.hdwrCCA.provider.IBMJCECCA.
    
    For more information, see the IBM Semeru Runtime Certified
    Edition for z/OS 11 security guide.
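
The difference between a provider-pinned lookup and the provider-list lookup described above, as an added Java example (not IBM's or Encryption Facility's code). It assumes a stock OpenJDK 17 provider set, where RSA signatures are registered by SunRsaSign rather than SunJCE; the class name ProviderLookupDemo and the sample message are constructed, and IBMJCECCA is not exercised.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderLookupDemo {               // hypothetical class name
    static final String ALG = "SHA1withRSA";    // algorithm named in the APAR's error text

    public static void main(String[] args) throws Exception {
        // List installed providers in preference order and whether each one
        // registers a Signature service for ALG.
        for (Provider p : Security.getProviders()) {
            boolean has = p.getService("Signature", ALG) != null;
            System.out.printf("%-16s Signature.%s: %s%n", p.getName(), ALG, has ? "yes" : "no");
        }

        // Pinned lookup: only the named provider is consulted, so it fails when
        // that provider lacks the algorithm, even if another provider has it.
        try {
            Signature.getInstance(ALG, "SunJCE");
            System.out.println("SunJCE supplied " + ALG);
        } catch (NoSuchAlgorithmException e) {
            System.out.println("pinned lookup failed: " + e.getMessage());
        }

        // Provider-less lookup: the JCA walks the provider list and picks the
        // first provider that supports both the algorithm and the key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(4096);                    // key size above 2048 bits
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(ALG);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        System.out.println("signed by provider: " + signer.getProvider().getName());

        Signature verifier = Signature.getInstance(ALG);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("verified: " + verifier.verify(sig));
    }
}
```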
    

Temporary fix

Comments

  • ×**** PE25/04/02 FIX IN ERROR. SEE APAR OA67696  FOR DESCRIPTION
    

APAR Information

  • APAR number

    OA66910

  • Reported component name

    ENCRYPTION FACI

  • Reported component ID

    5752XXFIL

  • Reported release

    740

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-08-26

  • Closed date

    2025-01-29

  • Last modified date

    2025-05-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ96600

Modules/Macros

  • CSDENC17 CSDENCRY
    

Publications Referenced
SA232230XX    

Fix information

  • Fixed component name

    ENCRYPTION FACI

  • Fixed component ID

    5752XXFIL

Applicable component levels

  • R740 PSY UJ96600

       UP25/01/31 P F501 {

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
10 May 2025