IBM Support

OA67696: AFTER THE APPLY OF OA66910, CHANGES ARE NEEDED TO PREVENT ERROR: CSD1359I THE SPECIFIED PROVIDER IBMJCECCA 25/05/09 PTF PECHANGE

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After the apply of OA66910, additional changes are needed to
prevent error: CSD1359I The specified provider IBMJCECCA is not
valid.

When using Java 8 with this APAR applied, the following changes
are needed:
1) add
security.provider.nn=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
to the java.security file. (where nn is the next number)
2) in the ibmef.config file, change this: JCE_PROVIDER_LIST
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA to JCE_PROVIDER_LIST
IBMJCECCA
also change RNG_JCE_PROVIDER
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA to RNG_JCE_PROVIDER
IBMJCECCA

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: Users of the EF who have applied the APAR    *
*                 OA66910 or later,                            *
*                 there was change in the behavior of the      *
*                 EF, where it expects the change of           *
*                 java.security and ibmef.config files.        *
*                 Without these changes all EF operations      *
*                 would fail with the below error              *
*                 CSD1359I The specified provider              *
*                 com.ibm.crypto.hdwrCCA.provider.IBMJCECCA    *
*                 is not valid.                                *
****************************************************************
* PROBLEM DESCRIPTION: Users of the EF who have applied the    *
*                      APAR OA66910 or later, java.security    *
*                      and ibmef.config files needs to be      *
*                      aligned as per below convention,        *
*                                                              *
*                      1. With Java 8 configured,              *
*                      security providers should use the       *
*                      fully qualified class name in           *
*                      java.security file.                     *
*                      2. With Java 17 configured,             *
*                      security providers should just use the  *
*                      provider name in java.security          *
*                                                              *
*                      JCE_PROVIDER_LIST and RNG_JCE_PROVIDER  *
*                      should be configured with provider      *
*                      names instead of fully classified names *
*                      in ibmef.config.                        *
*                                                              *
*                      Without                                 *
*                      these changes all EF operations         *
*                      would fail with below error: CSD1359I   *
*                      The specified provider                  *
*                      com.ibm.crypto.hdwrCCA.provider.IBMJCE  *
*                      is not valid.                           *
****************************************************************
* RECOMMENDATION: Users of the EF who have applied the APAR    *
*                 OA66910 or later,                            *
*                 1. With Java 8 configured,                   *
*                    security providers should use the fully   *
*                    qualified class name in java.security.    *
*                    Example: For hardware cryptographic       *
*                    acceleration, add                         *
*                   security.provider.nn=                      *
*                   com.ibm.crypto.hdwrCCA.provider.IBMJCECCA  *
*                    to the java.security file, where nn is    *
*                    the next number.                          *
*                 2. With Java 17 configured,                  *
*                    security providers should just use the    *
*                    provider name in java.security            *
*                                                              *
*                 for both Java17 and Java8 JCE_PROVIDER_LIST  *
*                 and RNG_JCE_PROVIDER should be configured    *
*                 with provider names instead of fully         *
*                  classified names in ibmef.config.           *
*                                                              *
*                 Use JCE_PROVIDER_LIST IBMJCECCA              *
*                 Use RNG_JCE_PROVIDER IBMJCECCA               *
****************************************************************
Problem Summary
---------------------------------------------------------------
Users of the EF who have applied the APAR OA66910 or later,
java.security and ibmef.config files needs to be
aligned as per below convention,

1. With Java 8 configured, security providers should use the
fully qualified class name in java.security file.
2. With Java 17 configured, security providers should just use
 the provider name in java.security

for both Java17 and Java8 JCE_PROVIDER_LIST and RNG_JCE_PROVIDER
 should be configured with provider names instead of fully
 classified names in ibmef.config.

Without
these changes all EF operations would fail with below error
 CSD1359I The specified provider
 com.ibm.crypto.hdwrCCA.provider.IBMJCE is not valid.

    



Problem conclusion


    

  • ----------------------------------------------------------------
The following changes were made to "Using Encryption Facility
for OpenPGP" (SA23-2230):

- The following note was updated in the following sections:
    - In "Chapter 4. Encryption Facility for OpenPGP Commands"
      under section "JCE_PROVIDER_LIST"

    - In "Chapter 4. Encryption Facility for OpenPGP Commands"
      under section "RNG_JCE_PROVIDER"

    - In "Chapter 4. Encryption Facility for OpenPGP Commands"
      under section "-jce-providers"

If you are using Java 8 with APAR OA66910 or later,
- Configure security providers in the java.security file using
the fully qualified class name. Example: For hardware
cryptographic acceleration, add
security.provider.nn=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
to the java.security file, where nn is the next number.
- In the ibmef.config file, set JCE_PROVIDER_LIST and
RNG_JCE_PROVIDER using the provider name,
not the fully qualified class name.
Use JCE_PROVIDER_LIST IBMJCECCA instead of JCE_PROVIDER_LIST
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
Use RNG_JCE_PROVIDER IBMJCECCA instead of RNG_JCE_PROVIDER
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA

If you are using Java 17 with APAR OA66910 or later,
- Configure java.security, JCE_PROVIDER_LIST, and
RNG_JCE_PROVIDER using provider names. Example: For hardware
cryptographic acceleration, add security.provider.nn=IBMJCECCA
to the java.security file, where nn is the next number.

- In the ibmef.config file, set JCE_PROVIDER_LIST and
RNG_JCE_PROVIDER using the provider name,not the fully
 qualified class name.
Use JCE_PROVIDER_LIST IBMJCECCA instead of JCE_PROVIDER_LIST
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
Use RNG_JCE_PROVIDER IBMJCECCA instead of RNG_JCE_PROVIDER
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    OA67696
    • 

  • Reported component name
    ENCRYPTION FACI
    • 

  • Reported component ID
    5752XXFIL
    • 

  • Reported release
    740
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    YesPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2025-04-02
    • 

  • Closed date
    2025-05-09
    • 

  • Last modified date
    2025-05-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UJ97153
    

    • 



Modules/Macros


    

  • CSDENC17 CSDENCRY

    



Fix information


    

  • Fixed component name
    ENCRYPTION FACI
    • 

  • Fixed component ID
    5752XXFIL
    • 



Applicable component levels


    

  • R740  PSY  UJ97153
       UP25/05/10  I  1000  {
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG19O"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"740"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 May 2025
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback