IBM Support

PH07530: KEYS ARE NOT STORED IN ICSF WITH TRIPLE-LENGTH PCICC FORMAT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • tests show that they cannot allocate specific keys. One can
make
it work as soon as the keys are not stored in ICSF with
triple-
length PCICC.
So we need the capability to allow customers to select the
keystore/keystore-type which would allow type JCECCARACFKS
keystores.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Liberty on z/OS using hardware       *
*                  generated SSH keys in a collective.         *
****************************************************************
* PROBLEM DESCRIPTION: The collective controller create        *
*                      command fails when a keyring associated *
*                      to hardware generated SSH key are       *
*                      used.                                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
On z/OS, an existing keyring can be specified to be used by the
collective as the collective wide SSH key pair.
This is done by using the --safkeyring option in the collective
create command. However, when the --safkeyring
option is set to a keyring associated with a keypair generated
using a CCA cryptographic coprocessor where
the resulting private key is stored in the ICSF PKA key data set
(PKDS), the keys are not able to properly be
read and the command fails.

For example a command such as this:

collective create controller --
safKeyring=safkeyringhw:///HWKEYS.KEYRING ...

fails with the following error: ?Unable to read (or write) the
SSH keys.?

    



Problem conclusion


    

  • Code was added to allow the collective commands to properly
process hardware generated keys.

The fix for this APAR is currently targeted for inclusion in fix
pack 19.0.0.6.  Please refer to the Recommended Updates page for
delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH07530
    • 

  • Reported component name
    LIBERTY PROF -
    • 

  • Reported component ID
    5655W6514
    • 

  • Reported release
    CD0
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2019-01-21
    • 

  • Closed date
    2019-06-03
    • 

  • Last modified date
    2019-06-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    LIBERTY PROF -
    • 

  • Fixed component ID
    5655W6514
    • 



Applicable component levels


    

  • RCD0  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"CD0","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            17 June 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback