A fix is available
APAR status
Closed as program error.
Error description
After upgrading to CICS TS v5.5, the Liberty JVM server starts up reporting the following exception: . EYUCMCIJ: IBMKeyManager: Exception accessing default keystore: java.io.IOException: Keystore was tampered with, or password was incorrect EYUCMCIJ: default context init failed: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect . or . Caused by: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect at com.ibm.jsse2.ah.a(ah.java:100) at com.ibm.jsse2.aj.g(aj.java:4) at com.ibm.jsse2.aj.<init>(aj.java:2) at sun.reflect.NativeConstructorAccessorImpl.newInstance0 at sun.reflect.NativeConstructorAccessorImpl.newInstance at sun.reflect.DelegatingConstructorAccessorImpl.newInstance at java.lang.reflect.Constructor.newInstance at java.security.Provider$Service.newInstance ... 9 more . This occurs when using an ESM-based keyring. It appears that Liberty is trying to load the CERT from the standard java keystore. Since the java keystore password for cacerts is not the default, the error occurs: In CICS 5.5, CICS CMCI Liberty code adds more code to call SSLContext sslContext = SSLContext.getInstance(sslProtocol, "IBMJSSE2") during validate the ciphers provided in TCPIPSSLCIPHERS(WFINBOUND.XML). The SSLContext.getInstance method results in the standard java keystore being loaded. This causes the password problem. . . . Additional Symptom(s) Search Keyword(s): KIXREVxxx
Local fix
Delete TCPIPSSLCIPHERS(WFINBOUND.XML)
Problem summary
**************************************************************** * USERS AFFECTED: All CICS Users. * **************************************************************** * PROBLEM DESCRIPTION: When validating the ciphers in the * * specified ciphers file, the standard * * Java keystore and trustStore are * * loaded which results in * * java.io.IOException. * **************************************************************** When starting up a CMCI Liberty server in a WUI region, CICS will configure ciphers from WUI server initialization parameter TCPIPSSLCIPHERS. When validating the ciphers, the standard Java keystore and trustStore are loaded which results in java.io.IOException.
Problem conclusion
CICS has been changed to validate the ciphers in the specified ciphers file using the SAF keyring.
Temporary fix
Comments
APAR Information
APAR number
PH08933
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-02-22
Closed date
2019-04-18
Last modified date
2019-05-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI62568
Modules/Macros
DFJ@H350
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R200 PSY UI62568
UP19/04/24 P F904
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.5","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.5","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 May 2019