APAR status
Closed as program error.
Error description
After upgrading to WebSphere Liberty fix pack 19.0.0.9 on z/OS, errors with the SAF keyring can be encountered if the keystore id is "defaultKeyStore". Some errors that could be indicative of this problem are: java.io.IOException: Error in Ring_name length or RACF_userid length CWPKI0033E: The keystore located at safkeyring:/ExampleKeyring did not load because of the following error: Errors encountered loading keyring. Keyring could not be loaded as a JCECCARACFKS or JCERACFKS keystore. CWPKI0024E: The certificate alias MySampleAlias specified by the property com.ibm.ssl.keyStoreServerAlias is not found in KeyStore safkeyringhw:/LIBERTY.MYKEYRING. An additional symptom is: CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. This may occur when uprgrading to z/OS Connect V3.0.26 or z/OS Connect V3.0.27 as it ships WebSphere Liberty 19.0.0.9. This applies to z/OS only!
Local fix
Rename the keyStore id in the server.xml to something other than defaultKeyStore, e.g.   <ssl id="defaultSSLConfig" keyStoreRef="myKeyStore" />  <keyStore id="myKeyStore" location="safkeyring:///WASTEST" type="JCERACFKS" password="password" fileBased="false" readOnly="true" />
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM Websphere Application * * Server Liberty for z/OS running 19.0.0.9 * * and 19.0.0.10. * **************************************************************** * PROBLEM DESCRIPTION: After installing 19.0.0.9 or 19.0.0.10 * * AppServer customers using SAFKeyrings * * may fail to start with CWPKI0033E or * * CWPKI0024E messages. * **************************************************************** * RECOMMENDATION: * **************************************************************** 19.0.0.9 introduced a change that breaks SAFKeyring access when the server configuration contains a <keyStore> element with an id equal to "defaultKeyStore". ie: <keyStore id="defaultKeyStore" location="safkeyring:///WASTEST" type="JCERACFKS" password="password" fileBased="false" readOnly="true" /> The id=defaultKeyStore results in special handling and that handling is now broken.
Problem conclusion
Code has been changed to correct processing of <keyStore> configuration elements with a specific id of "defaultKeyStore". The fix for this APAR is currently targeted for inclusion in fix pack 19.0.0.11. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Rename the keyStore id in the server.xml to something other than defaultKeyStore, e.g.   <ssl id="defaultSSLConfig" keyStoreRef="myKeyStore" />  <keyStore id="myKeyStore" location="safkeyring:///WASTEST" type="JCERACFKS" password="password" fileBased="false" readOnly="true" />
Comments
APAR Information
APAR number
PH18751
Reported component name
LIBERTY PROF -
Reported component ID
5655W6514
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-11-01
Closed date
2019-11-08
Last modified date
2020-02-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROF -
Fixed component ID
5655W6514
Applicable component levels
RCD0 PSY
UP
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"CD0","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
14 December 2020