IBM Support

PH55605: ECDSA SIGNATURE SUPPORT FOR IBMJCEHYBRID

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: The following errors are thrown when attempting
    to use an ECDSA key with IBMJCEHybrid as the first provider in
    the java.security file:
    <OSB>ERROR<CSB> CWPKI0033E: The keystore located at
    safkeyringhybrid://IZUSVR/IZURING did not load because of the
    following error: Errors encountered loading keyring. Keyring
    could not be loaded as a JCECCARACFKS or JCERACFKS keystore.
    java.io.IOException: Errors encountered loading keyring. Keyring
    could not be loaded as a JCECCARACFKS or JCERACFKS keystore.
    Exception#0 java.security.InvalidParameterException: Key is not
    an instance of the
    com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey class.
    Exception#1 java.security.InvalidParameterException: Key is not
    an instance of the RSAPrivateKey class.
    .
    Stack Trace:
    .
    

Local fix

  • N/A
    

Problem summary

  • The error only happens with an ECDSA cert when IBMJCEHybrid is
    at the top of the java.security provider list. Hybrid only
    checks for RSA and not ECDSA, so it was routing to use IBMJCECCA
    with RSA, due to the fact that there is no support for ECDSA
    keys in Hybrid.
    

Problem conclusion

  • ECDSA key support is being added as a service to fix the error
    happening when IBMJCEHybrid is at the top of the java.security
    provider list. Support will be added for all Java versions (8,
    11, 17).
    .
    This APAR will be fixed in the following Releases:
    .
    IBM Semeru Runtimes
       11              11.0.21.0
       17              17.0.9.0
    IBM SDK, Java Technology Edition
       8    SR8 FP15  (8.0.8.15)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    maintenance can be found at:
               https://www.ibm.com/support/pages/java-sdk
    

Temporary fix

  • The temporary fix suggested is to put the IBMJCECCA provider
    higher than IBMJCEHybrid in the java.security file (or IBMJCE
    for Java 8).
    

Comments

APAR Information

  • APAR number

    PH55605

  • Reported component name

    JAVA Z/OS 64

  • Reported component ID

    620700104

  • Reported release

    B00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-07-07

  • Closed date

    2023-10-31

  • Last modified date

    2023-10-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA Z/OS 64

  • Fixed component ID

    620700104

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
01 November 2023