APAR status
Closed as program error.
Error description
Error Message: The following errors are thrown when attempting to use an ECDSA key with IBMJCEHybrid as the first provider in the java.security file: <OSB>ERROR<CSB> CWPKI0033E: The keystore located at safkeyringhybrid://IZUSVR/IZURING did not load because of the following error: Errors encountered loading keyring. Keyring could not be loaded as a JCECCARACFKS or JCERACFKS keystore. java.io.IOException: Errors encountered loading keyring. Keyring could not be loaded as a JCECCARACFKS or JCERACFKS keystore. Exception#0 java.security.InvalidParameterException: Key is not an instance of the com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey class. Exception#1 java.security.InvalidParameterException: Key is not an instance of the RSAPrivateKey class. . Stack Trace: .
Local fix
N/A
Problem summary
The error only happens with an ECDSA cert when IBMJCEHybrid is at the top of the java.security provider list. Hybrid only checks for RSA and not ECDSA, so it was routing to use IBMJCECCA with RSA, due to the fact that there is no support for ECDSA keys in Hybrid.
Problem conclusion
ECDSA key support is being added as a service to fix the error happening when IBMJCEHybrid is at the top of the java.security provider list. Support will be added for all Java versions (8, 11, 17). . This APAR will be fixed in the following Releases: . IBM Semeru Runtimes 11 11.0.21.0 17 17.0.9.0 IBM SDK, Java Technology Edition 8 SR8 FP15 (8.0.8.15) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
The temporary fix suggested is to put the IBMJCECCA provider higher than IBMJCEHybrid in the java.security file (or IBMJCE for Java 8).
Comments
APAR Information
APAR number
PH55605
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
B00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-07-07
Closed date
2023-10-31
Last modified date
2023-10-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
01 November 2023