IBM Support

PH59794: TLS HANDSHAKE ISSUE WITH SAF DB RSA SOFTWARE KEY WITH IBMJCEHYBRID AND IBMJCECCA

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: A TLS handshake error can happen when using
    IBMJCEHYBRID as the first security provider and using a
    JCECCARACFKS keystore with the cert RSA private key stored in
    the SAF database versus ICSF PKDS.
    .
    Stack Trace: IBMJCEHybridException: Object state does not permit
    failover.
    Exception#0 java.security.InvalidKeyException: Key is not
    RSASSA-PSS compatible
    Stack Trace:
    at
    com.ibm.crypto.hdwrCCA.provider.RSAPSSSignature.engineInitSign(R
    SAPSSSignature.java:99)
    at
    java.security.Signature$Delegate.engineInitSign(Signature.java:1
    337)
    at java.security.Signature.initSign(Signature.java:627)
    at
    com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.initSign(Hy
    bridSignature.java:1012)
    at
    com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.engineInitS
    ign(HybridSignature.java:952)
    at
    java.security.SignatureSpi.engineInitSign(SignatureSpi.java:141)
    .
    

Local fix

  • Using the RSA software keys in the ICSF PKDS or RACF and loading
    them using JCEHYBRIDRACFKS or JCECCARACFKS can resolve the
    issue.
    

Problem summary

  • A TLS handshake error can happen when using IBMJCEHYBRID as the
    first security provider and using a JCECCARACFKS keystore with
    the cert RSA private key stored in the SAF database versus ICSF
    PKDS.
    

Problem conclusion

  • The RSA Software keys are translated properly to be processed by
    IBMJCEHYBRID to proceed with the TLS handshake.
    .
    This APAR will be fixed in the following Releases:
    .
    IBM Semeru Runtimes
       11              11.0.23.0
       17              17.0.11.0
    IBM SDK, Java Technology Edition
       8    SR8 FP25   8.0.8.25
    .
    Downloads and supplementary documentation can be found at the
    following locations:
    - For the z/OS operating system:
      - Java SDK Products on z/OS
        https://www.ibm.com/support/pages/java-sdk-products-zos
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH59794

  • Reported component name

    JAVA Z/OS 64

  • Reported component ID

    620700104

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-02-14

  • Closed date

    2024-02-15

  • Last modified date

    2024-04-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA Z/OS 64

  • Fixed component ID

    620700104

Applicable component levels

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
21 April 2024