APAR status
Closed as program error.
Error description
Error Message: A TLS handshake error can happen when using IBMJCEHYBRID as the first security provider and using a JCECCARACFKS keystore with the cert RSA private key stored in the SAF database versus ICSF PKDS.

Stack Trace: IBMJCEHybridException: Object state does not permit failover.
Exception#0 java.security.InvalidKeyException: Key is not RSASSA-PSS compatible
Stack Trace:
    at com.ibm.crypto.hdwrCCA.provider.RSAPSSSignature.engineInitSign(RSAPSSSignature.java:99)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1337)
    at java.security.Signature.initSign(Signature.java:627)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.initSign(HybridSignature.java:1012)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.engineInitSign(HybridSignature.java:952)
    at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:141)
Local fix
Using the RSA software keys in the ICSF PKDS or RACF and loading them using JCEHYBRIDRACFKS or JCECCARACFKS can resolve the issue.
Problem summary
A TLS handshake error can happen when using IBMJCEHYBRID as the first security provider and using a JCECCARACFKS keystore with the cert RSA private key stored in the SAF database versus ICSF PKDS.
Problem conclusion
The RSA Software keys are translated properly to be processed by IBMJCEHYBRID to proceed with the TLS handshake.

This APAR will be fixed in the following Releases:

IBM Semeru Runtimes
    11              11.0.23.0
    17              17.0.11.0
IBM SDK, Java Technology Edition
    8 SR8 FP25      8.0.8.25

Downloads and supplementary documentation can be found at the following locations:
- For the z/OS operating system:
  - Java SDK Products on z/OS https://www.ibm.com/support/pages/java-sdk-products-zos
Temporary fix
Comments
APAR Information
APAR number
PH59794
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-02-14
Closed date
2024-02-15
Last modified date
2024-04-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
Document Information
Modified date:
21 April 2024