IBM Support

PH64354: IBMJCEHYBRID FAILS TO PERFORM FAILOVER FOR SECURERANDOM WHEN ICSF IS NOT AVAILABLE


APAR status

  • Closed as program error.

Error description

  • Error Message: IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed.
    Exception.getMessage() returns: Exception#0
    java.lang.UnsupportedOperationException: Hardware error, function engineGenerateSeed has no meaning in hardware
    OR
    Caused by: IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed.
    Exception#0
    com.ibm.crypto.hdwrCCA.provider.JCECCARuntimeException: Hardware error from call CSNBRNG returnCode 12 reasonCode 0
    .
    Stack Trace: java.security.SecureRandom.generateSeed() does not work any longer, it throws an:
    IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed.
    Exception.getMessage() returns: Exception#0
    java.lang.UnsupportedOperationException: Hardware error, function engineGenerateSeed has no meaning in hardware
    OR
    Caused by: IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed.
    Exception#0
    com.ibm.crypto.hdwrCCA.provider.JCECCARuntimeException: Hardware error from call CSNBRNG returnCode 12 reasonCode 0
    Stack Trace:
            at com.ibm.crypto.hdwrCCA.provider.SecureRandom.engineNextBytes(SecureRandom.java:127)
            at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:790)
            at com.ibm.crypto.ibmjcehybrid.provider.HybridSecureRandom.nextBytes(HybridSecureRandom.java:497)
            at com.ibm.crypto.ibmjcehybrid.provider.HybridSecureRandom.nextBytes(HybridSecureRandom.java:556)
            at com.ibm.crypto.ibmjcehybrid.provider.HybridSecureRandom.engineNextBytes(HybridSecureRandom.java:459)
            at com.ibm.crypto.ibmjcehybrid.provider.IBMSecureRandomHybrid.engineNextBytes(IBMSecureRandomHybrid.java:25)
            at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:790)
            at java.base/java.util.UUID.randomUUID(UUID.java:153)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl$ServerIdHolder$1.run(WsLocationAdminImpl.java:510)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl$ServerIdHolder$1.run(WsLocationAdminImpl.java:489)
            at java.base/java.security.AccessController.doPrivileged(AccessController.java:692)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl$ServerIdHolder.readOrWriteId(WsLocationAdminImpl.java:489)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl$ServerIdHolder.getServerId(WsLocationAdminImpl.java:465)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl$ServerIdHolder.<clinit>(WsLocationAdminImpl.java:446)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl.getServerId(WsLocationAdminImpl.java:575)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl.<init>(WsLocationAdminImpl.java:344)
            at com.ibm.ws.kernel.service.location.internal.WsLocationAdminImpl.createLocations(WsLocationAdminImpl.java:109)
            at com.ibm.ws.kernel.service.location.internal.Activator.start(Activator.java:69)
            at org.eclipse.osgi.internal.framework.BundleContextImpl$2.run(BundleContextImpl.java:818)
            at org.eclipse.osgi.internal.framework.BundleContextImpl$2.run(BundleContextImpl.java:1)
            at java.base/java.security.AccessController.doPrivileged(AccessController.java:748)
            at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:810)
            at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:767)
            at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1032)
            at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:371)
            at org.eclipse.osgi.container.Module.doStart(Module.java:605)
            at org.eclipse.osgi.container.Module.start(Module.java:468)
            at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel$2.run(ModuleContainer.java:1852)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
            at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
            at java.base/java.lang.Thread.run(Thread.java:1595)
    .
    The issue happens only if ICSF is unavailable and IBMJCEHYBRID
    is the first provider.
    

Local fix

  • The error can be avoided by removing IBMJCEHYBRID from the
    provider list.
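
A diagnostic for the condition this APAR describes, as an added example that is not IBM's code: it reports where IBMJCEHYBRID sits in the provider list, exercises the two SecureRandom calls from the error description, and applies the local fix at runtime if they fail. The class name HybridRandomCheck is hypothetical, and it is an assumption that the provider registers under the name as spelled on this page.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

// Added example. HYBRID is the provider name as spelled in the APAR; the match is
// case-insensitive because the exact registered name is an assumption.
public class HybridRandomCheck {
    static final String HYBRID = "IBMJCEHYBRID";

    // 1-based position of the hybrid provider in the preference order, 0 if absent.
    static int hybridPosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().equalsIgnoreCase(HYBRID)) return i + 1;
        }
        return 0;
    }

    // Exercises both calls named in the APAR; returns null on success, else the failure text.
    static String probe() {
        try {
            SecureRandom rng = new SecureRandom();
            System.out.println("SecureRandom provider: " + rng.getProvider().getName()
                    + ", algorithm: " + rng.getAlgorithm());
            rng.nextBytes(new byte[16]);   // call made by UUID.randomUUID() in the trace
            rng.generateSeed(8);           // call reported as UnsupportedOperationException
            return null;
        } catch (RuntimeException e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        int pos = hybridPosition();
        System.out.println(HYBRID + " position in provider list: " + (pos == 0 ? "absent" : pos));
        String failure = probe();
        if (failure == null) { System.out.println("SecureRandom OK"); return; }
        System.out.println("SecureRandom FAILED: " + failure);
        if (pos == 0) { System.exit(1); }  // failing for a reason other than this APAR
        // Local fix from the APAR, applied at runtime to this JVM only.
        Security.removeProvider(Security.getProviders()[pos - 1].getName());
        failure = probe();
        System.out.println(failure == null ? "SecureRandom OK after removing " + HYBRID
                                           : "Still failing: " + failure);
        System.exit(failure == null ? 0 : 2);
    }
}
```

In the stack trace above the failing call is UUID.randomUUID() during server startup, so a runtime removal only helps code that runs after it. Removing the provider from the JVM's configured provider list takes effect from JVM start.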
    

Problem summary

  • If IBMJCEHYBRID is first in the security provider list and ICSF
    is not available, users may see an IBMJCEHYBRID failover
    exhausted exception regarding SecureRandom.
    

Problem conclusion

  • The IBMJCEHYBRID has been updated to handle the SecureRandom
    selection process when ICSF is unavailable.
    .
    This APAR will be fixed in the following Releases:
    .
    IBM Semeru Runtimes
       21              21.0.6.0
    .
    Downloads and supplementary documentation can be found at the
    following locations:
    - For the z/OS operating system:
      - Java SDK Products on z/OS
        https://www.ibm.com/support/pages/java-sdk-products-zos
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH64354

  • Reported component name

    JAVA Z/OS 64

  • Reported component ID

    620700104

  • Reported release

    L00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-11-29

  • Closed date

    2024-11-30

  • Last modified date

    2024-11-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA Z/OS 64

  • Fixed component ID

    620700104

Applicable component levels


Document Information

Modified date:
30 November 2024