IBM Support

PI69042: SECURITY CRYPTO JAR FAILED WITH NOT SIGNED BY A TRUSTED SIGNER ERROR AFTER UPGRADE

Fixes are available

9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After WebSphere Application Server fix pack upgrade one of the
    security crypto jar failed with not signed by a trusted signer
    during wsadmin client invocation. These problem occurring on
    Sun spark system due to JSSE/JCE provider list order.
    
    ./wsadmin.sh
    WASX7023E: Error creating "SOAP" connection to host "localhost";
    exception information:
    com.ibm.websphere.management.exception.ConnectorNotAvailableExce
     ption:
    [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening
    socket: java.net.SocketException: java.lang.SecurityException:
    The Jar
    (/opt/IBM/WebSphere/AppServer85/plugins/com.ibm.ws.security.cryp
    to.jar) is not signed by a trusted signer;
    targetException=java.lang.IllegalArgumentException: Error
    opening socket: java.net.SocketException:
    java.lang.SecurityException: The Jar
    (/opt/IBM/WebSphere/AppServer85/plugins/com.ibm.ws.security.cryp
    to.jar) is not signed by a trusted signer]
    WASX7213I: This scripting client is not connected to a server
    process; please refer to the log file
    /opt/IBM/WebSphere/AppServer85/profiles/Dmgr01/logs/wsadmin.trac
    eout for additional information.
    WASX8011W: AdminTask object is not available.
    WASX7029I: For help, enter: "$Help help"
    wsadmin>
    

Local fix

  • Possible workaround to modify the
    WAS_HOME/java/jre/lib/security/java.security with provider list
    
    E.g.
    
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    :
    :
    security.provider.x=.......
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server on Sun Operating Systems when        *
    *                  FIPS140-2 is enabled.                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: The Jar                                 *
    *                      (/opt/IBM/WebSphere/AppServer85/plugins *
    *                      /com.ibm.ws.security.cryp               *
    *                      to.jar) is not signed by a trusted      *
    *                      signer is shown.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    There was a bug when WebSphere Application Server sets up
    Java's provider order causing the jar verification error. The
    issue happens on Sun OS when FIPS140-2 is enabled.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI69042

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-09-12

  • Closed date

    2016-09-27

  • Last modified date

    2016-10-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
18 October 2021