IBM Support

PI76235: JSSE BAD_RECORD_MAC ERROR WHEN CONFIGURED WITH IBMJCECCA

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: JSSE connections may fail with a bad_record_mac
    error when the IBMJCECCA provider is configured for hardware
    cryptography support.
    
    Stack Trace: N/A
    
    The bad_record_mac error can be observed in failing connections
    by looking at the JSSE debug trace and seeing a bad_record_mac
    error being sent.
    
    Additional Symptoms:
    This can affect any components that make use of affected Java
    versions.
    
    z/OSMF REST jobs intereface can been affected when submitting
    jobs via text stream (not via dataset).  The error would be
    demonstrated in the z/OSMF logs as:
    
    500 server error with 'Connection reset'
    
    INFO:About to send error response to the client:  JesException:
    CATEGORY_SERVICE rc=8 reason=6 cause=java.io.IOException:
    Unable to decrypt message
    
    SEVERE:Error response could not be sent, servlet response is
    already committed.  JesException:  JesException:
    CATEGORY_UNEXPECTED rc=16 reason=1 cause=java.lang.
    NullPointerException
    
    In the z/OSMF FFDC logs:
    Exception = javax.net.ssl.SSLException
    Source = com.ibm.ws.channel.ssl.internal.SSLReadServiceContext
    probeid = 118
    Stack Dump = javax.net.ssl.SSLException: bad record MAC
    

Local fix

  • The IBMJCE provider can be configured instead of the IBMJCECCA
    provider.
    

Problem summary

  • The problem is caused when the IBMJCECCA provider performs a
    symmetric decryption operation. Incorrect use of an
    Initialization Vector ( IV) may produce incorrect decrypted
    clear text. In this case the first block of decrypted text will
    be observed as incorrect and the rest of the decrypted data will
    be correct. Since the decrypted data was incorrect JSSE fails
    with a bad record mac.
    

Problem conclusion

  • The IBMJCECCA provider's symmetric decryption operations were
    updated to use the correct IV value at all times and produce the
    correct decrypted clear text.
    .
    This APAR will be fixed in the following Java Releases:
       7 R1 SR4 FP5   (7.1.4.5)
       6    SR16 FP45 (6.0.16.45)
       7    SR10 FP5  (7.0.10.5)
       6 R1 SR8 FP45  (6.1.8.45)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI76235

  • Reported component name

    JAVA Z/OS 64

  • Reported component ID

    620700104

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-08

  • Closed date

    2017-02-08

  • Last modified date

    2017-03-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA Z/OS 64

  • Fixed component ID

    620700104

Applicable component levels

  • R710 PSY

       UP

  • R600 PSY

       UP

  • R700 PSY

       UP

  • R601 PSY

       UP

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"710","Edition":"","Line of Business":{"code":"LOB16","label":"Mainframe HW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"710","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
09 August 2022