APAR status
Closed as program error.
Error description
Error Message: When the IBMJCEHYBRID provider is configured and an application uses GCM mode, both the underlying IBMJCE and IBMJCECCA providers may fail, causing an exception to be thrown. An IBMJCEHYBRID exception occurs to indicate that the GCM mode is not supported.

This error has been observed when attempting to connect to z/OSMF via a browser. z/OSMF customers should refer to APAR PI84402 for workarounds.

Stack Trace:

Exception in thread "main" IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed.

Exception#0 java.lang.IllegalStateException: (4) This method is not supported in GCM mode.
Stack Trace:
    at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineUpdate(AESCipher.java:401)
    at javax.crypto.Cipher.update(Unknown Source)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2165)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2328)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2328)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineUpdate(HybridCipher.java:2070)
    at javax.crypto.CipherSpi.a(Unknown Source)
    at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
    at javax.crypto.Cipher.doFinal(Unknown Source)
    at TestFail3.main(TestFail3.java:45)

Exception#1 java.security.ProviderException: engineUpdate not supported for AES/GCM; only engineDoFinal is supported
Stack Trace:
    at com.ibm.crypto.provider.AESGCMCipher.engineUpdate(Unknown Source)
    at javax.crypto.Cipher.update(Unknown Source)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2165)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2328)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2328)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.update(HybridCipher.java:2328)
    at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineUpdate(HybridCipher.java:2070)
    at javax.crypto.CipherSpi.a(Unknown Source)
    at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
    at javax.crypto.Cipher.doFinal(Unknown Source)
    at TestFail3.main(TestFail3.java:45)
Local fix
There are two possible workarounds for this issue:

1. The IBMJCEHYBRID provider can be removed from the SDK runtime environment and another provider configured instead. Other providers that may be configured include the IBMJCE, IBMJCECCA, or IBMPKCS11Impl providers.

2. The application can be modified so that it does not use GCM mode. For example, if the application uses SSL or TLS connections, the GCM mode ciphers can be removed from either the client or the server so that GCM mode is not used by those connections.
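The second workaround on a TLS client, as an added example that is not IBM's code: it reports whether the hybrid provider is registered and applies the default cipher suite list with every GCM suite filtered out. The class and method names are hypothetical, and the provider name is the one this APAR uses, compared case-insensitively because the exact registered casing is an assumption.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Hypothetical helper class, not part of the IBM SDK.
public class NoGcmTls {

    // True when a provider with the name used in this APAR is registered.
    // Case-insensitive match: the exact registered casing is an assumption.
    static boolean hybridProviderRegistered() {
        for (Provider p : Security.getProviders()) {
            if (p.getName().equalsIgnoreCase("IBMJCEHYBRID")) {
                return true;
            }
        }
        return false;
    }

    // Return the given suites with every GCM suite removed, order preserved.
    static String[] withoutGcm(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!s.contains("_GCM_")) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("IBMJCEHYBRID registered: " + hybridProviderRegistered());

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(withoutGcm(params.getCipherSuites()));

        // Unconnected socket: no network I/O, it only shows the effective suite list.
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            sock.setSSLParameters(params);
            for (String s : sock.getEnabledCipherSuites()) {
                System.out.println(s);
            }
        }
    }
}
```

With the GCM suites removed, TLS 1.2 connections typically negotiate CBC-mode suites instead, so this setting is best treated as interim until a fixed service refresh is installed.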
Problem summary
The JCE framework incorrectly handles the exception types that are returned to it from the IBMJCEHYBRID provider.
Problem conclusion
The IBMJCEHYBRID provider has been updated to throw exceptions that the JCE framework expects to occur. Once the IBMJCEHYBRID provider throws this expected type of exception, the JCE framework code is able to correctly handle calls to the GCM cipher method such that the unsupported doUpdate() method of the underlying IBMJCECCA or IBMJCE provider is not called by the JCE framework.

This APAR will be fixed in the following Java Releases:

8 SR4 FP10 (8.0.4.10)
7 R1 SR4 FP10 (7.1.4.10)
7 SR10 FP10 (7.0.10.10)

which will be available in the July 2017 month-end PTFs.

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
PI84229
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-07-10
Closed date
2017-07-18
Last modified date
2017-11-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
R700 PSY
UP
R710 PSY
UP
R800 PSY
UP
Document Information
Modified date:
09 August 2022