IBM Support

PI89624: CWWKS4106E: LTPA CONFIGURATION ERROR IN LIBERTY


APAR status

  • Closed as program error.

Error description

  • When using the IBM PKCS11Impl provider in java.security the
    following error occurs in WebSphere Liberty.
    
    CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file:
    /opt/libety17002/wlp/usr/servers/server1/resources/security/ltpa.keys
    
    FFDC starts with
    
    ------Start of DE processing------ = [10/20/17 9:27:33:950 EDT]
    Exception = java.security.InvalidKeyException
    Source = com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask
    probeid = 114
    Stack Dump = java.security.InvalidKeyException: Wrong format: RAW bytes needed
    at com.ibm.crypto.provider.aW.a(Unknown Source)
    at com.ibm.crypto.provider.aW.init(Unknown Source)
    at com.ibm.crypto.provider.AbstractBufferingCipher.engineInit(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at com.ibm.ws.crypto.ltpakeyutil.LTPACrypto.createCipher(LTPACrypto.java:595)
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty with PKCS11 configuration    *
    ****************************************************************
    * PROBLEM DESCRIPTION: LTPA operation fails due to PKCS11      *
    *                      configuration in java.security          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    PKCS11 Providers are often configured in order to use a hardware
    crypto device.  When a PKCS11 provider is configured in the
    java.security file with preference higher than IBMJCE (or
    SUN/SunJCE/SunJSSE), the following error occurs in WebSphere
    Liberty:
    
    CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file:
    /opt/libety17002/wlp/usr/servers/server1/resources/security/ltpa.keys
    
    -- Sample FFDC from scenario when IBM PKCS11Impl is used --
    
    ------Start of DE processing------ = [10/20/17 9:27:33:950 EDT]
    Exception = java.security.InvalidKeyException
    Source = com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask
    probeid = 114
    Stack Dump = java.security.InvalidKeyException: Wrong format: RAW bytes needed
    at com.ibm.crypto.provider.aW.a(Unknown Source)
    at com.ibm.crypto.provider.aW.init(Unknown Source)
    at com.ibm.crypto.provider.AbstractBufferingCipher.engineInit(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at com.ibm.ws.crypto.ltpakeyutil.LTPACrypto.createCipher(LTPACrypto.java:595)
    

Problem conclusion

  • The code fails to obtain the necessary crypto object for LTPA
    operation when the PKCS11 provider is defined in the
    java.security file with preference higher than IBMJCE.
    This APAR ensures that IBMJCE is used as the provider for LTPA
    operation when the IBMJCE provider is configured.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
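
A configuration check for the condition described above, added here as an example and not IBM's code: it reads the text of a java.security file and reports any PKCS11 provider listed with a higher preference than the software JCE provider. The sample file contents and the /opt/hsm/pkcs11.cfg path are constructed, and matching on "pkcs11" in the class name is an assumption of this example.

```python
import re

# "security.provider.<N>=<class> [config file]" entry in java.security.
# Commented-out entries ("#security.provider...") do not match the anchor.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

# Software providers named on this page; matched on the class's simple name.
SOFTWARE_JCE = ("IBMJCE", "SunJCE")


def provider_order(text):
    """Return [(preference, class_name)] sorted by preference (1 = highest)."""
    entries = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            # A repeated key overrides the earlier one, as in java.util.Properties.
            entries[int(m.group(1))] = m.group(2)
    return sorted(entries.items())


def pkcs11_ahead_of_jce(text):
    """Return the PKCS11 providers ranked ahead of the first software JCE provider."""
    order = provider_order(text)
    jce = [pref for pref, cls in order if cls.rsplit(".", 1)[-1] in SOFTWARE_JCE]
    if not jce:
        return []  # no software JCE provider configured; nothing to compare against
    return [(pref, cls) for pref, cls in order
            if "pkcs11" in cls.lower() and pref < min(jce)]


# Constructed samples (not taken from the APAR); the .cfg path is a placeholder.
AFFECTED = """\
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /opt/hsm/pkcs11.cfg
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
"""
DEFAULT_ORDER = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /opt/hsm/pkcs11.cfg
"""

if __name__ == "__main__":
    for name, text in (("AFFECTED", AFFECTED), ("DEFAULT_ORDER", DEFAULT_ORDER)):
        hits = pkcs11_ahead_of_jce(text)
        print(name, "-> PKCS11 ahead of JCE:", hits or "none")
```

The file shows the static order only; providers inserted at run time with Security.insertProviderAt do not appear in it.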
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI89624

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-10-31

  • Closed date

    2018-04-13

  • Last modified date

    2018-04-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • R850 PSY

       UP


Document Information

Modified date:
17 June 2020