APAR status
Closed as program error.
Error description
Error Message: javax.crypto.ShortBufferException: Output buffer too short for GCM mode encryption because it must accommodate padding characters and the Authentication Tag. 4096 bytes given, 4097 bytes needed. or javax.crypto.ShortBufferException: Output buffer too small . Stack Trace: IBMJCEHybridException: Failover exhausted, all registered providers attempted and failed. Exception#0 javax.crypto.ShortBufferException: Output buffer too short for GCM mode encryption because it must accommodate padding characters and the Authentication Tag. 4096 bytes given, 4098 bytes needed. Stack Trace: at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineDoFinal(AESCiphe r.java:1343) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:2921) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:3053) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:3053) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineDoFinal( HybridCipher.java:2793) at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.n.a(n.java:358) at com.ibm.jsse2.e.a(e.java:30) at com.ibm.jsse2.e.a(e.java:55) at com.ibm.jsse2.t.a(t.java:42) at com.ibm.jsse2.aq.a(aq.java:488) at com.ibm.jsse2.aq.c(aq.java:185) at com.ibm.jsse2.aq.wrap(aq.java:101) at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:33) at com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext.encryptMe ssage(SSLWriteServiceContext.java:640) ... at java.lang.Thread.run(Thread.java:795) Exception#1 javax.crypto.ShortBufferException: Output buffer too small Stack Trace: at com.ibm.crypto.provider.aA.a(Unknown Source) at com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:2921) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:3053) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:3053) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.doFinal(Hybrid Cipher.java:3053) at com.ibm.crypto.ibmjcehybrid.provider.HybridCipher.engineDoFinal( HybridCipher.java:2793) at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) .... (more details in messages.log file attached, reached RTC description limit) .
Local fix
Please add "GCM" to the jdk.tls.disabledAlgorithms property in the <java home>/lib/security/java.security file please. Please Note that z/OSMF override the java.security file with jvm.security.override.properties in directory /usr/lpp/zosmf/defaults/servers/zosmfServer Other products may do something similar. In this case the workaround will need to be applied to the override. Applying the workaround should result in the following or similar (depending on any additional user changes) String: (Note that the following 2 lines is a single line) jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224, GCM This will remove the GCM Cipher Suite. The encryption, as a result of this change, will be only marginally weakened but still sufficiently strong. An alternative workround is to disable the GCM Cipher in the browser.
Problem summary
The framework (ibmjcefw) attempts to reuse the IBMJCEHybrid Cipher object after the exception without reinitializing it, which fails.
Problem conclusion
IBMJCEHybrid was modified so that when this exception was received it would reset the cipher object. For reference, the documentation https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.ht ml#doFinal(byte[], int, int, byte[]) does Note that this reset might be necessary. . This APAR will be fixed in the following Java Releases: 8 SR5 FP10 (8.0.5.10) 7 SR10 FP20 (7.0.10.20) 7 R1 SR4 FP20 (7.1.4.20) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
PI93233
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-02-01
Closed date
2018-02-01
Last modified date
2018-07-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Edition":"","Line of Business":{"code":"LOB16","label":"Mainframe HW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
09 August 2022