IBM Support

PK45677: "INVALID LIBRARY NAME" ERROR WHEN USING PKCS11 CLIENT KEYSTORE

Fixes are available

Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • An error occurs when trying to use PKCS11 type keystore with
a java client. The error message is "invalid library name"

The ssl.client.props is set to point to a configuration file
that points to the correct
library name for crypto device. Neither specifying the library
name in the  config file nor specifying the
library name directly works.

The java client's code is looking for a
keytype with the provider name.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server version     *
*                 6.1 users of PKCS11 type keystore            *
****************************************************************
* PROBLEM DESCRIPTION: An error occurs when trying to use      *
*                      PKCS11 type keystore with  a java       *
*                      client.                                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The error message is "invalid library name" The
ssl.client.props is set to point to a configuration file that
points  to the correct library name for the crypto device.
Neither specifying  the library name in the config file nor
specifying the library name directly works. The java client's
code is looking for a keytype with the provider name.

The keystore type constant for PKCS11 was not specifed
correctly, it was referencing the provider IBMPKCS11Impl
instead. Also, the LTPA code is using the provider list to
determine the JCE provider which causes a problem when SSL
acceleration is attempted as the IBMPKCS11Impl provider needs
to be placed in front of IBMJCE software provider in the
java.security file. A switch was added which can be specified
in the top level custom properties or system property as
com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA=true.

    



Problem conclusion


    

  • Correct the way the keystore type of PKCS11 causes ue to use
the hardware crypto keystore classes. Also, when the LTPA
property above is specified, force the IBMJCE provider so that
SSL and other crypto can use hardware acceleration. LTPA
cannot use hardware acceleration because the software keys for
LTPA do not implement java.security.interfaces.RSAPrivateCrtKey
which is required by many accelerator cards.

The fix for this APAR is currently targeted for inclusion
in fixpack 6.1.0.11.
Please refer to the recommended updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK45677
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    61A
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-05-22
    • 

  • Closed date
    2007-08-23
    • 

  • Last modified date
    2007-08-23
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • SECURITY

    



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    

  • R61A  PSY
       UP
    • 

  • R61H  PSY
       UP
    • 

  • R61I  PSY
       UP
    • 

  • R61P  PSY
       UP
    • 

  • R61S  PSY
       UP
    • 

  • R61W  PSY
       UP
    • 

  • R61Z  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback