A fix is available
APAR status
Closed as program error.
Error description
DB2DDF DDFL09 DB2DRDA defect pm17561 dpm17561 143193 d143193 IBM Data Server driver for SQLJ and JDBC type 4 connections using encrypted userid/password security mechanisms fail when connecting to a DB2 9 for z/OS NFM server. The following error was encountered at the client: . 2010-06-13 03:59:58,901 ERROR - com.ibm.db2.jcc.am.SqlException: [jcc][t4][10262][11223][3.57.110] Unexpected Throwable caught: Unsupported keysize or algorithm parameters. ERRORCODE=-4228, SQLSTATE=null Caused by: java.lang.SecurityException: Unsupported keysize or algorithm parameters at javax.crypto.Cipher.init(DashoA12275) at com.ibm.db2.jcc.am.nc.a(nc.java:551) at com.ibm.db2.jcc.am.nc.a(nc.java:497) at com.ibm.db2.jcc.t4.b.E(b.java:2415) at com.ibm.db2.jcc.t4.b.G(b.java:5149) . The error was enountered because DB2 z/OS V9 NFM defaults to AES encryption and the JDBC client did not have the proper policy files in place for the "The IBM Software Development Kit for the Java 2 Technology Platform" (aka JDK) to support AES encryption. The fix this, the DB2 z/OS V9 NFM will be changed to default to use DES encryption. ************************************** Additional keywords and symptoms: Sun JDK/JRE users may receive: ERRORCODE=-4223 java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) IBM JDK/JRE users may receive: ERRORCODE=-4221 java.security.InvalidKeyException: Illegal key size. JCCT4 JCCV30773 JCCV35295 or JCCV40273
Local fix
IBM Data Server Driver for JDBC and SQLJ clients will need to update the JCE (Java Cryptography Extension) with the "Unrestricted Policy Files" before using AES encryption. You can obtain the "Unrestricted Policy Files" at the following URL: http://www.ibm.com/developerworks/java/jdk/security/index.html
Problem summary
**************************************************************** * USERS AFFECTED: All Distributed Data Facility (DDF) users. * * Specifically those that uses the IBM Data * * Server Driver for JDBC and SQLJ version * * V9.1 FP5/V9.5 FP2 (or higher) Type4 * * connectivity specifying a security * * mechanism that encrypts the user ID and * * password when accessing a DB2 9 for z/OS * * NFM server. * **************************************************************** * PROBLEM DESCRIPTION: Remote client applications that use * * the IBM Data Server Driver for JDBC * * and SQLJ version V9.1 FP5/V9.5 FP2 * * (or higher) Type4 connectivity * * specifying a security mechanism that * * encrypts the user ID and password may * * receive the following error conditions * * when accessing a DB2 9 for z/OS NFM * * server: * * . ERRORCODE=-4223 due to * * java.securityInvalidAlgorithm- * * ParameterException: Prime size must * * be multiple of 64, and can only * * range from 512 to 1024 (inclusive) * * . ERRORCODE=-4221 due to * * java.security.InvalidKeyException: * * Illegal key size. * **************************************************************** * RECOMMENDATION: * **************************************************************** DB2 9 for z/OS APAR PK56287 introduced AES support for encryption and decryption processing of the user ID/password during remote connection processing. Requester and server support was provided. Specifically, for server support, when DB2 detects that the remote client driver is capable of supporting AES and if the client did not specifically request the use of a particular encryption algorithm (DES or AES), DB2 will automatically request the client driver to use AES (the strongest encryption strength between DES and AES) to encrypt the user ID/password during remote connection processing. However, if the remote client system is using the IBM Data Server Driver for JDBC and SQLJ version 9.1FP5/9.5FP2 (or higher) to access DB2, the client application may either receive the java.security.InvalidAlgorithmParameterException ERRORCODE=-4223 or java.security.InvalidKeyException ERRORCODE=-4221. This occurs because the client system's Java environment is not properly configured to use AES, yet the client driver is indicating to DB2 that it is capable of supporting AES.
Problem conclusion
DB2 9 for z/OS server processing has been changed to no longer favor AES as the encryption algorithm for security credentials when a remote client does not explicitly specify an encryption algorithm to use. After applying this change, AES will no longer be utilized as an implied default encryption algorithm. Therefore, to insure that the necessary AES protection of security credentials continues to be utilized, and for cases where AES is not currently being utilized but its use is desired, IBM recommends that users perform the following actions before applying this change: o Determine all remote clients that encrypt security credentials when accessing DB2 by enabling the IFCID319 audit trace record and examine these fields: . QW0319IPA - IP address (internal form) of remote client . QW0319PRT - Port (internal form) of remote client . QW0319FL - Status byte where '40'X means AES is used, and '00'X means DES is used. o For those client system(s) identified by the IFCID319 record(s), insure that the necessary client system related environmental and configurational conditions are set up to explicity require AES (if desired). For Java applications using the IBM Data Server Driver for JDBC and SQLJ type 4 connectivity: . Ensure the Java Cryptography Extension (JCE) Unlimited Jurisdiction Policy files are installed in the Java environment where the Java application program(s) run. . The JDBC DataSource property, encryptionAlgorithm, needs to be set to 2 (AES). For non-Java DB2 clients for Linux, UNIX, and Windows users: . CLP and embedded SQL clients, the AUTHENTICATION type for the remote database entry in the system database directory needs to be set to SERVER_ENCRYPT_AES. . CLI/ODBC applications, the ClientEncAlg configuration keyword in the db2cli.ini file or the equivalent environment or connection attribute, SQL_ATTR_CLIENT_ENCALG, needs to be set to 2 (or AES). Similarly, you can also set the Authentication configuration keyword with the value of "SERVER_ENCRYPT_AES" in the Data Source section of the db2cli.ini file for the given data source, or in a connection string, or in the db2dsdriver.cfg configuration file. . DB2 .NET Data Provider applications, the DB2ConnectionStringBuilder.ClientEncAlg property needs to be set to "AES".
Temporary fix
Comments
APAR Information
APAR number
PM17561
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-06-30
Closed date
2010-08-16
Last modified date
2010-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK59709
Modules/Macros
DSNLTSEC
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
R910 PSY UK59709
UP10/09/01 P F008
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEPEK","label":"Db2 for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 September 2010