IBM Support

SE77768 - OSP-CERT QYKMIMPORTKEYSTORE IMPORTS JAVA MANAGED CERTS AS CA


APAR (Authorized Program Analysis Report)

Abstract

OSP-CERT QYKMIMPORTKEYSTORE IMPORTS JAVA MANAGED CERTS AS CA

Error Description

An issue was identified when using the QykmExportKeyStore API to
create a PKCS12 file from a .KDB file, modifying the contents of
that file using Java, and then importing the keys and
certificates back into a .KDB file using the QykmImportKeyStore
API. Certificates that had private keys are incorrectly imported
as CA certificates without private keys.

Problem Summary

An issue was identified when using the QykmExportKeyStore API to
create a PKCS12 file from a .KDB file, modifying the contents of
that file using Java, and then importing the keys and
certificates back into a .KDB file using the QykmImportKeyStore
API. Certificates that had private keys are incorrectly imported
as CA certificates without private keys.

Problem Conclusion

The QykmImportKeyStore API was written to import PKCS12 files
that were generated with the QykmExportKeyStore API. When Java
stores the contents to a PKCS12 file, the certificates and keys
are stored in an order that the import code did not expect.
The import code has therefore been redesigned to improve the
association between keys and certificates during import.
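
The failure mode described above, as an added example that is not IBM's import code: a small model showing how pairing keys and certificates by bag position downgrades personal certificates to CA certificates once the bag order changes, while pairing by the PKCS#12 localKeyId attribute does not. The APAR does not describe the import algorithm, so the positional importer, the Bag type, the labels and both bag layouts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bag:
    kind: str                           # "key" or "cert"
    label: str                          # friendlyName of the entry
    local_key_id: Optional[str] = None  # PKCS#9 localKeyId linking key and cert

def import_by_position(bags):
    """Assumed fragile importer: a cert owns a key only if a key bag directly precedes it."""
    result, prev = {}, None
    for bag in bags:
        if bag.kind == "cert":
            has_key = prev is not None and prev.kind == "key"
            result[bag.label] = "personal" if has_key else "ca"
        prev = bag
    return result

def import_by_key_id(bags):
    """Order-independent importer: a cert owns a key if a key bag carries the same localKeyId."""
    key_ids = {b.local_key_id for b in bags if b.kind == "key" and b.local_key_id}
    return {b.label: "personal" if b.local_key_id in key_ids else "ca"
            for b in bags if b.kind == "cert"}

def downgraded(expected, actual):
    """Labels that should be personal certificates but were imported as CA certificates."""
    return sorted(l for l, t in expected.items()
                  if t == "personal" and actual.get(l) == "ca")

# Constructed layout: each key bag immediately followed by its certificate.
INTERLEAVED = [
    Bag("key", "server", "01"), Bag("cert", "server", "01"),
    Bag("key", "client", "02"), Bag("cert", "client", "02"),
    Bag("cert", "root-ca"),
]
# Constructed layout: same contents regrouped (not a capture of real Java output).
REGROUPED = [
    Bag("cert", "server", "01"), Bag("cert", "client", "02"),
    Bag("cert", "root-ca"),
    Bag("key", "server", "01"), Bag("key", "client", "02"),
]

EXPECTED = {"server": "personal", "client": "personal", "root-ca": "ca"}

if __name__ == "__main__":
    for name, bags in (("interleaved", INTERLEAVED), ("regrouped", REGROUPED)):
        print(name, "position:", downgraded(EXPECTED, import_by_position(bags)),
              "key-id:", downgraded(EXPECTED, import_by_key_id(bags)))
```

The same comparison of an expected inventory against the imported result is a useful check after any export, modify and re-import round trip of a key store.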

Temporary Fix

Comments

Circumvention


PTFs Available

R720 SI79677  1000

R730 SI79678  2335

R740 SI79679  2328

R750 SI79680  2321

Affected Modules


         
         

Affected Publications

Summary Information

Status............................  CLOSED PER
HIPER.............................  No
Component.........................  5770SS1DC
Failing Module....................  RCHMGR
Reported Release..................  R720
Duplicate Of......................  





Document Information

Modified date:
02 December 2022