IBM Support

ITM Agent Insights: APAR IJ03816 - ITCAM FOR DB2 MONITORING AGENT - UD - SHIPS WITH CERTIFICATES IN KUD_RESOURCES.JAR

Technical Blog Post


Abstract

ITM Agent Insights: APAR IJ03816 - ITCAM FOR DB2 MONITORING AGENT - UD - SHIPS WITH CERTIFICATES IN KUD_RESOURCES.JAR

Body

This blog post externalizes a known issue with the signing algorithm used for the DB2 monitoring agent certificates shipped in .jar files.

 

APAR IJ03816 - ITCAM FOR DB2 MONITORING AGENT - UD - SHIPS WITH CERTIFICATES IN KUD_RESOURCES.JAR

Installing application support for the latest UD agent maintenance interim fix, or for the latest UD agent release, results in errors in the TEP because the certificate files in kud_resources.jar are signed with the old MD5 signing algorithm.

This forces customers to manually re-sign the .jar files with the "jarsigner" utility so that a supported signing algorithm is used.

Version 7.1.0 Interim Fix 0005
07.10.00.05
7.1.0-TIV-ITM_DB2-IF0005
https://www-01.ibm.com/support/docview.wss?uid=swg24042674

Passport Advantage part number CNN24ML.
07.11.00.00
Tivoli Composite Application Manager Agent for DB2 7.1.1
http://www-01.ibm.com/support/docview.wss?uid=swg24044379

 

All currently available UD agent application support packages are signed with the MD5 algorithm.


Screenshot of error reported in TEP:
***
Application Blocked
Application Blocked by Security Settings
Name: kud_resources.jar TEP resource
Location: http://testsystem.com:15200
The Java security settings have prevented this application from running.
You may change this behavior in the Java Control Panel.
***

 

Running the "jarsigner" utility from a current Java release displays a warning indicating that the kud_resources.jar file will be treated as unsigned because its signing algorithm has been disabled:
***
- Signed by "CN=International Business Machines Corporation,
 OU="IBM Systems, Middleware", O=International Business
 Machines Corporation, L=Durham, ST=North Carolina, C=US"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is
 signed with a weak algorithm that is now disabled by the
 security property:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
***

 

For security reasons, Oracle has restricted the algorithms allowed for signing JARs.

Oracle JRE and JDK Cryptographic Roadmap
https://www.java.com/en/jre-jdk-cryptoroadmap.html
***
JAR files signed with MD5 algorithms are treated as unsigned
JARs.

Disabled SHA-1 in TLS Server certificate chains anchored by
roots included by default in Oracle's JDK; local or enterprise
CAs are not affected.

Time stamping in jarsigner requests SHA-256, rather than
SHA-1 by default.

Upcoming change mid-January 2018:
JAR files signed with DSA keys less than 1024 bits will be
treated as unsigned JARs.
***

 

The certificates are NOT expired: running jarsigner from an older version of Java validates the certificates shipped in kud_resources.jar and shows the certificate expiration date of 12/9/23:

[certificate is valid from 12/9/13 7:00 PM to 12/9/23 6:59 PM]

 

Workaround:
Contact IBM Support to have the .jar files re-signed.
Re-signing the .jar files updates the signature algorithm to use SHA1withRSA instead of MD5:

 

jarsigner.exe -verify -verbose -certs C:\kud_resources_resigned.jar

Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=Symantec Time Stamping Services Signer - G4,
  O=Symantec Corporation, C=US" on Mon Jul 24 17:09:04 UTC 2017
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
jar verified.
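To check a JAR against the jdk.jar.disabledAlgorithms policy quoted in the warning above, here is an added example (not from this post or from IBM) that parses jarsigner -verify -verbose -certs output and reports why the JAR would be treated as unsigned. The two abridged outputs shown in this post (the MD5withRSA original and the re-signed JAR) are embedded as constructed samples; the assess_jar helper and its use of jarsigner on PATH are assumptions.

```python
import re
import subprocess

# jdk.jar.disabledAlgorithms value as quoted in the jarsigner warning in this post
DISABLED = "jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024"

# Constructed samples, abridged from the two jarsigner outputs shown in this post
WEAK_OUTPUT = """\
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
"""
RESIGNED_OUTPUT = """\
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
jar verified.
"""

# Matches the JAR's own digest/signature lines; "Timestamp ..." lines do not match
LINE_RE = re.compile(r"^(Digest|Signature) algorithm: ([A-Za-z0-9-]+?)(?:with([A-Za-z]+))?"
                     r"(?: \(weak\))?(?:, (\d+)-bit key)?$")

def parse_disabled(prop):
    """Split the property into (set of disabled hash names, minimum RSA key size)."""
    names, min_rsa = set(), 0
    for entry in prop.split("=", 1)[1].split(","):
        entry = entry.strip()
        m = re.fullmatch(r"RSA keySize < (\d+)", entry)
        if m:
            min_rsa = int(m.group(1))
        elif entry:
            names.add(entry.replace("-", "").upper())
    return names, min_rsa

def assess(output, prop=DISABLED):
    """Return (treated_as_unsigned, reasons) for one jarsigner -verify -verbose -certs output."""
    names, min_rsa = parse_disabled(prop)
    reasons = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, hash_alg, key_alg, bits = m.groups()
        if hash_alg.replace("-", "").upper() in names:
            reasons.append(f"{kind} algorithm {hash_alg} is disabled")
        if key_alg and key_alg.upper() == "RSA" and bits and int(bits) < min_rsa:
            reasons.append(f"RSA key of {bits} bits is below {min_rsa}")
    return bool(reasons), reasons

def assess_jar(path):
    """Assumed helper: run the same jarsigner command as the post on a real JAR (JDK on PATH)."""
    out = subprocess.run(["jarsigner", "-verify", "-verbose", "-certs", path],
                         capture_output=True, text=True).stdout
    return assess(out)
```

The policy actually applied is the one in the java.security file of the JRE doing the verification, so pass that file's jdk.jar.disabledAlgorithms line as prop when it differs from the default quoted here.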

 

References:
How to verify the certificate of jar files?
https://developer.ibm.com/answers/questions/248576/how-to-verify-the-certificate-of-jar-files.html

 

Jarsigner utility:
https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html

 

Java SE Downloads
http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

DB2 Agent Java application's digital certification expired
http://www-01.ibm.com/support/docview.wss?uid=swg21639933

 

Tivoli Enterprise Portal (TEP) client jar file certificates expire April 16, 2016
http://www-01.ibm.com/support/docview.wss?uid=swg21972841

 

 

Submitter: drd401709
Compid: 5724B96DO

Additional ITM Agent Insights series of IBM Tivoli Monitoring Agent blogs are indexed under ITM Agent Insights: Introduction.


UID

ibm11083081