APAR status
Closed as program error.
Error description
SEE APAR PK59178 for background information. That APAR did not fully resolve the problem it attempted to solve. Certificates stored in RACF keyrings (JCERACFKS) which share a "Subject Name" with other certificates in the same ring may be incorrectly identified by the JVM and may be used interchangeably. This can lead to encryption failures. Specifically, EKM unwrap operations may fail with a 0xEE31 return code and a "null" error message. An audit log example is:

outcome=[result=unsuccessful] event type=SECURITY_RUNTIME message= ***Error: null. ErrorCode=0xEE31

If the debug log is activated, the following entry will be seen at the same time as the audit failure:

Crypto.class DecryptKey4 RETURN Exception: null

In SR11, a change was made to check the Serial Number of a certificate in addition to the Subject Name. This resolved the majority of the problem. However, if two different issuers provided certificates to the same Subject, and both used the same serial number, then the problem still exists. This APAR addresses the problem where two certificates in the same keystore/keyring share the same "Subject Name" and the same "Serial Number" and differ by their "Issuer Name". According to Internet RFC 4158, the "Issuer DN" and the "Serial Number" uniquely identify a certificate. After the application of the fix for this APAR, those two fields will be checked.

VERIFICATION STEPS: List the keystore involved. If two certificates share the same Subject Name and the same Serial Number, then you are affected by this error. Upgrade immediately to prevent data from being encrypted using the wrong keys. Views from Java keystore displays (such as within EKM) may confuse the data from the two conflicting certificates. Two certificates may appear to share the same fingerprint information. These views should not be trusted while this bug is in effect.
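The verification step above, as an added example that is not part of the APAR text: a Python script that parses keytool -list -v style output and groups the entries by the (Subject, Serial number) pair the pre-fix lookup keyed on, beside the (Issuer, Serial number) pair checked after the fix. The listing, aliases and names are constructed sample data; the keytool field labels (Alias name, Owner, Issuer, Serial number) are assumed.

```python
"""Find keyring entries that a pre-fix JCERACFKS lookup would confuse.

Groups `keytool -list -v` style entries by the identity the pre-fix code
used (Subject + Serial number) and by the identity used after this APAR
(Issuer + Serial number). Any group with more than one alias is ambiguous.
"""
import re
from collections import defaultdict

# Constructed sample listing in the keytool -list -v layout (not real data).
SAMPLE_LISTING = """\
Alias name: tapekey1
Entry type: trustedCertEntry

Owner: CN=EKM Tape Key, OU=Storage, O=Example Corp
Issuer: CN=Example Internal CA, O=Example Corp
Serial number: 1001

Alias name: tapekey2
Entry type: trustedCertEntry

Owner: CN=EKM Tape Key, OU=Storage, O=Example Corp
Issuer: CN=Example Partner CA, O=Partner Inc
Serial number: 1001

Alias name: mgmt
Entry type: trustedCertEntry

Owner: CN=Mgmt Console, O=Example Corp
Issuer: CN=Example Internal CA, O=Example Corp
Serial number: 2002
"""

def parse_listing(text):
    """Return one dict (alias, owner, issuer, serial) per keystore entry."""
    entries = []
    for block in re.split(r"\n(?=Alias name:)", text.strip()):
        fields = dict(re.findall(
            r"^(Alias name|Owner|Issuer|Serial number): (.*)$", block, re.M))
        entries.append({"alias": fields["Alias name"], "owner": fields["Owner"],
                        "issuer": fields["Issuer"], "serial": fields["Serial number"]})
    return entries

def ambiguous_groups(entries, key_fields):
    """Map each identity tuple to the aliases sharing it; keep only collisions."""
    groups = defaultdict(list)
    for e in entries:
        groups[tuple(e[f] for f in key_fields)].append(e["alias"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def check_keyring(text):
    entries = parse_listing(text)
    pre_fix = ambiguous_groups(entries, ("owner", "serial"))    # identity before this APAR
    post_fix = ambiguous_groups(entries, ("issuer", "serial"))  # identity after the fix
    return pre_fix, post_fix

if __name__ == "__main__":
    pre, post = check_keyring(SAMPLE_LISTING)
    for (owner, serial), aliases in pre.items():
        print(f"AFFECTED: {aliases} share Subject={owner!r} Serial={serial}")
    print("collisions under Issuer+Serial:", post or "none")
```

A non-empty pre-fix result on a real listing means the keyring is affected; the displayed fingerprints should not be used to tell the entries apart until the fix is applied.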
Local fix
Contact Java Level 2 to obtain an interim fix for this issue until SR12 is available. Once the fix is applied, certificates will be correctly identified. keytool and EKM list operations should now agree with the certificate data from the RACDCERT command. (Aliases and labels should map to their appropriate internal certificate data.) This does not mean that tapes encrypted during the period of multiple keys (and indeterminacy) will immediately be readable. EKM may have incorrectly encrypted tapes with one key, while recording the label of another.
Problem summary
When two certificates issued by different CAs have the same subject name and the same serial number, the public key of the wrong certificate is retrieved while using the JCERACFKS/JCE4758RACFKS keystore.
Problem conclusion
In the certpath construction, the Issuer Distinguished Name (in addition to Subject name and Serial number) is now also taken into account, which resolves the problem. There are two defects associated with this APAR: a) Defect 139695 is for JCE4758 provider code changes; b) Defect 140272 is for JCE provider code changes.
Temporary fix
Comments
APAR Information
APAR number
PK70752
Reported component name
JAVA(1.X) Z/OS
Reported component ID
5648C9801
Reported release
140
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2008-08-19
Closed date
2008-09-04
Last modified date
2008-09-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA(1.X) Z/OS
Fixed component ID
5648C9801
Applicable component levels
R142 PSN
UP
Document Information
Modified date:
04 September 2008