IBM Support

PI76235: JSSE BAD_RECORD_MAC ERROR WHEN CONFIGURED WITH IBMJCECCA

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: JSSE connections may fail with a bad_record_mac
error when the IBMJCECCA provider is configured for hardware
cryptography support.

Stack Trace: N/A

The bad_record_mac error can be observed in failing connections
by looking at the JSSE debug trace and seeing a bad_record_mac
error being sent.

Additional Symptoms:
This can affect any components that make use of affected Java
versions.

z/OSMF REST jobs intereface can been affected when submitting
jobs via text stream (not via dataset).  The error would be
demonstrated in the z/OSMF logs as:

500 server error with 'Connection reset'

INFO:About to send error response to the client:  JesException:
CATEGORY_SERVICE rc=8 reason=6 cause=java.io.IOException:
Unable to decrypt message

SEVERE:Error response could not be sent, servlet response is
already committed.  JesException:  JesException:
CATEGORY_UNEXPECTED rc=16 reason=1 cause=java.lang.
NullPointerException

In the z/OSMF FFDC logs:
Exception = javax.net.ssl.SSLException
Source = com.ibm.ws.channel.ssl.internal.SSLReadServiceContext
probeid = 118
Stack Dump = javax.net.ssl.SSLException: bad record MAC

Local fix

  • The IBMJCE provider can be configured instead of the IBMJCECCA
provider.

Problem summary

  • The problem is caused when the IBMJCECCA provider performs a
symmetric decryption operation. Incorrect use of an
Initialization Vector ( IV) may produce incorrect decrypted
clear text. In this case the first block of decrypted text will
be observed as incorrect and the rest of the decrypted data will
be correct. Since the decrypted data was incorrect JSSE fails
with a bad record mac.

Problem conclusion

  • The IBMJCECCA provider's symmetric decryption operations were
updated to use the correct IV value at all times and produce the
correct decrypted clear text.
.
This APAR will be fixed in the following Java Releases:
   7 R1 SR4 FP5   (7.1.4.5)
   6    SR16 FP45 (6.0.16.45)
   7    SR10 FP5  (7.0.10.5)
   6 R1 SR8 FP45  (6.1.8.45)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
Service Refreshes and Fix Packs can be found at:
           https://www.ibm.com/developerworks/java/jdk/

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI76235
    • 

  • Reported component name
    JAVA Z/OS 64
    • 

  • Reported component ID
    620700104
    • 

  • Reported release
    710
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-02-08
    • 

  • Closed date
    2017-02-08
    • 

  • Last modified date
    2017-03-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    JAVA Z/OS 64
    • 

  • Fixed component ID
    620700104
    • 



Applicable component levels


    

  • R710  PSY
       UP
    • 

  • R600  PSY
       UP
    • 

  • R700  PSY
       UP
    • 

  • R601  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"710","Edition":"","Line of Business":{"code":"LOB16","label":"Mainframe HW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"710","Edition":"","Line of Business":{"code":"","label":""}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            09 August 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback