IBM Support

IZ66903: HMAC-SHA256 ASSOC TYPE FAILS WITH NO-ENCRYPTION SESSION TYPE


APAR status

  • Closed as program error.

Error description

  • When an OpenID relying party requests an association from a TFIM
    OpenID provider (OP) with the no-encryption session type and the
    HMAC-SHA256 association type, TFIM incorrectly generates a 20-byte
    random key for the shared secret; for HMAC-SHA256 this should be
    a 32-byte key.
    

Local fix

  • Use the DH-SHA256 session type.
    

Problem summary

  • The plaintext key type was hard-coded to return a 20-byte
    key rather than check the association type. For HMAC-SHA256
    the key length needs to be 32 bytes.
    
    CMVC Defects:
    
    IZ66903
    IZ66903.1
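
The length rule described above can be checked from the relying-party side. The following is an added example, not IBM or TFIM code: it parses a no-encryption association response in OpenID key-value form and compares the decoded `mac_key` length with the length the association type requires. The function names and the sample responses are constructed for illustration.

```python
import base64
import binascii

# Shared-secret length required for each OpenID 2.0 association type.
EXPECTED_KEY_BYTES = {"HMAC-SHA1": 20, "HMAC-SHA256": 32}


def parse_kv(body):
    """Parse OpenID key-value form: one 'key:value' pair per line."""
    fields = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")  # values may contain ':'
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        fields[key] = value
    return fields


def check_association(body):
    """Return (ok, actual_len, expected_len) for a no-encryption response."""
    fields = parse_kv(body)
    if fields.get("session_type") != "no-encryption":
        raise ValueError("mac_key is only sent in the clear for no-encryption")
    assoc_type = fields.get("assoc_type")
    if assoc_type not in EXPECTED_KEY_BYTES:
        raise ValueError("unsupported assoc_type: %r" % assoc_type)
    try:
        key = base64.b64decode(fields.get("mac_key", ""), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("mac_key is not valid base64")
    expected = EXPECTED_KEY_BYTES[assoc_type]
    return len(key) == expected, len(key), expected


def sample_response(assoc_type, key_len):
    """Constructed sample response; the key is a fixed pattern, not a real secret."""
    mac_key = base64.b64encode(bytes(range(key_len))).decode("ascii")
    return (
        "ns:http://specs.openid.net/auth/2.0\n"
        "assoc_handle:constructed-handle\n"
        "session_type:no-encryption\n"
        "assoc_type:%s\n"
        "expires_in:3600\n"
        "mac_key:%s\n" % (assoc_type, mac_key)
    )
```

A response showing the behaviour in this APAR yields `(False, 20, 32)`; a relying party should reject such an association rather than sign or verify with the short key.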
    

Problem conclusion

  • The fix for this APAR will be contained in the following
    maintenance packages:
    Fix pack: 6.2.0-TIV-TFIM-FP0003
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ66903

  • Reported component name

    TIV FED ID MGR

  • Reported component ID

    5724L7300

  • Reported release

    620

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-12-16

  • Closed date

    2009-12-16

  • Last modified date

    2009-12-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV FED ID MGR

  • Fixed component ID

    5724L7300

Applicable component levels

  • R620 PSY

       UP


Document Information

Modified date:
29 December 2021