APAR status
Closed as program error.
Error description
Error Message, as reported by customer: n/a

Stack Trace, if applicable:

Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    at com.ibm.jsse2.ab.<init>(ab.java:87)
    at com.ibm.jsse2.cb.a(cb.java:675)
    at com.ibm.jsse2.cb.a(cb.java:536)
    at com.ibm.jsse2.bb.t(bb.java:153)
    at com.ibm.jsse2.bb.a(bb.java:182)
    at com.ibm.jsse2.sc.a(sc.java:567)
    at com.ibm.jsse2.sc.h(sc.java:277)
    at com.ibm.jsse2.sc.a(sc.java:485)
    at com.ibm.jsse2.i.write(i.java:25)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:94)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:152)
    at java.io.DataOutputStream.flush(DataOutputStream.java:135)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:242)
    ... 34 more
Caused by: java.security.NoSuchAlgorithmException: IbmTls12RsaPremasterSecret KeyGenerator not available
    at javax.crypto.KeyGenerator.<init>(Unknown Source)
    at javax.crypto.KeyGenerator.getInstance(Unknown Source)
    at com.ibm.jsse2.nb.e(nb.java:126)
    at com.ibm.jsse2.ab.<init>(ab.java:31)
    ... 46 more

Other Error Information, as reported by customer: N/A
Local fix
Set the security property jdk.certpath.disabledAlgorithms with DSA keySize < 1024.
Problem summary
Setting security property jdk.certpath.disabledAlgorithms with DSA keySize < 2048 causes javax.net.ssl.SSLKeyException: RSA premaster secret error

ERROR DESCRIPTION:

JSSE experienced the exception below, in spite of the fact that the IBMJCE crypto provider supports a KeyGenerator for the IbmTls12RsaPremasterSecret key type.

Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    at com.ibm.jsse2.ab.<init>(ab.java:87)
    at com.ibm.jsse2.cb.a(cb.java:675)
    at com.ibm.jsse2.cb.a(cb.java:536)
    at com.ibm.jsse2.bb.t(bb.java:153)
    at com.ibm.jsse2.bb.a(bb.java:182)
    at com.ibm.jsse2.sc.a(sc.java:567)
    at com.ibm.jsse2.sc.h(sc.java:277)
    at com.ibm.jsse2.sc.a(sc.java:485)
    at com.ibm.jsse2.i.write(i.java:25)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:94)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:152)
    at java.io.DataOutputStream.flush(DataOutputStream.java:135)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:242)
    ... 34 more
Caused by: java.security.NoSuchAlgorithmException: IbmTls12RsaPremasterSecret KeyGenerator not available
    at javax.crypto.KeyGenerator.<init>(Unknown Source)
    at javax.crypto.KeyGenerator.getInstance(Unknown Source)
    at com.ibm.jsse2.nb.e(nb.java:126)
    at com.ibm.jsse2.ab.<init>(ab.java:31)
    ... 46 more

This exception occurred when the "jdk.certpath.disabledAlgorithms" attribute within the java.security file was modified from this:

    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

to this:

    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1024, DSA keySize < 2048, EC keySize < 224

Since all signed java security jars are signed with a DSA 1024 key, the change above had the effect of preventing the successful signature validation of signed jar files, such as the IBMJCE provider and its jurisdiction policy files, thereby making the IBMJCE provider's "IbmTls12RsaPremasterSecret KeyGenerator" unavailable.

However, that still isn't the complete story. The CertPath com.ibm.security.cert.AlgorithmChecker class is indirectly called by the IBMJCE framework to determine whether a key or algorithm has been disabled by attributes within the java.security file before that key or algorithm is used. During the signature validation of a signed jar file, the AlgorithmChecker was indirectly being invoked to determine whether any of the keys or algorithms used in the signature had been disabled by the java.security file.

It was learned that the AlgorithmChecker class was using the java.security "jdk.certpath.disabledAlgorithms" attribute to learn which keys and algorithms had been disabled. However, the "jdk.certpath.disabledAlgorithms" attribute was not intended for that purpose. The AlgorithmChecker class should have been using the java.security "jdk.jar.disabledAlgorithms" attribute instead.
Problem conclusion
The CertPath com.ibm.security.cert.AlgorithmChecker class has been modified so that when it is being called to validate jar signing keys or algorithms, it will ensure that the java.security "jdk.jar.disabledAlgorithms" attribute is used to determine which algorithms have been disabled.

The associated CMVC defect is 117908.
The associated RTC problem report is 139130.
The associated APAR is IJ08687.

The affected jar file is ibmpcertpathprovider.jar. The build level of this jar for the affected releases is "20180821".

JVMs affected: Java 7.0, Java 7.1 and Java 8.0.

This fix was delivered for: 70 SR10 FP35, 7.1 SR4 FP35, and 80 SR5 FP25.
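The check below is an added example, not IBM's code. It evaluates whether a disabledAlgorithms value rejects a 1024-bit DSA key, first for the two values quoted in this APAR and then for the running JVM's jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms, and it probes for the IbmTls12RsaPremasterSecret KeyGenerator. The class name DisabledAlgCheck and its helper methods are hypothetical, and only keySize constraints are evaluated.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.KeyGenerator;

public class DisabledAlgCheck { // hypothetical name, not part of any IBM jar
    // One "keySize <op> <bits>" constraint; other constraint kinds are not evaluated here.
    private static final Pattern KEY_SIZE = Pattern.compile("keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)");

    static boolean holds(int bits, String op, int limit) {
        switch (op) {
            case "<":  return bits < limit;
            case "<=": return bits <= limit;
            case ">":  return bits > limit;
            case ">=": return bits >= limit;
            case "==": return bits == limit;
            default:   return bits != limit; // "!="
        }
    }

    // True if the property value disables keys of algorithm alg with the given size.
    static boolean disables(String value, String alg, int bits) {
        if (value == null) return false; // property not set
        for (String entry : value.split(",")) {
            String[] parts = entry.trim().split("\\s+", 2);
            if (!parts[0].equalsIgnoreCase(alg)) continue;
            if (parts.length == 1) return true; // bare name: algorithm disabled outright
            Matcher m = KEY_SIZE.matcher(parts[1]);
            if (m.find() && holds(bits, m.group(1), Integer.parseInt(m.group(2)))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // The two property values quoted in the APAR, with the line continuation joined.
        String before = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224";
        String after = before.replace("DSA keySize < 1024", "DSA keySize < 2048");
        System.out.println("APAR 'before' value disables DSA-1024: " + disables(before, "DSA", 1024));
        System.out.println("APAR 'after' value disables DSA-1024:  " + disables(after, "DSA", 1024));
        // Effective values in the running JVM (reflects java.security and any overrides).
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.jar.disabledAlgorithms"})
            System.out.println(p + " disables DSA-1024: " + disables(Security.getProperty(p), "DSA", 1024));
        try { // Symptom probe; only meaningful on an IBM JVM that ships the IBMJCE provider.
            KeyGenerator.getInstance("IbmTls12RsaPremasterSecret");
            System.out.println("IbmTls12RsaPremasterSecret KeyGenerator available");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("IbmTls12RsaPremasterSecret KeyGenerator NOT available");
        }
    }
}
```

On a JVM below the fix levels listed above, a "true" result for jdk.certpath.disabledAlgorithms is the condition this APAR describes.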
Temporary fix
Set the security property jdk.certpath.disabledAlgorithms with DSA keySize < 1024.
Comments
APAR Information
APAR number
IJ08687
Reported component name
JAVA SECURE SOC
Reported component ID
TIVSECJSS
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-08-21
Closed date
2018-08-29
Last modified date
2018-08-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
NONE 999
Fix information
Fixed component name
JAVA SECURE SOC
Fixed component ID
TIVSECJSS
Applicable component levels
Document Information
Modified date:
29 August 2018