IBM Support

Change in Oracle JCE Code Signing CA in IBM JDK 8.0 SR6 FP25, 7.1 SR4 FP75, & 7.0 SR10 FP75

Troubleshooting


Problem

Java applications running on the IBM i OS might encounter the error messages "JCE is not installed properly", "JCE cannot authenticate the provider XX", and "xyz.jar is not signed by a trusted signer." after upgrading to one of the following IBM i Java Group PTF levels or newer.
The following IBM i Java Group PTF levels install 8.0 SR6 FP25.
Release 7.1 -- SF99572 level 44
Release 7.2 -- SF99716 level 31
Release 7.3 -- SF99725 level 21
Release 7.4 -- SF99665 level 10
The following IBM i Java Group PTF levels install 7.0 SR10 FP75 and 7.1 SR4 FP75.
Release 7.1 -- SF99572 level 43
Release 7.2 -- SF99716 level 30
Release 7.3 -- SF99725 level 20

Cause

A new Oracle JCE Code Signing CA was recently implemented in the IBM JDK to resolve APAR IJ26310.
https://www.ibm.com/support/pages/apar/IJ26310

The change is included in the following JDK levels:

8 SR6 FP25 (8.0.6.25)
7 SR10 FP75 (7.0.10.75)
7 R1 SR4 FP75 (7.1.4.75)

Environment

IBM i OS; IBM JDK 7.0, 7.1, 8.0

Resolving The Problem

If you encounter this issue with a third-party JCE provider, such as BouncyCastle, you need to obtain from that security provider an updated JCE jar signed by the new Oracle JCE Code Signing CA.
The IBM JDK was updated to use the new Oracle JCE Code Signing CA as a security requirement.  IBM considers this working-as-designed and recommends clients use the IBM JCE Security Provider to avoid experiencing this issue.  The IBM JCE Security Provider is certified for use with the IBM JDK.
The client assumes all risk when implementing any 3rd party Java Security Provider in the IBM JDK.  IBM reserves the right to make changes to improve the security of the JDK even if this negatively affects 3rd party JCE providers.  It is the responsibility of the 3rd party security provider to be compatible with the IBM JDK if they choose to provide this support.  JCE providers can request their JCE jar be signed with the new Oracle JCE Code Signing CA here: https://www.oracle.com/java/technologies/javase/getcodesigningcertificate.html.
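
To see which certificate chain signed a given provider jar, for example when comparing the jar that now fails against an updated one from the vendor, the following added example (not IBM's or the provider's code; the class name JarSignerReport is hypothetical) reads every entry of the jar and prints the distinct signer chains it finds.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): reports who signed a provider jar.
// Written without lambdas so it compiles on JDK 7.0, 7.1 and 8.0.
public class JarSignerReport {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerReport <provider.jar>");
            System.exit(2);
        }
        Set<String> chains = new LinkedHashSet<String>();
        int unsigned = 0;
        byte[] buf = new byte[8192];
        // verify=true: an entry whose digest does not match its signature
        // raises SecurityException while it is being read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only available after the entry is fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain the stream */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) { unsigned++; continue; }
                StringBuilder sb = new StringBuilder();
                for (Certificate c : certs) {
                    if (!(c instanceof X509Certificate)) continue;
                    X509Certificate x = (X509Certificate) c;
                    sb.append("  subject: ").append(x.getSubjectX500Principal().getName())
                      .append("\n   issuer: ").append(x.getIssuerX500Principal().getName())
                      .append("\n  expires: ").append(x.getNotAfter()).append('\n');
                }
                chains.add(sb.toString());
            }
        }
        System.out.println("Unsigned entries: " + unsigned);
        for (String chain : chains) System.out.println("Signer chain:\n" + chain);
    }
}
```

The report only shows the signing chain and any unsigned entries; the decision whether that chain is trusted is made by the JCE framework in the JDK level that is installed.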
 
If the software application cannot be updated to use a trusted security provider, the only alternative is to roll back your Java SR FP to a previous level, before the new Oracle JCE Code Signing CA was implemented in the IBM JDK.
NOTE:  ALL JVM instances for the specific Java version and build level MUST be ended immediately BEFORE removing these 5770JV1 PTFs.  You can use WRKJVMJOB, Option 5, to identify the current active JVMs on your IBM i server and their respective Java version and bit levels.

Here is some information on how to stop/start a few IBM-supplied JVM jobs.

Job QYPSJSVR
To stop this job, type ENDTCPSVR *MGTC.
To start this job, type STRTCPSVR *MGTC.

Job QSRVMON
To stop this job, type WRKSYSVAL QSFWERRLOG, press the Enter key and change it to *NOLOG.
To start this job, type WRKSYSVAL QSFWERRLOG, press the Enter key and change it to *LOG.

Jobs ADMIN, ADMIN1, ADMIN2, ADMIN3, ADMIN4, or ADMIN5 in the subsystem QHTTPSVR
To stop these jobs, type ENDTCPSVR *HTTP HTTPSVR(*ADMIN).
To start these jobs, type STRTCPSVR *HTTP HTTPSVR(*ADMIN).

Job QINAVMNSRV
To stop this job, type CALL PGM(QSYSDIR/QINAVMNSRV) PARM(*STOP) and press ENTER.
To start this job, start the ADMIN server using STRTCPSVR *HTTP HTTPSVR(*ADMIN).
https://www.ibm.com/support/pages/qinavmnsrv-job

IBM JDK 8.0

You can roll back your Java SR FP level to SR6 FP20 by re-installing the 5770JV1 Option 16 and 17 LPPs and applying the SR6 FP20 5770JV1 PTFs AFTER ending all JDK 8.0 JVMs.
NOTE:  If you roll back your 8.0 SR FP level to SR6 FP20, please review the IBM document, Installation of Java 8.0 SR6 FP20 on IBM i May Result in an "abort" Event Causing JVMs to Suddenly Terminate, which describes a known issue at SR6 FP20 and the additional PTF that must be applied to remediate this issue.
a.  Uninstall the 5770JV1 Option 16 and 17 LPPs.
GO LICPGM Option 12
b.  Reinstall the 5770JV1 Option 16 and 17 LPPs from the ESS downloaded media or the B_GROUPx_05 IBM i media disc.
GO LICPGM Option 11
c. Reinstall the following 5770JV1 PTFs for JDK 8.0 32 bit and 64 bit to install SR6 FP20, which is the SR FP level immediately before the Oracle JCE Signing CA change was made.
IBM i 7.4:
JDK 8.0 32 bit
5770JV1-SI74773
5770JV1-SI74757
5770JV1-SI75722

JDK 8.0 64 bit
5770JV1-SI74786
5770JV1-SI74758
5770JV1-SI75596
IBM i 7.3:
JDK 8.0 32 bit
5770JV1-SI74772
5770JV1-SI74742
5770JV1-SI75145
5770JV1-SI75719

JDK 8.0 64 bit
5770JV1-SI74785
5770JV1-SI74746
5770JV1-SI75595
5770JV1-SI75150
IBM i 7.2:
JDK 8.0 32 bit
5770JV1-SI74771
5770JV1-SI74774
5770JV1-SI75717
5770JV1-SI75147

JDK 8.0 64 bit
5770JV1-SI74775
5770JV1-SI74784
5770JV1-SI75711
5770JV1-SI75149
IBM i 7.1:
JDK 8.0 32 bit
5761JV1-SI74770
5761JV1-SI74776
5761JV1-SI75724

JDK 8.0 64 bit
5761JV1-SI74778
5761JV1-SI74783
5761JV1-SI75723
 

IBM JDK 7.1/7.0

You can roll back to Java 7.1 SR4 FP70 and Java 7.0 SR10 FP70 by re-installing the 5770JV1 Option 14 and 15 LPPs and applying the SR4 FP70/SR10 FP70 5770JV1 PTFs AFTER ending all JDK 7.x JVMs.
a.  Uninstall the 5770JV1 Option 14 and 15 LPPs.
GO LICPGM Option 12
b.  Reinstall the 5770JV1 Option 14 and 15 LPPs from the ESS downloaded media or the B_GROUPx_05 IBM i media disc.
GO LICPGM Option 11
c. Reinstall the following 5770JV1 PTFs for JDK 7.1/7.0 32 bit and 64 bit to install 7.1 SR4 FP70 and 7.0 SR10 FP70, which is the SR FP level immediately before the Oracle JCE Signing CA change was made.
IBM i 7.3:
JDK 7.1 32bit
5770JV1-SI73964
5770JV1-SI73981
JDK 7.1 64bit
5770JV1-SI73966
5770JV1-SI73982
JDK 7.0 32bit
5770JV1-SI73960
5770JV1-SI73979
JDK 7.0 64bit
5770JV1-SI73962
5770JV1-SI73980
IBM i 7.2:
JDK 7.1 32bit
5770JV1-SI73967
5770JV1-SI73977
JDK 7.1 64bit
5770JV1-SI73968
5770JV1-SI73978
JDK 7.0 32bit
5770JV1-SI73967
5770JV1-SI73975
JDK 7.0 64bit
5770JV1-SI73968
5770JV1-SI73976
IBM i 7.1:
JDK 7.1 32bit
5770JV1-SI73963
5770JV1-SI73973
JDK 7.1 64bit
5770JV1-SI73965
5770JV1-SI73974
JDK 7.0 32bit
5770JV1-SI73971
5770JV1-SI73959
JDK 7.0 64bit
5770JV1-SI73972
5770JV1-SI73961

Document Location

Worldwide


Document Information

Modified date:
17 February 2022

UID

ibm16448572