APAR status
Closed as program error.
Error description
When the CA root certificate does not have basicConstraints marked critical (and therefore does not conform to RFC 5280), errors such as the following can occur when communicating with the encryption key server:
2025-03-18_10:03:33.768-0700: [W] The key server Server1 (port 5696) had a failure and will be quarantined for 1 minute(s).
2025-03-18_10:03:33.768-0700: [E] Unable to create encrypted file somefile (inode 12288, fileset 0, file system gpfs1).
2025-03-18_10:03:33.768-0700: [E] Key '86cc057de6e34db6b5a866d121af214d988de1ff4bfa4b50a9dca9c0 744e1236:ctm_rkm' could not be fetched. Bad certificate.
Reported in: 5.2.2
Local fix
Problem summary
The file system encryption functionality requires CA certificates to comply with RFC 5280, which requires that the basicConstraints extension of a CA certificate be marked critical. Consequently, Storage Scale does not allow the use of CA certificates whose basicConstraints extension is not marked critical.
Problem conclusion
This problem is fixed in 5.1.9.9.
To see all Spectrum Scale APARs and their respective fix solutions, refer to: https://public.dhe.ibm.com/storage/spectrumscale/spectrum_scale_apars.html
Benefits of the solution: This fix allows the file system encryption functionality to use KMIP client and server certificates that are signed by CA certificates with non-critical basicConstraints, in a limited manner. The limit is imposed by the use of the regular setup (as opposed to the simplified setup) and the use of openssl to generate the KMIP client key store.
Work Around: Use KMIP client and server certificates that are signed by CA certificates with basicConstraints marked as critical, in conformance with RFC 5280.
Problem trigger: The use of KMIP client and server certificates signed by CA certificates that have non-critical basicConstraints.
Symptom: Failure to establish secure connections to the KMIP key server and retrieve the master encryption key required by the file system encryption functionality.
Platforms affected: ALL
Functional Area affected: GPFS Core
Customer Impact: High Importance
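As an added illustration (not IBM code and not part of this APAR), the following Python checks the property the problem summary and work-around turn on: whether a CA certificate's basicConstraints extension is present, marked critical, and asserts cA, as RFC 5280 section 4.2.1.9 requires. It parses the DER of an X.509 Extensions SEQUENCE directly with the standard library only. The two inputs are constructed Extensions blobs rather than real certificates, and the function names are hypothetical.

```python
"""Report whether basicConstraints in an X.509 Extensions block is critical.

Added example, not IBM or Storage Scale code. Parses DER by hand so it
runs offline with no third-party packages. Inputs are constructed
Extensions SEQUENCEs, not real certificates.
"""

BASIC_CONSTRAINTS_OID = "2.5.29.19"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Return [(oid, critical, extnValue)] from an Extensions SEQUENCE.

    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }
    An absent BOOLEAN means non-critical; that is exactly the case the APAR
    describes.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_bytes, p = _read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OID")
        critical = False  # DEFAULT FALSE when the BOOLEAN is omitted
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((_decode_oid(oid_bytes), critical, val))
    return result


def basic_constraints_status(der):
    """Return (present, critical, is_ca) for the basicConstraints extension."""
    for oid, critical, val in parse_extensions(der):
        if oid == BASIC_CONSTRAINTS_OID:
            # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            _, inner, _ = _read_tlv(val, 0)
            is_ca = False
            if inner:
                tag, v, _ = _read_tlv(inner, 0)
                is_ca = tag == 0x01 and v != b"\x00"
            return True, critical, is_ca
    return False, False, False


def rfc5280_ca_compliant(der):
    """True only if basicConstraints is present, critical and cA=TRUE."""
    present, critical, is_ca = basic_constraints_status(der)
    return present and critical and is_ca


# Constructed sample: basicConstraints { cA TRUE } with critical=TRUE.
CRITICAL_CA = bytes.fromhex(
    "3011"          # Extensions SEQUENCE, 17 bytes
    "300f"          # Extension SEQUENCE, 15 bytes
    "0603551d13"    # OID 2.5.29.19 (basicConstraints)
    "0101ff"        # critical BOOLEAN TRUE
    "04053003"      # extnValue OCTET STRING wrapping SEQUENCE
    "0101ff"        # cA BOOLEAN TRUE
)

# Constructed sample: same extension with the critical BOOLEAN omitted,
# i.e. non-critical, which Storage Scale rejects per this APAR.
NONCRITICAL_CA = bytes.fromhex(
    "300e" "300c" "0603551d13" "04053003" "0101ff"
)

if __name__ == "__main__":
    for name, blob in (("critical", CRITICAL_CA), ("non-critical", NONCRITICAL_CA)):
        print(name, basic_constraints_status(blob), rfc5280_ca_compliant(blob))
```

On a real CA certificate the same check is quick with `openssl x509 -in ca.pem -noout -text`: the "X509v3 Basic Constraints:" line should read "critical" before "CA:TRUE". If it does not, the certificate is the trigger this APAR describes, and reissuing the CA with basicConstraints marked critical is the work-around given above.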
Temporary fix
Comments
APAR Information
APAR number
IJ54004
Reported component name
SPEC SCALE DME
Reported component ID
5737F34AP
Reported release
522
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-03-20
Closed date
2025-04-01
Last modified date
2025-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SPEC SCALE DME
Fixed component ID
5737F34AP
Applicable component levels
Business Unit: IBM Software (BU048)
Product: STXKQY
Platform: Platform Independent (PF025)
Version: 522
Line of Business: Storage TPS (LOB69)
Document Information
Modified date:
01 April 2025