IBM Support

IJ54004: ALLOW CA ROOT CERTS WITH NON-CRITICAL BASICCONSTRAINTS


APAR status

  • Closed as program error.

Error description

  • When the CA root certificate does not carry basicConstraints
    marked as critical (and therefore does not conform to RFC 5280),
    errors such as the following can occur while the TLS session to
    the encryption key server (KMIP, port 5696) is being established:
        2025-03-18_10:03:33.768-0700: [W] The key server
    Server1 (port 5696) had a failure and will be quarantined
    for 1 minute(s).
        2025-03-18_10:03:33.768-0700: [E] Unable to create
    encrypted file somefile (inode 12288, fileset 0, file
    system gpfs1).
        2025-03-18_10:03:33.768-0700: [E] Key
    '86cc057de6e34db6b5a866d121af214d988de1ff4bfa4b50a9dca9c0744e1236:ctm_rkm'
    could not be fetched. Bad certificate.
    
    Reported in: 5.2.2
    

Local fix

Problem summary

  • The file system encryption functionality requires CA
    certificates to comply with RFC 5280, which (section 4.2.1.9)
    requires conforming CAs to include the basicConstraints extension
    in CA certificates and to mark it critical. Consequently, Storage
    Scale does not allow the use of CA certificates whose
    basicConstraints extension is not marked critical.
    

Problem conclusion

  • This problem is fixed in 5.1.9.9.
    To see all Spectrum Scale APARs and their respective
    fix solutions refer to page:
    https://public.dhe.ibm.com/storage/spectrumscale/spectrum_scale_apars.html
    
    Benefits of the solution:
    This fix allows the file system encryption functionality to use
    KMIP client and server certificates that are signed by CA
    certificates with non-critical basicConstraints, within limits:
    the relaxation applies only to the regular setup (as opposed to
    the simplified setup) and only when the KMIP client key store is
    generated with openssl.
    
    Work Around:
    Use KMIP client and server certificates that are signed by CA
    certificates with basicConstraints marked as critical, in
    conformance to RFC 5280.
    
    Problem trigger:
    The use of KMIP client and server certificates signed by CA
    certificates that have non-critical basicConstraints.
    
    Symptom:
    Failure to establish secure connections to the KMIP key server
    and retrieve the master encryption key required by the file
    system encryption functionality.
    
    Platforms affected:
    ALL
    
    Functional Area affected:
    GPFS Core
    
    Customer Impact:
    High Importance
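
    To make the requirement in the problem summary and the workaround
    above concrete, the following is an added example (not IBM code and
    not taken from Storage Scale) that walks the DER structure of an X.509
    certificate and reports whether its basicConstraints extension asserts
    cA and is flagged critical, i.e. the difference between the CA
    certificate RFC 5280 requires and the non-critical form this APAR is
    about. The parser handles real DER certificates (a PEM file can be
    converted with the standard library's ssl.PEM_cert_to_DER_cert);
    sample_cert() builds a constructed certificate skeleton with
    placeholder fields and a dummy signature purely so the example runs
    offline. Names such as ca_cert_problems are this example's own.

```python
"""Check whether a CA certificate marks basicConstraints critical (RFC 5280 4.2.1.9).

Added example, not Storage Scale code. Pure-Python DER walker; the only
inputs constructed here are the certificate skeletons from sample_cert().
"""
import ssl
from typing import Iterator, List, Optional, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19, DER content octets
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15, used only by sample_cert


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (tag, definite length, body)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the element at buf[pos]; return (tag, body, offset after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each element packed inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def basic_constraints(cert_der: bytes) -> Optional[Tuple[bool, bool]]:
    """Return (cA, critical) for basicConstraints, or None if the extension is absent."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    for tag, body in children(tbs):
        if tag != 0xA3:                       # extensions [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = read_tlv(body, 0)    # Extensions ::= SEQUENCE OF Extension
        for _, ext in children(ext_list):
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
            #                          extnValue OCTET STRING }
            fields = list(children(ext))
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
            # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
            _, bc, _ = read_tlv(fields[-1][1], 0)
            is_ca = any(t == 0x01 and v == b"\xff" for t, v in children(bc))
            return is_ca, critical
    return None


def ca_cert_problems(cert_der: bytes) -> List[str]:
    """Why a certificate would be rejected as an RFC 5280-conformant CA certificate."""
    bc = basic_constraints(cert_der)
    if bc is None:
        return ["basicConstraints extension missing"]
    is_ca, critical = bc
    problems = []
    if not is_ca:
        problems.append("basicConstraints cA is FALSE")
    if not critical:
        problems.append("basicConstraints is not marked critical")
    return problems


def ca_cert_problems_pem(pem: str) -> List[str]:
    """Same check for a PEM-encoded certificate, e.g. the CA file used for a KMIP key store."""
    return ca_cert_problems(ssl.PEM_cert_to_DER_cert(pem))


def sample_cert(critical_bc: bool) -> bytes:
    """Constructed certificate skeleton (placeholder fields, dummy signature) for this example."""
    empty = der_tlv(0x30, b"")
    bc_ext = der_tlv(0x06, OID_BASIC_CONSTRAINTS)
    if critical_bc:
        bc_ext += der_tlv(0x01, b"\xff")                                     # critical TRUE
    bc_ext += der_tlv(0x04, der_tlv(0x30, der_tlv(0x01, b"\xff")))          # cA TRUE
    ku_ext = (der_tlv(0x06, OID_KEY_USAGE) + der_tlv(0x01, b"\xff")
              + der_tlv(0x04, der_tlv(0x03, b"\x01\x06")))                  # keyCertSign|cRLSign
    extensions = der_tlv(0xA3, der_tlv(0x30, der_tlv(0x30, ku_ext) + der_tlv(0x30, bc_ext)))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))    # version v3
                  + der_tlv(0x02, b"\x01")                 # serialNumber
                  + empty + empty + empty + empty + empty  # sigAlg, issuer, validity, subject, SPKI
                  + extensions)
    return der_tlv(0x30, tbs + empty + der_tlv(0x03, b"\x00"))  # + signatureAlgorithm, signature


if __name__ == "__main__":
    for critical in (True, False):
        print("critical" if critical else "non-critical", ca_cert_problems(sample_cert(critical)))
```

    The same distinction is visible with openssl: `openssl x509 -in
    ca.pem -noout -text` prints "X509v3 Basic Constraints: critical" for
    a conforming CA, and no "critical" marker for the form this APAR
    describes. When generating a CA with openssl, `basicConstraints =
    critical, CA:TRUE` in the extensions section (or `-addext
    basicConstraints=critical,CA:TRUE` with `openssl req -x509`) produces
    the conforming form, while `CA:TRUE` alone produces the non-critical
    one.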
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ54004

  • Reported component name

    SPEC SCALE DME

  • Reported component ID

    5737F34AP

  • Reported release

    522

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-03-20

  • Closed date

    2025-04-01

  • Last modified date

    2025-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SPEC SCALE DME

  • Fixed component ID

    5737F34AP

Applicable component levels

  • Business Unit: IBM Software (BU048)
  • Product code: STXKQY
  • Platform: Platform Independent (PF025)
  • Version: 522
  • Line of Business: Storage TPS (LOB69)

Document Information

Modified date:
01 April 2025