APAR status
Closed as program error.
Error description
Generating an RSA KeyPair using one provider (IBMJCEPlusFIPS) and passing the generated RSA KeyPair to a second provider (IBMJCEPlus) for crypto operation results in segmentation fault. The providers should throw an exception when mixing of IBMJCEPlus and IBMJCEPlusFIPS providers occur. Java stack trace: at com/ibm/crypto/plus/provider/icc/NativeInterface.RSACIPHER_ public_encrypt(NativeMethod) at com/ibm/crypto/plus/provider/icc/RSACipher.publicEncrypt(RS ACipher.java:31) (entered lock: com/ibm/crypto/plus/provider/icc/RSACipher@0x00000007FCA9C430, entry count: 1) at com/ibm/crypto/plus/provider/RSA.engineDoFinal(RSA.java:246) at com/ibm/crypto/plus/provider/RSA.engineDoFinal(RSA.java:175) at javax/crypto/Cipher.doFinal(Bytecode PC:35) Other information: The issue was found in Java 8 SR8 FP20 or later. The provider list in JRE_HOME\lib\security\java.security has been modified as follows: security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus security.provider.4=com.ibm.crypto.provider.IBMJCE Starting in IBM Java 8 SR8 FP20, to fix Timing Oracle in RSA Decryption CVE-202333850 vulnerability, the RSA encryption and decryption support has been removed from the IBMJCEPlusFIPS provider for FIPS 140-2. This restriction will continue to be enforced by IBMJCEPlusFIPS mode.
Local fix
Work around: To achieve FIPS compliance, it is required that applications use other supported cipher algorithms like AES in FIPS mode.
Problem summary
Using public-private key pairs across providers such as keys generated with IBMJCEPlus used with IBMJCEPlusFIPS or vice versa can lead to segmentation faults. ERROR DESCRIPTION: JVM Crashed due to context mixing of IBMJCEPlus and IBMJCEPlusFIPS provider.
Problem conclusion
The JVM has been updated to throw an InvalidKeyException when key pairs generated with IBMJCEPlus are used with IBMJCEPlusFIPS. Conversely, when key pairs generated by IBMJCEPlusFIPS are used with IBMJCEPlus, the JVM performs the necessary key transformation to prevent segmentation faults. Updated algorithms: RSA, DSA, ECDSA, DH, EdDSA. A fix is made to IBMJCEPlus provider The associated Hursley RTC Problem Report is 153107 The associated Austin git defect is IBMJCEPlus #762 The associated Austin APAR is IJ53002 JVMs affected: Java 8 The fix was delivered for Java 8 SR8 FP60 The affected jar is "ibmjceplus.jar". The build level of this jar for the affected release is: FIPS140-2: 8.0 build_20251031-548 FIPS140-3: 8.0 build_20251031-549
Temporary fix
Comments
APAR Information
APAR number
IJ53002
Reported component name
TIV JAVA CRYPTO
Reported component ID
TIVSECJCE
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-11-06
Closed date
2025-11-19
Last modified date
2025-11-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA CRYPTO
Fixed component ID
TIVSECJCE
Applicable component levels
[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSWKFH","label":"Tivoli Components - Java Security"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"600"}]
Document Information
Modified date:
19 November 2025