APAR status
Closed as program error.
Error description
Error Message: javax.crypto.AEADBadTagException: ICC_AES_GCM_En/DecryptFinal failed . Stack Trace: javax.net.ssl.SSLException: javax.crypto.AEADBadTagException: ICC_AES_GCM_En/DecryptFinal failed at com.ibm.jsse2.f.a(f.java:52) at com.ibm.jsse2.bf.a(bf.java:49) at com.ibm.jsse2.bf.a(bf.java:161) at com.ibm.jsse2.bf.a(bf.java:153) at com.ibm.jsse2.a4.a(a4.java:47) at com.ibm.jsse2.bo.b(bo.java:241) at com.ibm.jsse2.bo.f(bo.java:491) at com.ibm.jsse2.bo.a(bo.java:132) at com.ibm.jsse2.bo.startHandshake(bo.java:539) at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:160) at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:63) at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:43) .
Local fix
Apply any one of the following options. 1. Disable the PQC hybrid key exchange by overriding the default value using the following system property. System property name: jdk.tls.namedGroups Property value: "x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,f fdhe4096,ffdhe6144,ffdhe8192" 2. Append the following value to the jdk.tls.disabledAlgorithms property in the java.security file located at: <JAVA_HOME>\jre\lib\security\java.security value: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024
Problem summary
A build failure occurred when compiling the Java application with Java 8.0.8.55 and Maven 3.9.11 when TLS 1.3 and PQC hybrid key agreements were enabled, resulting in an AEADBadTagException: ICC_AES_GCM_En/DecryptFinal
Problem conclusion
The JVM has been updated to correctly handle PQC hybrid key agreements in TLS 1.3 when running in a multi-threaded environment. GIT issues: JSSE: 392 RTC problem report: 153357 The associated Austin APAR is IJ56786 The affected files: ibmjsseprovider2.jar ibmjsseprovider2.jar build dates: Build-Date:20251125 Build: 8.0 build_20251125--570 The fixes were delivered for: Java 8.0 SR8 FP60 . This APAR will be fixed in the following Releases: . IBM Semeru Runtimes IBM SDK, Java Technology Edition 8 SR8 FP60 (8.0.8.60) . Downloads and supplementary documentation can be found at the following locations: - For non z/OS operating systems: - IBM Semeru Runtimes, Version 11 and later https://www.ibm.com/semeru-runtimes/downloads/ - IBM SDK, Java Technology Edition, Version 8 https://www.ibm.com/support/pages/java-sdk-downloads/ - For the z/OS operating system: - Java SDK Products on z/OS https://www.ibm.com/support/pages/java-sdk-products-zos
Temporary fix
Comments
APAR Information
APAR number
IJ56875
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-12-03
Closed date
2025-12-05
Last modified date
2025-12-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]
Document Information
Modified date:
05 December 2025