IBM Support

IBM i Java Development Kit 8 64 & 32 bit VMs Fail with "Could not generate ECDHEMLKEM keypair" After IBM i Java Group PTF Apply

Flashes (Alerts)


Abstract

After applying the following IBM i Java Group PTF levels, IBM Java Development Kit (JDK) 8 64‑bit and 32‑bit VMs upgraded to SR8 FP55 may begin to fail with the error:
java.lang.RuntimeException: Could not generate ECDHEMLKEM keypair

Other IBM JDK versions (11, 17, 21) on IBM i are not affected—only Java 8 (64‑bit and 32‑bit) VMs.
This issue can also affect the IBM i Administration (ADMIN) server, Integrated Web Services (IWS), Integrated Web Application Server (IAS), WebSphere Application Server (Traditional and Liberty), Tomcat, and Web Query instances running on Java 8 SR8 FP55.

Affected IBM i Java Group PTF Levels Providing Java 8 SR8 FP55:
IBM i 7.6 - SF99965 level 4
IBM i 7.5 - SF99955 level 19
IBM i 7.4 - SF99665 level 31
IBM i 7.3 - SF99725 level 40

Content

If you have recently updated your IBM i Java Group PTF level and then suddenly began to experience issues with your Java 8 64‑bit or 32‑bit applications on IBM i 7.6, 7.5, 7.4, or 7.3, you will need to either download and apply the resolving PTF or implement one of the recommended workarounds to address the issue.
 
Affected IBM i Java Group PTF level causing the issue:
 
IBM i 7.6 - SF99965 level 4
IBM i 7.5 - SF99955 level 19
IBM i 7.4 - SF99665 level 31
IBM i 7.3 - SF99725 level 40
 
Example Java exceptions seen with Java 8 SR9 FP55:
 

Caused by: java.lang.RuntimeException: Could not generate ECDHEMLKEM keypair               
Caused by: java.security.NoSuchAlgorithmException: ML-KEM-768 KeyPairGenerator not available

 
 
Temporary Workaround
 
Until the resolving PTF is generally available, you may use the following temporary workarounds.
 
Workaround 1:
 

Temporarily disable the problematic X25519MLKEM768 TLSv1.3 namedGroup by customizing the JVM’s jdk.tls.namedGroups property to remove this value.

Note: The commands below extend to the right. Scroll horizontally to view and copy the full command.

STRQSH
touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties
echo "jdk.tls.namedGroups=x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096" >> /QIBM/UserData/Java400/SystemDefault.properties
F12
WRKLNK '/QIBM/UserData/Java400/SystemDefault.properties'
Option 2 to edit.
Verify the jdk.tls.namedGroups Java option exists correctly in the file.
Press F3 twice to save and exit.
Restart your Java 8 JVM job to pick up the change.
 
 
Workaround 2:
 

Force the JVM to use only TLSv1.2, as this protocol does not use the problematic TLSv1.3 X25519MLKEM768 namedGroup.
Add the following JVM option:

-Djdk.tls.client.protocols=TLSv1.2
 
 
Resolving PTF
More information will be provided here soon.
 
IBM is also recommending clients running critical Java applications on the IBM i perform a SAVLICPGM of their 5770JV1 LPP Options before an IBM i Java Group PTF update.  Once the update is complete, you can then perform another SAVLICPGM of your 5770JV1 LPP Options to a different save file.  If needed, you can then uninstall the specific 5770JV1 LPP Option and execute a RSTLICPGM to roll back to your previous Java SR FP level or roll forward to your new Java SR FP level.  This is handy when experiencing Java issues after a Java Group PTF level update and/or applying Java PTFs.
 
1) Before the IBM i Java Group PTF update, save all installed Java LPP options.

CRTSAVF QGPL/JV1BASE
CRTSAVF QGPL/JV1OPT16
CRTSAVF QGPL/JV1OPT17
CRTSAVF QGPL/JV1OPT20
etc.
 
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(*BASE) SAVF(QGPL/JV1BASE)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(16) SAVF(QGPL/JV1OPT16)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(20) SAVF(QGPL/JV1OPT20)
etc.
 
2) Apply your IBM i Java Group PTF or Java PTFs to update the option's Service Release (SR) Fix Pack (FP) level.
 
3) Create new save files and save the LPPs again in case you want to "roll forward" after "rolling back".
 
CRTSAVF QGPL/JV1BASE_N
CRTSAVF QGPL/JV1OPT16_N
CRTSAVF QGPL/JV1OPT17_N
CRTSAVF QGPL/JV1OPT20_N
etc.
 
 
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(*BASE) SAVF(QGPL/JV1BASE_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(16) SAVF(QGPL/JV1OPT16_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(20) SAVF(QGPL/JV1OPT20_N)
etc.
 
4) If you need to roll back or forth, you would simply uninstall the single JV1 option (except for *BASE - this would require uninstalling ALL JV1 Options to restore) and then restore the JV1 option(s) at the desired SR FP level from your JV1* save file(s).
 
To rollback to the original Java SR FP level from before the IBM i Java Group PTF update.

End all Java 8 64 bit VMs.
DLTLICPGM LICPGM(5770JV1) OPTION(17)
RSTLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17)
 
To roll forward to the new Java SR FP level from after the IBM i Java Group PTF update.

End all Java 8 64 bit VMs.
DLTLICPGM LICPGM(5770JV1) OPTION(17)
RSTLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17_N)

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHpAAM","label":"Java Development Kit-\u003EJDK 8"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;7.5.0;7.6.0"}]

Document Information

Modified date:
22 January 2026

UID

ibm17257559

Page Feedback