IBM Support

IBM i Java Development Kit 8 64 & 32 bit VMs Fail with "Could not generate ECDHEMLKEM keypair" After IBM i Java Group PTF Apply

Flashes (Alerts)


Abstract

After applying the following IBM i Java Group PTF levels, IBM Java Development Kit (JDK) 8 64‑bit and 32‑bit VMs upgraded to SR8 FP55 may begin to fail with the error:
java.lang.RuntimeException: Could not generate ECDHEMLKEM keypair

Other IBM JDK versions (11, 17, 21) on IBM i are not affected—only Java 8 (64‑bit and 32‑bit) VMs.
This issue can also affect the IBM i Administration (ADMIN) server, Integrated Web Services (IWS), Integrated Web Application Server (IAS), WebSphere Application Server (Traditional and Liberty), Tomcat, and Web Query instances running on Java 8 SR8 FP55.

Affected IBM i Java Group PTF Levels Providing Java 8 SR8 FP55:
IBM i 7.6 - SF99965 level 4
IBM i 7.5 - SF99955 level 19
IBM i 7.4 - SF99665 level 31
IBM i 7.3 - SF99725 level 40

Content

If you have recently updated your IBM i Java Group PTF level and then suddenly began to experience issues with your Java 8 64‑bit or 32‑bit applications on IBM i 7.6, 7.5, 7.4, or 7.3, you will need to either download and apply the resolving PTF or implement one of the recommended workarounds to address the issue.
 
Affected IBM i Java Group PTF level causing the issue:
 
IBM i 7.6 - SF99965 level 4
IBM i 7.5 - SF99955 level 19
IBM i 7.4 - SF99665 level 31
IBM i 7.3 - SF99725 level 40
 
Example Java exceptions seen with Java 8 SR9 FP55:
 

Caused by: java.lang.RuntimeException: Could not generate ECDHEMLKEM keypair               
Caused by: java.security.NoSuchAlgorithmException: ML-KEM-768 KeyPairGenerator not available

 
Resolving PTF
Update: 3/13/2026

IBM APARs IJ57463: THE IBMJCEPLUS PROVIDER FAILED TO GENERATE AN ECDHEMLKEM KEYPAIR ON THE IBMI PLATFORM & IJ57394: THE IBMJCEPLUS PROVIDER FAILED TO GENERATE AN ECDHEMLKEM KEYPAIR ON THE IBMI PLATFORM are now closed.  The fix will be delivered in the IBM JDK 8 SR8 FP65 release for IBM i OS targeted for 2Q 2026 release.

The IBMJCEPlus version introduced with the IBM i HTTP Group Levels (7.3 - 40 / 7.4 - 31 / 7.5 - 19 / 7.6 - 4) added support for the ECDHEMLKEM algorithm; however, this support included a platform‑level runtime block on IBM i. IBMJCEPlus is a multi‑platform JCE implementation, but on IBM i the algorithm was permitted in the JVM configuration and was not explicitly blocked from being negotiated when requested by a peer system. As a result, the TLS negotiation could begin, but ultimately failed because the algorithm was not actually available to the IBM i JDK at runtime.

The PTFs listed below update the configuration to ensure that negotiation for this algorithm is never attempted on IBM i. A future IBMJCEPlus version—delivered with Java 8 SR8 FP65—will fully enable IBM i to use this algorithm. When that version becomes available, the current configuration block will be removed and the algorithm will be allowed for default use.
 
 
Update: 2/17/2026
 
IBM i 7.5 and 7.4 OS GA PTFs are available for IBM JDK 8.0 32 & 64 bit LPPs.  These PTFs permanently disable the the problematic TLSv1.3 X25519MLKEM768 namedGroup via the default java.security file to resolve the issue for non-WebSphere Application Server JVMs. After applying the PTF, the temporary workaround can be removed if you do not run WebSphere Application Server JVMs on your IBM i server.
 

IBM i 7.5 - 5770JV1

  • JDK 8 32‑bit: SJ08633
  • JDK 8 64‑bit: SJ08630
IBM i 7.4 - 5770JV1

  • JDK 8 32‑bit: SJ08632

  • JDK 8 64‑bit: SJ08631
     

IBM i 5770JV1 PTFs can be immediately temporarily applied.  Restart the IBM i JVM job to pick up the change.

NOTE:  This PTF does not fully resolve IBM WebSphere Application Server TLSv1.3 connection issues.  IBM recommends all WebSphere on IBM i users apply the specified Java option, jdk.tls.namedGroups="x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096",  as a workaround using any of these methods.

  • Add the jdk.tls.namedGroups="x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096" custom property under your WebSphere Application Server's JVM Process Definition's Custom Properties.
    • Click Servers > Server Types, and either WebSphere application servers > server_name or WebSphere proxy servers > server_name.  Then, under Server Infrastructure, click Java and process management > Process definition > Java virtual machine > Custom properties.
  • Add the jdk.tls.namedGroups="x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096" Java option to your /home/QEJBSVR/SystemDefault.properties (WAS user scope) or /QIBM/UserData/Java400/SystemDefault.properties (IBM i OS scope) file.
 
 
Temporary Workaround
 
Until the resolving PTF is generally available, you may use the following temporary workarounds.
 
Workaround 1:
 

Temporarily disable the problematic X25519MLKEM768 TLSv1.3 namedGroup by customizing the JVM’s jdk.tls.namedGroups property to remove this value.

Note: The commands below extend to the right. Scroll horizontally to view and copy the full command.

STRQSH
touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties
echo "jdk.tls.namedGroups=x25519,secp256r1,secp384r1,secp521r1,x448,ffdhe2048,ffdhe3072,ffdhe4096" >> /QIBM/UserData/Java400/SystemDefault.properties
F12
WRKLNK '/QIBM/UserData/Java400/SystemDefault.properties'
Option 2 to edit.
Verify the jdk.tls.namedGroups Java option exists correctly in the file.
Press F3 twice to save and exit.
Restart your Java 8 JVM job to pick up the change.
 
 
Workaround 2:
 

Force the JVM to use only TLSv1.2, as this protocol does not use the problematic TLSv1.3 X25519MLKEM768 namedGroup.
Add the following JVM option:

-Djdk.tls.client.protocols=TLSv1.2

 

IBM is also recommending clients running critical Java applications on the IBM i perform a SAVLICPGM of their 5770JV1 LPP Options before an IBM i Java Group PTF update.  Once the update is complete, you can then perform another SAVLICPGM of your 5770JV1 LPP Options to a different save file.  If needed, you can then uninstall the specific 5770JV1 LPP Option and execute a RSTLICPGM to roll back to your previous Java SR FP level or roll forward to your new Java SR FP level.  This is handy when experiencing Java issues after a Java Group PTF level update and/or applying Java PTFs.
 
1) Before the IBM i Java Group PTF update, save all installed Java LPP options.

CRTSAVF QGPL/JV1BASE
CRTSAVF QGPL/JV1OPT16
CRTSAVF QGPL/JV1OPT17
CRTSAVF QGPL/JV1OPT20
etc.
 
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(*BASE) SAVF(QGPL/JV1BASE)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(16) SAVF(QGPL/JV1OPT16)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(20) SAVF(QGPL/JV1OPT20)
etc.
 
2) Apply your IBM i Java Group PTF or Java PTFs to update the option's Service Release (SR) Fix Pack (FP) level.
 
3) Create new save files and save the LPPs again in case you want to "roll forward" after "rolling back".
 
CRTSAVF QGPL/JV1BASE_N
CRTSAVF QGPL/JV1OPT16_N
CRTSAVF QGPL/JV1OPT17_N
CRTSAVF QGPL/JV1OPT20_N
etc.
 
 
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(*BASE) SAVF(QGPL/JV1BASE_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(16) SAVF(QGPL/JV1OPT16_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17_N)
SAVLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(20) SAVF(QGPL/JV1OPT20_N)
etc.
 
4) If you need to roll back or forth, you would simply uninstall the single JV1 option (except for *BASE - this would require uninstalling ALL JV1 Options to restore) and then restore the JV1 option(s) at the desired SR FP level from your JV1* save file(s).
 
To rollback to the original Java SR FP level from before the IBM i Java Group PTF update.

End all Java 8 64 bit VMs.
DLTLICPGM LICPGM(5770JV1) OPTION(17)
RSTLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17)
 
To roll forward to the new Java SR FP level from after the IBM i Java Group PTF update.

End all Java 8 64 bit VMs.
DLTLICPGM LICPGM(5770JV1) OPTION(17)
RSTLICPGM LICPGM(5770JV1) DEV(*SAVF) OPTION(17) SAVF(QGPL/JV1OPT17_N)

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHpAAM","label":"Java Development Kit-\u003EJDK 8"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;7.5.0;7.6.0"}]

Document Information

Modified date:
13 March 2026

UID

ibm17257559

Page Feedback