IBM Support

IJ03801: ISSUE WITH SAME DN CERTS, IKEYMAN GUI ERROR WITH STASH, JKS CHAIN ISSUE AND JVM ARGUMENT PARSE ISSUE WITH IKEYMAN

 

APAR status

  • Closed as program error.

Error description

  • Error Message:
    1. Issues with same DN certs
    Warning: Validation failed: Missing intermediate or root certificate.
    2. iKeyman error
    An internal exception has occurred:
    [Password]
    MISSING_PARAMETER
    .
    Stack Trace:
    1. Issues with same DN certs
    N/A
    2. iKeyman GUI error
    com.ibm.gsk.ikeyman.error.InternalKeyManagerException
    at com.ibm.gsk.ikeyman.command.CommandParameters.getValue(CommandParameters.java)
    at com.ibm.gsk.ikeyman.command.CommandParameters.getPassword(CommandParameters.java)
    at com.ibm.gsk.ikeyman.command.CommandFactory$CreateDbCommand.run(CommandFactory.java)
    at com.ibm.gsk.ikeyman.command.Command.invoke(Command.java)
    at com.ibm.gsk.ikeyman.command.CommandFactory$CompoundCommand.run(CommandFactory.java)
    at com.ibm.gsk.ikeyman.command.Command.invoke(Command.java)
    at com.ibm.gsk.ikeyman.command.ControlObjectFactory$ChoiceCommand.invoke(ControlObjectFactory.java)
    .
    

Local fix

  • 1. Issue with same DN certs
    Remove the certificates with the same DN from the keystore.
    2. iKeyman GUI error
    This problem can be reproduced only when the default password
    stashing state is enabled via properties, i.e.
    DEFAULT_PASSWORD_STASHING_STATE=true. As a workaround, set the
    default password stashing state to false in properties and stash
    the password via the iKeyman GUI instead: tick the checkbox
    "stash password to file" that appears below the password in the
    Password prompt.
    3. JKS Chain issue
    Because the chain issue during import happens only when JKS is
    the target keystore, import into a different target keystore
    type (PKCS12 or CMS) and then convert it back to JKS.
    4. JVM argument parse issue with iKeyman
    Pass -Djava.security.properties=/tmp/java.security.append
    as a Java argument instead of as an iKeyman argument.
    

Problem summary

  • 1. Issue with same DN certs
    When the keystore contains more than one set of CA signer
    certificates with exactly the same Issuer/Subject DN, iKeyman
    reports a "Missing Intermediate or Root Certificate" error.
    The reason is that iKeyman builds the certificate chain based
    on the Issuer and Subject Distinguished Name (DN), and thus the
    certificate path validation fails.
    2. iKeyman GUI error
    This problem occurs only when the default password stashing
    state is enabled via properties, i.e.
    DEFAULT_PASSWORD_STASHING_STATE=true, and the user attempts to
    create a PKCS12 keystore via the iKeyman GUI.
    3. JKS Chain issue
    During import of a chained certificate into a JKS target
    keystore, only the personal certificate gets imported. The
    expected behavior is that the entire chain is imported.
    4. JVM argument parse issue with iKeyman
    -Djava.security.properties passed to jre/bin/ikeycmd is ignored.
    

Problem conclusion

  • 1. Issue with same DN certs
    iKeyman is updated to build the certificate chain based on the
    certificate signature.
    2. iKeyman GUI error
    This is a bug in iKeyman code that was introduced in iKeyman
    version 8.0.412 as part of the more secure stash file format
    and is fixed in this release.
    3. JKS Chain issue
    Additional function was needed in iKeyman to import the entire
    certificate chain into a JKS target keystore.
    4. JVM argument parse issue with iKeyman
    This is a bug in iKeyman code that was introduced in iKeyman
    version 8.0.415 and is fixed in this release. The problem is
    that iKeyman retrieves the Security.getProvider() list before
    parsing the command-line arguments, and it is in those
    arguments that the security properties file is updated.
    .
    This APAR will be fixed in the following Java Releases:
       8    SR5 FP10  (8.0.5.10)
       7    SR10 FP20 (7.0.10.20)
       6    SR16 FP60 (6.0.16.60)
       6 R1 SR8 FP60  (6.1.8.60)
       7 R1 SR4 FP20  (7.1.4.20)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
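
The same-DN problem in item 1 and its signature-based fix can be reproduced outside iKeyman. The following is an added example, not IBM or iKeyman code: it uses the Python `cryptography` package, constructed certificates, and a hypothetical first-match lookup as a simplified model of DN-only chain building.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_DN = "Example Root CA"  # constructed DN shared by both signer certificates

def make_cert(subject_cn, issuer_cn, subject_key, signing_key, is_ca):
    """Build a constructed test certificate (P-256 keys, SHA-256 signature)."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if the issuer's public key verifies the certificate's signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def issuer_by_dn(cert, store):
    """DN-only lookup: first store entry whose Subject equals the cert's Issuer."""
    return next((c for c in store if c.subject == cert.issuer), None)

def issuer_by_signature(cert, store):
    """The DN narrows the candidates; the signature check picks the real issuer."""
    return next((c for c in store if c.subject == cert.issuer and signed_by(cert, c)), None)

def build_sample():
    """Two self-signed CAs with one DN but different keys; leaf signed by the second."""
    old_key, new_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    old_ca = make_cert(CA_DN, CA_DN, old_key, old_key, True)
    new_ca = make_cert(CA_DN, CA_DN, new_key, new_key, True)
    leaf = make_cert("server.example.test", CA_DN, leaf_key, new_key, False)
    return leaf, [old_ca, new_ca]

if __name__ == "__main__":
    leaf, store = build_sample()
    print("DN-only issuer verifies leaf:", signed_by(leaf, issuer_by_dn(leaf, store)))
    print("signature-based issuer verifies leaf:", signed_by(leaf, issuer_by_signature(leaf, store)))
```

With both signer certificates in the store, the DN-only lookup returns the CA whose key did not sign the leaf, so path validation fails even though the correct signer is present.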
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ03801

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-30

  • Closed date

    2018-02-05

  • Last modified date

    2018-02-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels


Document Information

Modified date:
07 December 2020