APAR status
Closed as program error.
Error description
Error Message: java.security.NoSuchProviderException: JCE cannot authenticate the provider IBMJCE

Stack Trace:
java.security.NoSuchProviderException: JCE cannot authenticate the provider IBMJCE
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
    at com.ibm.ws.crypto.ltpakeyutil.LTPACrypto.constructSecretKey(LTPACrypto.java:589)
    at com.ibm.ws.crypto.ltpakeyutil.LTPACrypto.decrypt(LTPACrypto.java:658)
    at com.ibm.ws.crypto.ltpakeyutil.KeyEncryptor.decrypt(KeyEncryptor.java:49)
    at com.ibm.ws.security.token.ltpa.internal.LTPAKeyInfoManager.prepareLTPAKeyInfo(LTPAKeyInfoManager.java:136)
    at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.getPreparedLtpaKeyInfoManager(LTPAKeyCreateTask.java:51)
    at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.createRequiredCollaborators(LTPAKeyCreateTask.java:85)
    at com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask.run(LTPAKeyCreateTask.java:95)
    at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.lang.Thread.run(Thread.java:818)
Caused by: java.util.jar.JarException: file:/opt/tivoli/tsm/ui/jre/lib/ext/ibmjceprovider.jar is not signed by a trusted signer.
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.a.a(Unknown Source)
    at javax.crypto.b.b(Unknown Source)
    at javax.crypto.b.a(Unknown Source)
    ... 13 more

Security for the webserver is set in its JVM with:
    -Djava.security.properties=oc.security
which contains a line to disable SHA1 for cert paths:
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
Local fix
Problem summary
The CertPath AlgorithmChecker class is mistakenly using the java.security attribute "jdk.certpath.disabledAlgorithms" to filter the algorithms that can be used for signing jar files. The java.security attribute "jdk.jar.disabledAlgorithms" was created for this purpose and must be used instead.
Problem conclusion
The CertPath AlgorithmChecker class has been modified to ensure that the java.security attribute "jdk.jar.disabledAlgorithms" is used to filter the algorithms that can be used for signing jar files.

A fix is made to ibmcertpathprovider.jar.

The associated Hursley RTC Problem Report is 142822
The associated Austin defect is certpath Issue-#10 (8.0)
The associated Austin APAR is IJ21540
JVMs affected: Java 8
The fix was delivered for Java 8 SR6FP5
The affected jar is "ibmcertpathprovider.jar".
The build level of this jar for the affected releases is Build-Level: 20191213-47

This APAR will be fixed in the following Java Releases:
    8 SR6 FP5 (8.0.6.5)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs.
For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at:
    https://www.ibm.com/developerworks/java/jdk/
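The following diagnostic is an added example, not IBM code: it prints every rule that is in "jdk.certpath.disabledAlgorithms" but absent from, or different in, "jdk.jar.disabledAlgorithms", which are the rules a build without this fix would also apply to signed jar files. The class name DisabledAlgCompare is hypothetical; run it with the same -Djava.security.properties option as the affected JVM.

```java
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic (not IBM code): compares the two java.security
// properties named in this APAR for the JVM it is run on.
public class DisabledAlgCompare {

    // Turns "MD5, SHA1, RSA keySize < 1024" into
    // {MD5 -> "", SHA1 -> "", RSA -> "keySize < 1024"}.
    static Map<String, String> parse(String value) {
        Map<String, String> rules = new LinkedHashMap<>();
        if (value == null) {
            return rules; // property not set
        }
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) {
                continue;
            }
            int sp = e.indexOf(' ');
            String name = (sp < 0 ? e : e.substring(0, sp)).toUpperCase();
            String constraint = sp < 0 ? "" : e.substring(sp + 1).trim();
            // An algorithm may be listed more than once; keep every constraint.
            rules.merge(name, constraint, (a, b) -> a + " | " + b);
        }
        return rules;
    }

    static String show(String rule) {
        return rule == null ? "(not listed)" : rule.isEmpty() ? "disabled" : rule;
    }

    public static void main(String[] args) {
        Map<String, String> certpath = parse(Security.getProperty("jdk.certpath.disabledAlgorithms"));
        Map<String, String> jar = parse(Security.getProperty("jdk.jar.disabledAlgorithms"));
        int diffs = 0;
        for (Map.Entry<String, String> e : certpath.entrySet()) {
            String jarRule = jar.get(e.getKey());
            if (e.getValue().equals(jarRule)) {
                continue; // same rule in both lists
            }
            diffs++;
            System.out.printf("%-8s certpath: %-22s jar: %s%n",
                    e.getKey(), show(e.getValue()), show(jarRule));
        }
        System.out.println(diffs + " certpath rule(s) differ from the jar signing policy");
    }
}
```

With the oc.security override shown in the error description, SHA1 appears in this output whenever the jar policy of the same JVM does not disable SHA1 in the same way.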
Temporary fix
Comments
APAR Information
APAR number
IJ21616
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-12-13
Closed date
2020-01-07
Last modified date
2020-01-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
07 December 2020