APAR status
Closed as program error.
Error description
Error Message: javax.crypto.AEADBadTagException: Tag mismatch! . Stack Trace: The javax.crypto.AEADBadTagException will be thrown from different places depending on the security provider being used: IBMJCE: javax.crypto.AEADBadTagException: Tag mismatch! at com.ibm.crypto.provider.aJ.c(Unknown Source) at com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown Source) <common component> IBMJCECCA: javax.crypto.AEADBadTagException: CSNBSYD returned (8,2028). Decryption failed because the AuthenticationTag does not match the data provided.(1) at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineDoFinal(AESCiphe r.java:297) <common component> IBMJCEHYBRID: (both IBMJCE and IBMJCECCA stacktraces because it tries both) IBMPKCS11: com.ibm.pkcs11.PKCS11Exception: Operation failed, this is caused by either an invalid IV, tLen or AAD. at com.ibm.crypto.pkcs11impl.provider.PKCS11Cipher.engineDoFinalGCM (PKCS11Cipher.java:1268) at com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11Cipher.engineDoF inal(GeneralPKCS11Cipher.java:1274) <common component> RACF: javax.crypto.AEADBadTagException: CSNBSYD returned (8,2028). Decryption failed because the AuthenticationTag does not match the data provided.(1) at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineDoFinal(AESCiphe r.java:297) <common component> where <common component> is at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.n$t$a.a(n$t$a.java:18) at com.ibm.jsse2.ak.e(ak.java:173) at com.ibm.jsse2.ak.b(ak.java:74) at com.ibm.jsse2.a0.a(a0.java:27) .
Local fix
Problem summary
There was an encoding issue that occurred on Java 8 for z/OS when a connection tried to be made to a webserver using the default protocol, TLSv1.3. This issue was represented as a "javax.crypto.AEADBadTagException: Tag mismatch!" exception. JSSE had the following type of code for the TLSv1.3 protocol which has been updated for z/OS... this.label="TLS 13 " + label).getBytes(). The getBytes() function was defaulting to an EBCDIC encoding (IBM-1047) because it was running on the z/OS platform; however, the TLSv1.3 protocol code expected this string label to be in ASCII format (ISO8859_1). Therefore, getBytes() had to be updated to getBytes(ISO_8859_1) in order for this issue to be resolved. The same changes were made to the z/OS Java 11 SDK.
Problem conclusion
A fix was implemented for Java 8.0 SR7 FP5 that now allows for the proper encoding to be used when running with TLSv1.3. Users should upgrade their Java version to Java 8.0 SR7 FP5 to fix this issue. Binary affected - ibmjsseprovider2.jar GIT Issue - #191 Build - 8.0 build_20211116--430 . This APAR will be fixed in the following Java Releases: 8 SR7 FP5 (8.0.7.5) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ36207
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-18
Closed date
2021-12-01
Last modified date
2021-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270"}]
Document Information
Modified date:
02 December 2021