APAR status
Closed as program error.
Error description
Error Message: Exception: 3008-737 A certificate attribute was not recognized. (wraps: java.io.IOException: DNSName components must begin with a letter) . Stack Trace: java.io.IOException: DNSName components must begin with a letter at com.ibm.security.x509.DNSName.<init>(DNSName.java:153) at com.ibm.security.x509.DNSName.<init>(DNSName.java:95) at com.ibm.security.x509.DNSName.<init>(DNSName.java:84) at com.ibm.security.certclient.util.PkSsCertFactory.createSubjectAl tName(Unknown Source) at com.ibm.security.certclient.util.PkSsCertFactory$PkSsCertImpl.ge nerateSsCertificate(Unknown Source) at com.ibm.security.certclient.util.PkSsCertFactory$PkSsCertImpl.ge nerateKeyPairNCert(Unknown Source) at com.ibm.security.certclient.util.PkSsCertFactory$PkSsCertImpl.<i nit>(Unknown Source) at com.ibm.security.certclient.util.PkSsCertFactory.newSsCert(Unkno wn Source) .
Local fix
Problem summary
PkSsCertFactory.newSsCert() API generate error when a certificate is created having SubjectAlternativeNames starts with asterisk or digit. Key Certificate Management fails to create a certificate containing a Subject Alternative Name (SAN) DNSName value that does not begin with a letter. A certificate attribute was not recognized when SAN DNS value begins with asterisk or digit. It occurred because of relaxation not yet provided as per RFC 1123 for Key Certificate Management.
Problem conclusion
Key Certificate Management has been updated to accept relaxed DNSName specifications as per RFC 1123. SAN DNS can begin with asterisk or digit. Binary affected - ibmkeycert.jar GIT Issues - IBMKCM #34 RTC Problem Report - 151141 Build version: build_20240510--48 JVMs affected: Java 8 SR8 FP10 - FP25 JVM to be delivered in - JDK 8 SR8 FP30 . This APAR will be fixed in the following Releases: . IBM SDK, Java Technology Edition 8 SR8 FP30 (8.0.8.30) . Downloads and supplementary documentation can be found at the following locations: - For non z/OS operating systems: - IBM Semeru Runtimes, Version 11 and later https://www.ibm.com/semeru-runtimes/downloads/ - IBM SDK, Java Technology Edition, Version 8 https://www.ibm.com/support/pages/java-sdk-downloads/ - For the z/OS operating system: - Java SDK Products on z/OS https://www.ibm.com/support/pages/java-sdk-products-zos
Temporary fix
Comments
APAR Information
APAR number
IJ51335
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-05-30
Closed date
2024-05-31
Last modified date
2024-06-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]
Document Information
Modified date:
11 June 2024