APAR status
Closed as program error.
Error description
The customer gets an error when trying to integrate with a Luna HSM, which causes TLS/SSL connections to fail for the SSP HTTP adapter. SSP startup says it reads the HSM keystore correctly:

2020-10-16 11:18:18,197 [main] INFO c.s.s.p.SecurityProperties - SecurityProperties getSecureRandom() - fips: false, PRNG Alg: PKCS11DeviceRNG, PRNG provider: IBMPKCS11Impl
2020-10-16 11:18:18,197 [main] ERROR c.s.s.p.SecurityProperties - SecureRandom not available: no such provider: IBMPKCS11Impl
2020-10-16 11:18:22,420 [main] INFO c.s.h.t.SspIbmPkcs11ImplUtil - IBMPKCS11 has been successfully initialized
2020-10-16 11:18:22,436 [main] DEBUG c.s.h.t.SspIbmPkcs11ImplUtil - HSM Keystore reloading time is set to : 15 minutes
2020-10-16 11:18:22,436 [Thread-2] DEBUG c.s.h.t.SspIbmPkcs11ImplUtil - Enter SspIbmPkcs11ImplUtil.loadKeyStore method ...
2020-10-16 11:18:22,436 [Thread-2] INFO c.s.h.t.SspIbmPkcs11ImplUtil - Loading HSM keystore ...
2020-10-16 11:18:23,467 [Thread-2] INFO c.s.h.t.SspIbmPkcs11ImplUtil - SspIbmPkcs11ImplUtil.loadKeyStore -> HSM KeyStore loaded successfully.
2020-10-16 11:18:23,467 [Thread-2] INFO c.s.h.t.SspIbmPkcs11ImplUtil - Exit SspIbmPkcs11ImplUtil.loadKeyStore method ...
2020-10-16 11:18:24,561 [SCISeedGenerator] INFO c.s.s.p.SecurityProperties - SecurityProperties getSecureRandom() - fips: false, PRNG Alg: PKCS11DeviceRNG, PRNG provider: IBMPKCS11Impl
2020-10-16 11:18:24,767 [Accept:Secure] INFO c.s.c.a.c.i.AccepterImpl - Getting serverSocket for listening on port 63366
2020-10-16 11:18:24,781 [main] INFO c.s.c.a.c.i.AccepterImpl - Accepter on port 63366 Started.

When the SSP HTTP adapter is configured to use TLS/SSL, they get this error regardless of whether they use the HSM keycert or a local SSP keycert:

SSP0222E Control:ClientAgent - Error trying to secure connection (turnOnSSL) - com.sterlingcommerce.perimeter.ssl.TLSInitException, com.ibm.pkcs11.PKCS11Exception: Vendor defined error (0x80000075)
Local fix
Problem summary
SSP was seeding the SecureRandom function when the SafeNet/Luna Hardware Security Module (HSM) was enabled, and the HSM rejected the seeding. This caused an exception that prevented the TLS handshake from completing.
Problem conclusion
SSP now turns off seeding of SecureRandom when IBMPKCS11 is the provider for generating pseudo-random numbers.
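A log triage sketch for the symptom pattern in the error description, added here as an example and not IBM's code: it checks an SSP log for the IBMPKCS11Impl PRNG provider together with an SSP0222E failure that carries a PKCS11Exception, and shows that a successful keystore load does not rule the problem out. The `triage` function, its result keys, and the timestamp, thread and logger name on the sample's last line are constructed for illustration.

```python
import re

# Constructed sample: lines 1-2 follow the log quoted in the error description;
# the timestamp, thread and logger on line 3 are made up for this example.
SAMPLE_LOG = """\
2020-10-16 11:18:18,197 [main] INFO c.s.s.p.SecurityProperties - SecurityProperties getSecureRandom() - fips: false, PRNG Alg: PKCS11DeviceRNG, PRNG provider: IBMPKCS11Impl
2020-10-16 11:18:23,467 [Thread-2] INFO c.s.h.t.SspIbmPkcs11ImplUtil - SspIbmPkcs11ImplUtil.loadKeyStore -> HSM KeyStore loaded successfully.
2020-10-16 11:19:02,115 [worker-1] ERROR sample.Logger - SSP0222E Control:ClientAgent - Error trying to secure connection (turnOnSSL) - com.sterlingcommerce.perimeter.ssl.TLSInitException, com.ibm.pkcs11.PKCS11Exception: Vendor defined error (0x80000075)
"""

PRNG_RE = re.compile(r"PRNG Alg: (?P<alg>[^,]+), PRNG provider: (?P<provider>\S+)")
TLS_RE = re.compile(
    r"SSP0222E\b.*PKCS11Exception: (?P<reason>.+?) \((?P<rv>0x[0-9A-Fa-f]+)\)"
)


def triage(log_text):
    """Summarise the indicators this APAR describes in an SSP log."""
    providers = set()
    keystore_loaded = False
    failures = []
    for line in log_text.splitlines():
        prng = PRNG_RE.search(line)
        if prng:
            providers.add(prng["provider"])
        if "HSM KeyStore loaded successfully" in line:
            keystore_loaded = True
        tls = TLS_RE.search(line)
        if tls:
            failures.append(tls["rv"].lower())
    return {
        "prng_providers": sorted(providers),
        # Informational only: startup can look healthy while TLS still fails.
        "keystore_loaded": keystore_loaded,
        "pkcs11_tls_failures": failures,
        # Both indicators together match the symptom pattern on this page.
        "matches_apar": "IBMPKCS11Impl" in providers and bool(failures),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```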
Temporary fix
SSP6011 iFix 02 Plus Build 217
Comments
APAR Information
APAR number
IT34993
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
601
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-11-20
Closed date
2021-03-16
Last modified date
2021-03-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
Document Information
Modified date:
22 May 2025