APAR status
Closed as program error.
Error description
Error Message: Pb 1. For keystore (say QMP3C_DOE.kdb), ikeyman reports that wmqca is trusted whereas gsk8capicmd says it is not trusted.Pb 2. Review new CA certificates : Some new Entrust CA's are not in IKeymanPb 3. gsk8capicmd allows all three CA's to be added to a keystore, but Ikeyman (8.0.373) replaces the first G5 cert with the subsequent G5 cert. . Stack Trace: N/A .
Local fix
Problem summary
Pb 1. QMP3C_DOE.kdb (working) has no deleted records andQMP4C_DOE.kdb (not working) has a deleted wmqca record and a new one with trusted=false. We discovered that the CMS provider does not ignore keystore records that have the "DELETED" flag set. The QMP4C_DOE.kdb has the deleted wmqca record that is trusted and the non-deleted not-trusted record and ikeyman thinks the deleted one is valid. Therefore, gsk8capicmd is correct and ikeyman (cmsprovider) is incorrectly reporting that cert attribute.Pb 2. Entrust has been using a new CA to issue certificates for customers and that these CA's are not in iKeyman.Pb 3. iKeyman is treating the cert as a duplicate as it has the same public key. This behaviour is not right and not inline with gskcapicmd.
Problem conclusion
Pb 1. The fix is in cmsprovider should not take into account the "DELETED" records.Pb 2. The following new Entrust CA's were added "Entrust.net Certification Authority (2048) 29", "Entrust Root Certification Authority - EC1", "Entrust Root Certification Authority - EV", "Entrust Root Certification Authority - G2".Pb 3. CMS Provider matches entries by comparing the public key, not the whole certificate. That makes it treat certs for the same keypair as identical which they are not. The proposal is to change the code to match the whole cert, same as gsk8capicmd. . This APAR will be fixed in the following Java Releases: 6 SR16 FP4 (6.0.16.4) 7 SR9 (7.0.9.0) 7 R1 SR3 (7.1.3.0) 6 R1 SR8 FP4 (6.1.8.4) 8 SR1 (8.0.1.0) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV71425
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-03-24
Closed date
2015-03-27
Last modified date
2015-03-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
IV71426
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSY
UP
R260 PSY
UP
R270 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020