APAR status
Closed as program error.
Error description
Error Message: javax.net.ssl.SSLKeyException: RSA premaster secret error
Stack Trace:
javax.net.ssl.SSLKeyException: RSA premaster secret error
    at com.ibm.jsse2.z.<init>(z.java:102)
    at com.ibm.jsse2.bb.a(bb.java:292)
    at com.ibm.jsse2.bb.a(bb.java:273)
    at com.ibm.jsse2.ab.r(ab.java:554)
    at com.ibm.jsse2.ab.a(ab.java:325)
    at com.ibm.jsse2.qc.a(qc.java:617)
    at com.ibm.jsse2.qc.h(qc.java:103)
    at com.ibm.jsse2.qc.a(qc.java:166)
    at com.ibm.jsse2.qc.startHandshake(qc.java:649)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:62)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:22)
    at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:37)
    at ConnectionTest.doHandshake(ConnectionTest.java:30)
    at RunMe.main(RunMe.java:112)
Caused by: java.lang.IndexOutOfBoundsException
    at java.nio.ByteBuffer.wrap(ByteBuffer.java:371)
    at com.ibm.crypto.fips.provider.HASHDRBG.b(Unknown Source)
    at com.ibm.crypto.fips.provider.HASHDRBG.engineSetSeed(Unknown Source)
    at java.security.SecureRandom.setSeed(SecureRandom.java:418)
    at com.ibm.crypto.fips.provider.RSA.a(Unknown Source)
    at com.ibm.crypto.fips.provider.RSA.b(Unknown Source)
    at com.ibm.crypto.fips.provider.RSA.engineDoFinal(Unknown Source)
    at com.ibm.crypto.fips.provider.RSA.b(Unknown Source)
    at com.ibm.crypto.fips.provider.RSA.engineWrap(Unknown Source)
    at com.ibm.crypto.fips.provider.RSASSL.engineWrap(Unknown Source)
    at javax.crypto.Cipher.wrap(Unknown Source)
    at com.ibm.jsse2.z.<init>(z.java:57)
    ... 13 more
The problem happens when testing TLSv1.2 connections with com.ibm.jsse2.usefipsprovider=true and the HASHDRBG random number generator in use. This RNG was chosen to achieve NIST compliance.
Local fix
N/A
Problem summary
The current IBMJCEFIPS, Version 1.7, has two random number generators: IBMSecureRandom and HASHDRBG with its variants (SHA2DRBG, SHA5DRBG). By the end of 2015, due to changes in NIST rules, the use of IBMSecureRandom will result in non-compliance with FIPS 140-2 random number rules. In the current certified jar, HASHDRBG is not being re-seeded properly by the RSA algorithm, and IBMSecureRandom goes out of NIST compliance at the end of 2015. A FIPS 140-2 certified fix to the re-seeding of HASHDRBG will repair calling applications that use HASHDRBG. Calling applications using IBMSecureRandom will have to pick up the updated jars and also make a small code change to call HASHDRBG.
Problem conclusion
A fix is made to the IBMJCEFIPS and IBMJSSE2 providers. When in FIPS 140-2 compliance mode, IBMJSSE2 was changed to use SHA2DRBG as the default secure random generator.
The associated Hursley RTC Problem Report is 91195.
The associated Austin CMVC defects are 116495, 116497, 116585 and 116617.
JVMs affected: Java 6.0, Java 626, Java 7.0, Java 727 and Java 8.
The fix was delivered for Java 6 SR16FP5, Java 626 SR8FP5, Java 7 SR9FP10, Java 727 SR3FP10 and Java 8 SR1FP10.
The level for the fixed ibmjcefips.jar is 20150505 (version 1.71). The level for the fixed ibmjsseprovider2.jar is 20150506.
This APAR will be fixed in the following Java Releases:
7 SR9 FP10 (7.0.9.10)
6 R1 SR8 FP7 (6.1.8.7)
7 R1 SR3 FP10 (7.1.3.10)
8 SR1 FP10 (8.0.1.10)
6 SR16 FP7 (6.0.16.7)
Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
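An added example, not code from this APAR or from IBM, of the "small code change" the problem summary calls for: select a DRBG from the FIPS provider instead of IBMSecureRandom and hand it explicitly to the SSLContext used for TLSv1.2 handshakes. The algorithm names come from this APAR; the provider name string "IBMJCEFIPS", the use of default key/trust managers, and the class/method names are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;

/** Picks a NIST SP 800-90A DRBG from the FIPS provider for use in TLS. */
public final class FipsRandomSelector {

    // DRBG names as listed in the APAR; SHA2DRBG first, matching the new IBMJSSE2 default.
    private static final String[] DRBG_NAMES = { "SHA2DRBG", "SHA5DRBG", "HASHDRBG" };

    // Assumed: the FIPS provider is registered under this name in java.security.
    private static final String FIPS_PROVIDER = "IBMJCEFIPS";

    /** Returns the first available DRBG from the FIPS provider; never falls back to IBMSecureRandom. */
    public static SecureRandom fipsDrbg() throws NoSuchAlgorithmException {
        for (String name : DRBG_NAMES) {
            try {
                return SecureRandom.getInstance(name, FIPS_PROVIDER);
            } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
                // This variant is not available from the provider; try the next one.
            }
        }
        throw new NoSuchAlgorithmException("no DRBG available from provider " + FIPS_PROVIDER);
    }

    /** Builds a TLSv1.2 context whose handshakes draw randomness from the FIPS DRBG. */
    public static SSLContext tlsContext() throws Exception {
        SecureRandom rng = fipsDrbg();
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // null key/trust managers select the JVM defaults; the RNG is the explicit choice here.
        ctx.init(null, null, rng);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The APAR's test scenario ran with -Dcom.ibm.jsse2.usefipsprovider=true.
        SecureRandom rng = fipsDrbg();
        System.out.println("RNG: " + rng.getAlgorithm() + " from " + rng.getProvider().getName());
        // Exercise the reseed path (SecureRandom.setSeed -> engineSetSeed) that the
        // stack trace above shows failing with the unfixed ibmjcefips.jar.
        rng.setSeed(rng.generateSeed(32));
        byte[] out = new byte[16];
        rng.nextBytes(out);
        System.out.println("context ready: " + tlsContext().getProtocol());
    }
}
```

Verify after applying the fix packs that the printed provider is the FIPS provider and that reseeding completes without an IndexOutOfBoundsException; the jar level of ibmjcefips.jar should be 20150505 or later.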
Temporary fix
Comments
APAR Information
APAR number
IV73189
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-05-12
Closed date
2015-05-19
Last modified date
2015-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R270 PSY
UP
R600 PSY
UP
Document Information
Modified date:
29 June 2015