APAR status
Closed as program error.
Error description
Error Message:
Pb 1. Because iKeyman allows duplicate certificate requests to be created, the signature algorithm value becomes inconsistent when the user enters an invalid output file path on the first attempt to create a new certificate request.
Pb 2. iKeyman shows no warning message when the user attempts to validate or receive a personal certificate whose certificate chain is missing the root or an intermediate certificate.
Pb 3. When a certificate request is created with no extension parameters (attribute length = 0), the extension parameters (basic constraints, ku, eku) provided in the sign command are not added to the signed certificate.
Stack Trace: N/A
Local fix
For duplicate certificate requests (Pb 1), the workaround is to delete all certificate requests that share the same label and recreate the request from scratch. Also avoid creating two certificate requests with the same label.
For Pb 3, the workaround is to create the certificate request with at least one extension parameter, ku or eku.
Problem summary
Pb 1. iKeyman allows duplicate certificate requests to be created, which causes the signature algorithm value to differ between certificate requests that have the same label.
Pb 2. Although iKeyman marks the invalid certificate with a yellow background, it does not show a warning message to the user.
Pb 3. When a certificate request is created with empty attributes (no extension parameters), iKeyman does not add the extension parameter "basic constraints" when this certificate request is signed with the 'ca true' option. This prevents iKeyman from building certificate chains of more than one level.
Problem conclusion
Pb 1. iKeyman should check for a duplicate label before creating a certificate request. Also, if the user types in a wrong output file, iKeyman should not create any certificate request.
Pb 2. iKeyman returns the warning message "Warning: Validation failed: Missing intermediate or root certificate" when the user attempts to validate or receive a certificate with no root certificate.
Pb 3. iKeyman should add all the extension parameters provided in the sign command to the certificate.

This APAR will be fixed in the following Java Releases:
7 SR9 FP40 (7.0.9.40)
8 SR3 (8.0.3.0)
6 SR16 FP25 (6.0.16.25)
6 R1 SR8 FP25 (6.1.8.25)
7 R1 SR3 FP40 (7.1.3.40)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV80403
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-01-15
Closed date
2016-01-15
Last modified date
2016-01-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R270 PSY
UP
R600 PSY
UP
Document Information
Modified date:
07 December 2020