APAR status
Closed as program error.
Error description
Error Message: N/A . Stack Trace: A java.lang.IllegalStateException with the message "(4) This method is not supported in GCM mode" is thrown when JSSE is making use of IBMJCECCA with GCM mode ciphers configured. java.security.ProviderException: Could not determine buffer size at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.m.b(m.java:136) at com.ibm.jsse2.b.a(b.java:20) at com.ibm.jsse2.ap.b(ap.java:188) at com.ibm.jsse2.ap.a(ap.java:532) at com.ibm.jsse2.ap.unwrap(ap.java:572) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:20) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.decryptMessage (SSLReadServiceContext.java:1223) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadSe rviceContext.java:303) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.parseResponseMessageSync(HttpOutboundServiceContextImpl.jav a:1769) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.readSyncResponse(HttpOutboundServiceContextImpl.java:760) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.startResponseReadSync(HttpOutboundServiceContextImpl.java:1 892) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.finishRequestMessage(HttpOutboundServiceContextImpl.java:12 76) at com.ibm.ws.websvcs.transport.http.out.HttpOutSyncWriter.finishBu fferRequest(HttpOutSyncWriter.java:117) at com.ibm.ws.websvcs.transport.http.out.HttpOutWriter.writeBuffer( HttpOutWriter.java:136) at com.ibm.ws.websvcs.transport.http.out.HttpOutByteBufferOutputStr eam.finish(HttpOutByteBufferOutputStream.java:468) ....more Caused by: java.lang.IllegalStateException: (4) This method is not supported in GCM mode. at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineUpdate(AESCipher .java:632) ... 53 more .
Local fix
The IBMJCE provider may be configured instead of the IBMJCECCA provider.
Problem summary
The JCE framework incorrectly handles GCM processing with the IBMJCECCA provider. A java.lang.IllegalStateException with the message "(4) This method is not supported in GCM mode" is thrown when JSSE is making use of IBMJCECCA with GCM mode ciphers configured. java.security.ProviderException: Could not determine buffer size at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.m.b(m.java:136) at com.ibm.jsse2.b.a(b.java:20) at com.ibm.jsse2.ap.b(ap.java:188) at com.ibm.jsse2.ap.a(ap.java:532) at com.ibm.jsse2.ap.unwrap(ap.java:572) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:20) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.decryptMessage (SSLReadServiceContext.java:1223) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadSe rviceContext.java:303) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.parseResponseMessageSync(HttpOutboundServiceContextImpl.jav a:1769) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.readSyncResponse(HttpOutboundServiceContextImpl.java:760) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.startResponseReadSync(HttpOutboundServiceContextImpl.java:1 892) at com.ibm.ws.http.channel.outbound.impl.HttpOutboundServiceContext Impl.finishRequestMessage(HttpOutboundServiceContextImpl.java:12 76) at com.ibm.ws.websvcs.transport.http.out.HttpOutSyncWriter.finishBu fferRequest(HttpOutSyncWriter.java:117) at com.ibm.ws.websvcs.transport.http.out.HttpOutWriter.writeBuffer( HttpOutWriter.java:136) at com.ibm.ws.websvcs.transport.http.out.HttpOutByteBufferOutputStr eam.finish(HttpOutByteBufferOutputStream.java:468) ....more Caused by: java.lang.IllegalStateException: (4) This method is not supported in GCM mode. at com.ibm.crypto.hdwrCCA.provider.AESCipher.engineUpdate(AESCipher .java:632) ... 53 more
Problem conclusion
The JCE framework has been updated to handle exceptions that may be thrown by the IBMJCECCA provider such that the doUpdate() method, which is not supported by the IBMJCECCA provider, is not called by the JCE framework. . This APAR will be fixed in the following Java Releases: 8 SR4 FP5 (8.0.4.5) 7 R1 SR4 FP5 (7.1.4.5) 7 SR10 FP5 (7.0.10.5) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV94941
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-04-07
Closed date
2017-04-07
Last modified date
2017-04-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R270 PSY
UP
R260 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020