APAR status
Closed as program error.
Error description
WebSphere fails to create a chained certificate. The following error message is printed in the log: 3008-737 A certificate attribute was not recognised. (wraps: com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format)
------ Sample error --------------------------------------------
[11/5/21 9:20:10:033 CET] 0000017a CreateCMSKeyS 3 Exception creating CMS keystore.
com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format):
com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format
    at com.ibm.security.certclient.util.PkNewCertFactory.computeAuthorityKID(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory.access$000(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.generatenewCertificate(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.<init>(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory.newCert(Unknown Source)
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server who replaced the server root certificate with one that contains a standard SKI.
PROBLEM DESCRIPTION: After a Java update, while creating a chained certificate, com.ibm.security.certclient.base.PkRejectionException is thrown.
RECOMMENDATION:
After a Java update, the following error is thrown during chained certificate creation:
com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format
The recent Java version started to check whether the chained certificate's Authority Key Identifier (AKI) format matches its root signer's Subject Key Identifier (SKI) format. WebSphere had been specifying the short SKI/AKI format when calling the Java API to create a certificate. If the root certificate has an SKI that is not in the short format, Java throws the above exception because the SKI format does not match.
Servers that use WebSphere's default root certificate are not affected by this issue, as that certificate contains an SKI in the short format. Servers whose root certificate comes from a third party (a CA certificate, or one created by iKeyman, keytool, openssl, etc.) are affected.
--- Keytool output of SKI ---
Root certificate keytool output. The following shows the longer SKI:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6 ................
0010: 3c 87 27 7b ....
]
]
The following is the shorter SKI from WebSphere's default root certificate:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
The Java change was introduced with the following APAR: https://www.ibm.com/support/pages/apar/IJ32593, included in the following Java releases:
8 SR6 FP35 (8.0.6.35)
7 SR10 FP90 (7.0.10.90)
7 R1 SR4 FP90 (7.1.4.90)
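The two key identifier forms above are the two methods of RFC 5280 section 4.2.1.2. The following is an added example (not IBM or WebSphere code) that parses a KeyIdentifier out of keytool output, classifies it as the 20-byte or 8-byte form, and flags the SKI/AKI format mismatch this APAR describes; the two hex dumps are the ones quoted in the problem summary, and the "format match" rule is modelled on the description above rather than on the Java source.

```python
"""Added example (not IBM/WebSphere code): parse a KeyIdentifier out of keytool
output, classify its RFC 5280 form, and flag the SKI/AKI mismatch in this APAR."""
import hashlib
import re

# Hex dumps quoted in the APAR text: a third-party root (20-byte SKI) and
# WebSphere's default root (8-byte SKI).
ROOT_SKI_DUMP = """KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6  ................
0010: 3c 87 27 7b                                      ....
]"""
DEFAULT_SKI_DUMP = """KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]"""
OFFSET = re.compile(r"[0-9a-fA-F]{4}:")
HEXBYTE = re.compile(r"[0-9a-fA-F]{2}")

def parse_keyid(dump: str) -> bytes:
    """Collect the bytes of each 'NNNN: xx xx ...' line; the ASCII column ends
    the run (assumes it does not begin with two hex-looking characters)."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET.fullmatch(tokens[0]):
            continue
        for tok in tokens[1:]:
            if not HEXBYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def ski_format(keyid: bytes) -> str:
    """RFC 5280 4.2.1.2: method (1) is the 160-bit SHA-1 of the public key
    (20 bytes, 'long'); method (2) is a 0100 tag + low 60 bits (8 bytes, 'short')."""
    if len(keyid) == 20:
        return "long"
    if len(keyid) == 8 and keyid[0] >> 4 == 0x4:
        return "short"
    return "other"

def short_ski(spki_bits: bytes) -> bytes:
    """Method (2) identifier; the 'long' form is simply the full SHA-1 digest."""
    tail = bytearray(hashlib.sha1(spki_bits).digest()[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)  # 4-bit type field 0100
    return bytes(tail)

def aki_compatible(signer_ski: bytes, aki_format: str) -> bool:
    """The check this APAR describes: AKI format must match the signer's SKI format."""
    return ski_format(signer_ski) == aki_format
```

Running `aki_compatible(parse_keyid(ROOT_SKI_DUMP), "short")` reproduces the failing case: WebSphere requested the short AKI form while the third-party root carries a long SKI.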
Problem conclusion
The certificate creation code has been updated to match the SKI/AKI format of the signer. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.13. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH42162
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-17
Closed date
2022-03-29
Last modified date
2022-05-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Line of Business: Automation (LOB45); Business Unit: IBM Software w/o TPS (BU059); Product: WebSphere Application Server (SSEQTP); Platform: Platform Independent (PF025); Version: 8.5
Document Information
Modified date:
14 May 2022