PH50228: IBMJCECCA ENCOUNTERS JAVA.LANG.ILLEGALSTATEEXCEPTION: THIS METHOD IS NOT SUPPORTED IN GCM MODE.

APAR status

• Closed as program error.

Error description

• Error Message: java.lang.IllegalStateException: This method is
  not supported in GCM mode.
  .
  Stack Trace:
  .
  

Local fix

• Below are a series of workarounds that can be used to resolve
  the exception.
  
  1. Add IBMJCEHYBRID to the #1 position in the provider order
  If IBMJCEHYBRID is added to the top of the provider list
  followed by IBMJCECCA and then OpenJCEPlus, IBMJCEHYBRID will
  attempt to use IBMJCECCA first for all cryptographic operations.
  If IBMJCECCA encounters an exception during the operation, such
  as the "This method is not supported in GCM mode" exception,
  IBMJCEHYBRID will then recruit OpenJCEPlus to complete the
  AES/GCM cipher so that the Java application does not break and
  the IllegalStateException is no longer encountered.
  
  A sample provider order would look like this:
  #
  # List of providers and their preference order:
  #
  security.provider.1=IBMJCEHYBRID
  security.provider.2=IBMJCECCA
  security.provider.3=OpenJCEPlus
  .
  .  <lines omitted>
  .
  
  2. Use the OpenJCEPlus provider instead of IBMJCECCA
  The OpenJCEPlus provider uses native interfaces to IBM Z
  hardware, offering hardware-accelerated cryptographic algorithms
  where supported.
  
  OpenJCEPlus supports the update() method for AES/GCM ciphers. If
  possible, use the OpenJCEPlus provider when performing the
  update() method for AES/GCM ciphers.
  
  3. Disable AES/GCM mode
  It is possible to disable AES/GCM ciphers as a workaround.
  
  In the java.security file, there is a property called
  "jdk.tls.disabledAlgorithms" that lists algorithms that should
  be treated as disabled and not used. You can add "GCM" to this
  list of disabled algorithms and Java will no longer attempt to
  use AES/GCM ciphers for the time being.
  
  Here is an example of what your java.security file's
  jdk.tls.disabledAlgorithms property might look like after you
  make the change...
  
  jdk.tls.disabledAlgorithms=GCM, SSLv3, TLSv1, TLSv1.1, RC4, DES,
  MD5withRSA, \
      DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon,
  NULL, \
      include jdk.disabled.namedCurves
  

Problem summary

• The IBMJCECCA provider in IBM Semeru Runtime Certified Edition
  for z/OS, Version 11 throws a "java.lang.IllegalStateException:
  This method is not supported in GCM mode" exception when
  attempting to run the update() method for a Cipher object
  configured to use AES/GCM
  

Problem conclusion

• IBMJCEHYBRID has been updated so that the application can keep
  AES/GCM enabled and not encounter the exception if the following
  provider list is used:
  security.provider.1=IBMJCEHYBRID
  security.provider.2=IBMJCECCA
  security.provider.3=OpenJCEPlus
  .
  . <remainder of the provider list has been omitted>
  .
  The application will first attempt to use IBMJCECCA for the
  AES/GCM operation. If IBMJCECCA is requested to perform the
  Cipher.update() function for AES/GCM, IBMJCEHYBRID will be
  notified that IBMJCECCA can't perform the update() operation and
  IBMJCEHYBRID will have OpenJCEPlus do the operation instead -
  ultimately allowing the program to continue instead of failing.
  .
  This APAR will be fixed in the following Releases:
  .
  IBM Semeru Runtime Certified Edition
     11              11.0.18.0
  .
  Contact your IBM Product's Service Team for these Service
  Refreshes and Fix Packs.
  For those running stand-alone, information about the available
  maintenance can be found at:
             https://www.ibm.com/support/pages/java-sdk
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  JAVA Z/OS 64

• Fixed component ID

  620700104

Applicable component levels