APAR status
Closed as program error.
Error description
Error Message: The following errors are thrown when attempting to use RSA Hardware keys over TLSv1.3 with the IBMJCECCA provider:
javax.net.ssl.SSLException: No supported CertificateVerify signature algorithm for RSA key
java.security.InvalidKeyException: No installed provider supports this key: com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey
java.security.spec.InvalidParameterSpecException: Inappropriate parameter specification
Stack Trace: .
Local fix
Users need to create an RSA-PSS key with an RSAPSS signature algorithm. Users can use hwkeytool to generate RSAPSS keys and store them in the keystore. Another option is to translate RSA keys into RSA-PSS based keys: https://ibm.biz/BdPpK9 If the customer needs to do this, a Sys Admin can follow these instructions.
Problem summary
This issue is encountered in Java 8 for users switching to use TLSv1.3 and in Java 11 where TLS will now default to TLSv1.3. RSA hardware keys previously used with the IBMJCECCA provider for key exchange over TLSv1.2 are no longer supported in TLSv1.3 and cannot be used.
Problem conclusion
RSA was removed from TLS1.3 as a Key Exchange/Handshake but not for key signing. The only signature algorithm that supports RSA hardware keys in TLSv1.3 is RSA-PSS. RSA keys with a PKCS #1 v1.5 signature or with an RSASSA-PSS signature are supported.
Required updates to enable TLS V1.3 protocol support: https://ibm.biz/BdfuJA
This APAR will be fixed in the following Releases:
IBM Semeru Runtime Certified Edition 11 11.0.19.0
IBM SDK, Java Technology Edition 8 SR8 FP5 (8.0.8.5)
Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
The temporary fix suggested until the release is for the customer to hard code TLSv1.2.
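One way to apply the temporary fix above in application code, shown as an added example that is not IBM's code: restrict a JSSE engine to TLSv1.2 with the standard SSLParameters API so TLSv1.3 is never negotiated with the RSA hardware key. The class and method names are hypothetical, and the default SSLContext stands in for the application's own context backed by the IBMJCECCA keystore.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class for illustration; not part of any IBM SDK.
public class PinTls12 {
    private static final String[] ONLY_TLS12 = { "TLSv1.2" };

    // Create an engine from ctx that offers and accepts TLSv1.2 only.
    static SSLEngine tls12Engine(SSLContext ctx, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        // Set the mode first: it determines which default protocols apply.
        engine.setUseClientMode(clientMode);

        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(ONLY_TLS12);  // disables TLSv1.3 and every other version
        // Throws IllegalArgumentException if the provider does not support TLSv1.2.
        engine.setSSLParameters(params);

        // Fail closed if the restriction was not applied as requested.
        String[] enabled = engine.getEnabledProtocols();
        if (!Arrays.equals(enabled, ONLY_TLS12)) {
            throw new IllegalStateException(
                "Unexpected enabled protocols: " + Arrays.toString(enabled));
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a real deployment passes the SSLContext it initialised
        // with key managers for its hardware keystore; the default context
        // is used here only so the example runs anywhere.
        SSLContext ctx = SSLContext.getDefault();

        SSLEngine client = tls12Engine(ctx, true);
        SSLEngine server = tls12Engine(ctx, false);

        System.out.println("client protocols: "
            + Arrays.toString(client.getEnabledProtocols()));
        System.out.println("server protocols: "
            + Arrays.toString(server.getEnabledProtocols()));
    }
}
```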
Comments
APAR Information
APAR number
PH52876
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
B00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-02-27
Closed date
2023-03-17
Last modified date
2023-03-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
Document Information
Modified date:
23 March 2023