IBM Support

PH55605: ECDSA SIGNATURE SUPPORT FOR IBMJCEHYBRID

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: The following errors are thrown when attempting
to use an ECDSA key with IBMJCEHybrid as the first provider in
the java.security file:
<OSB>ERROR<CSB> CWPKI0033E: The keystore located at
safkeyringhybrid://IZUSVR/IZURING did not load because of the
following error: Errors encountered loading keyring. Keyring
could not be loaded as a JCECCARACFKS or JCERACFKS keystore.
java.io.IOException: Errors encountered loading keyring. Keyring
could not be loaded as a JCECCARACFKS or JCERACFKS keystore.
Exception#0 java.security.InvalidParameterException: Key is not
an instance of the
com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey class.
Exception#1 java.security.InvalidParameterException: Key is not
an instance of the RSAPrivateKey class.
.
Stack Trace:
.

Local fix

  • N/A

Problem summary

  • The error only happens with an ECDSA cert when IBMJCEHybrid is
at the top of the java.security provider list. Hybrid only
checks for RSA and not ECDSA, so it was routing to use IBMJCECCA
with RSA, due to the fact that there is no support for ECDSA
keys in Hybrid.

Problem conclusion

  • ECDSA key support is being added as a service to fix the error
happening when IBMJCEHybrid is at the top of the java.security
provider list. Support will be added for all Java versions (8,
11, 17).
.
This APAR will be fixed in the following Releases:
.
IBM Semeru Runtimes
   11              11.0.21.0
   17              17.0.9.0
IBM SDK, Java Technology Edition
   8    SR8 FP15  (8.0.8.15)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
maintenance can be found at:
           https://www.ibm.com/support/pages/java-sdk

Temporary fix

  • The temporary fix suggested is to put the IBMJCECCA provider
higher than IBMJCEHybrid in the java.security file (or IBMJCE
for Java 8).

Comments

  • 



APAR Information




    

  • APAR number
    PH55605
    • 

  • Reported component name
    JAVA Z/OS 64
    • 

  • Reported component ID
    620700104
    • 

  • Reported release
    B00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2023-07-07
    • 

  • Closed date
    2023-10-31
    • 

  • Last modified date
    2023-10-31
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    JAVA Z/OS 64
    • 

  • Fixed component ID
    620700104
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            01 November 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback