IBM Support

IJ38324: KEY CERTIFICATE MANAGEMENT (KCM) GENERATES CERTS WITH INCORRECT AKI EXTENSION VALUE WHEN THE SIGNING CERT WAS NOT CREATED BY KCM

APAR status

  • Closed as program error.

Error description

  • Key Certificate Management (KCM) produces certificates with
    incorrect Authority Key Identifier (AKI) extension values when
    the signing certificate was not generated by KCM.
    
    Error Message, as reported by customer:
    Complete certificate chain is not presented.
    
    The AKI/SKI values Java generates for the chained certificate do
    not match.
    The chained certificate is not recognized by Java as a chain
    because the AKI/SKI do not match.
    
    Stack Trace, if applicable:
    N/A
    
    Other Error Information, as reported by customer:
    N/A
    

Local fix

  • Workaround:
    Create every certificate in a chain (the signing certificate and
    the certificates it signs) with the same tool, i.e. keytool,
    iKeyman or KCM, so that the AKI and SKI values agree.
    

Problem summary

  • Key Certificate Manager Authority Key Identifier value
    incorrect.
    
    PROBLEM DESCRIPTION:
    
    An Authority Key Identifier (AKI) and Subject Key Identifier (SKI)
    mismatch in a certificate chain causes validation to fail. The key
    identifier value generated by Key Certificate Management differs
    from the one generated by keytool or iKeyman for the same key. A
    certificate chain will not validate when the Subject Key Identifier
    (SKI) of the signer certificate does not match the Authority Key
    Identifier (AKI) of the signed certificate, because the path
    builder uses the AKI to locate the issuer.
    
    Certificate chains that mix certificates generated by iKeyman,
    keytool and Key Certificate Management therefore fail to validate
    due to the AKI/SKI mismatch.
    
    Error message: The extended error message from the SSL handshake
    exception is: PKIX path validation failed:
    java.security.cert.CertPathValidatorException: Path does not
    chain with any of the trust anchors.
    

Problem conclusion

  • Key Certificate Management was modified to copy the SKI value of
    the signing certificate to the AKI value of the signed
    certificate.
    
    The associated Hursley RTC Problem Report is 147372
    
    The associated Austin GIT defect is IBMKCM#18
    
    The associated Austin APAR is IJ38324
    
    JVMs affected: Java 8.0
    
    The fix was delivered for Java 8 sr7 fp10
    
    The affected jar is "ibmkeycert.jar".
    
    The build level of this jar for the affected releases is Java 8
    build_20220408--77
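
The following script is an added example, not part of the APAR text and
not IBM's KCM code. It reproduces the failure described above with the
openssl CLI: the same issuer key is put into two certificates, one whose
SKI is the RFC 5280 value (what keytool and iKeyman write) and one with a
constructed, non-standard identifier standing in for a tool that derives
the value differently. A leaf signed under each inherits that value as its
AKI, and the script then runs the check a path builder makes (leaf AKI
keyid equals issuer SKI) and asks openssl to verify each chain. It goes
slightly beyond the APAR by also computing the RFC 5280 identifier from the
key alone, so you can tell which tool wrote the standard value. It assumes
openssl 1.1.1 or later on PATH; all key pairs, names and the odd identifier
are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the APAR or from KCM): reproduce an AKI/SKI
# mismatch with the openssl CLI and run the check a PKIX path builder makes.
# Assumes openssl 1.1.1 or later on PATH (needed for `x509 -ext`).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key pairs and names for the issuer and the leaf.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/leaf.key" 2>/dev/null
openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Root" -out "$WORK/ca.csr" 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf.example" -out "$WORK/leaf.csr" 2>/dev/null

# Issuer certificate whose SKI is the RFC 5280 value (SHA-1 of the public
# key), which keytool, iKeyman and openssl's "hash" setting all produce.
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# A second certificate for the SAME issuer key carrying a different,
# constructed key identifier, standing in for a tool that derives the
# identifier its own way (the situation the APAR describes).
ODD_ID='0102030405060708090A0B0C0D0E0F1011121314'
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=%s\n' "$ODD_ID" > "$WORK/ca_odd.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 -sha256 \
  -extfile "$WORK/ca_odd.ext" -out "$WORK/ca_odd.pem" 2>/dev/null

# A leaf issued from each variant. authorityKeyIdentifier=keyid copies the
# issuing certificate's SKI into the leaf's AKI (the behaviour the fix
# restores in KCM); the leaf signed under ca_odd inherits the odd value.
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/leaf.ext"
for v in ca ca_odd; do
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$v.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf_$v.pem" 2>/dev/null
done

# Key identifier carried by one extension of one certificate, as the
# colon-separated upper-case hex openssl prints (same for 1.1.1 and 3.x).
key_id() {  # $1 cert file, $2 subjectKeyIdentifier | authorityKeyIdentifier
  openssl x509 -in "$1" -noout -ext "$2" |
    grep -oE '([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}' | head -n 1
}

# RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING,
# which for RSA is the PKCS#1 RSAPublicKey DER. Computed from the key alone,
# so it shows what a standards-following tool should have written.
expected_ski() {  # $1 RSA private key file
  openssl rsa -in "$1" -RSAPublicKey_out -outform DER 2>/dev/null |
    openssl dgst -sha1 | awk '{print $NF}' |
    tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# The relation the path builder relies on: leaf AKI keyid == issuer SKI.
aki_matches_ski() {  # $1 leaf, $2 issuer; exit status 0 on match
  aki=$(key_id "$1" authorityKeyIdentifier)
  ski=$(key_id "$2" subjectKeyIdentifier)
  [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Whether openssl can build a path from the leaf to the given trust anchor.
chain_verifies() {  # $1 leaf, $2 trust anchor; exit status 0 on success
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

printf 'issuer SKI in cert:  %s\n' "$(key_id "$WORK/ca.pem" subjectKeyIdentifier)"
printf 'issuer SKI from key: %s\n' "$(expected_ski "$WORK/ca.key")"
for v in ca ca_odd; do
  leaf="$WORK/leaf_$v.pem"
  printf 'leaf_%s AKI: %s\n' "$v" "$(key_id "$leaf" authorityKeyIdentifier)"
  if aki_matches_ski "$leaf" "$WORK/ca.pem"; then m=match; else m=MISMATCH; fi
  if chain_verifies "$leaf" "$WORK/ca.pem"; then c=verifies; else c='does not verify'; fi
  printf 'leaf_%s against issuer: AKI/SKI %s, chain %s\n' "$v" "$m" "$c"
done
```

The leaf issued under the standard issuer certificate matches and verifies;
the leaf issued under the odd variant carries the odd value in its AKI, so
against the same issuer key presented with its standard SKI the identifiers
differ and openssl refuses to build the path, just as the Java PKIX builder
reports "Path does not chain with any of the trust anchors". To diagnose a
real chain, run `key_id` on the leaf's AKI and the signer's SKI and compare
them with `expected_ski` computed from the signer's key: whichever
certificate disagrees with the computed value was produced by the tool that
derives the identifier differently.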
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ38324

  • Reported component name

    TIV SEC COMPONE

  • Reported component ID

    TIVOSEC00

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-03-09

  • Closed date

    2022-04-14

  • Last modified date

    2022-04-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV SEC COMPONE

  • Fixed component ID

    TIVOSEC00

Applicable component levels

  • Line of Business: Data and AI (LOB10)

  • Business Unit: Security (BU008)

  • Product: Tivoli Components - Java Security (SSWKFH)

  • Platform: Platform Independent (PF025)

  • Version: 600

Document Information

Modified date:
29 April 2022