Abstract
Chained certificate creation fails with "Signer SKI format must match signed AKI format" error
Download Description
PH42162 resolves the following problem:
ERROR DESCRIPTION:
WebSphere fails to create a chained certificate.
The issue occurs after Java 8.0.6.35 is applied, when WebSphere is using a root certificate that has a standard-length SKI. The following error message is printed in the log:
[11/5/21 9:20:10:033 CET] 0000017a CreateCMSKeyS 3 Exception creating CMS keystore.
com.ibm.security.certclient.base.PkRejectionException: 3008-737
A certificate attribute was not recognised. (wraps:com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format):
com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format
at com.ibm.security.certclient.util.PkNewCertFactory.computeAuthorityKID(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.access$000(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.generatenewCertificate(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl. (UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.newCert(UnknownSource)
Servers that use the WebSphere default root certificate are not affected by this issue. Servers that have a third-party root certificate (a CA certificate, or one created by iKeyman, keytool, openssl, etc.) might be affected.
PROBLEM SUMMARY:
USERS AFFECTED:
All users of IBM WebSphere Application Server who replaced the server root certificate that contains a standard SKI.
The root certificate's SubjectKeyIdentifier can be checked with the keytool list command.
The following output shows the longer SKI:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6 ................
0010: 3c 87 27 7b ....
]
]
The following output shows the shorter SKI:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
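To check every entry in a keystore at once, the following added example (not part of the IBM document) reads `keytool -list -v` style output and reports the byte length of each SubjectKeyIdentifier. It assumes the 20-byte form shown above is the standard-length SKI and the 8-byte form is the short one; the aliases `root-a` and `root-b` and the sample input are constructed.

```shell
# Added example: print "<alias> <SKI byte count> <class>" per certificate.
ski_lengths() {
  awk '
    /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias); next }
    # Only a KeyIdentifier nested in SubjectKeyIdentifier counts; the
    # AuthorityKeyIdentifier extension uses the same inner block name.
    /^[ \t]*SubjectKeyIdentifier \[/ { in_ski = 1; n = 0; next }
    in_ski && /^[ \t]*KeyIdentifier \[/ { in_kid = 1; next }
    in_kid && /^[ \t]*\]/ {
      if (n == 20) cls = "standard"      # assumption: 20 bytes = standard
      else if (n == 8) cls = "short"     # assumption: 8 bytes = short form
      else cls = "other"
      print alias, n, cls
      in_ski = 0; in_kid = 0; next
    }
    in_kid && $1 ~ /^[0-9A-Fa-f]+:$/ {
      # Hex dump row: offset, up to 16 byte fields, then an ASCII column.
      for (i = 2; i <= NF && i <= 17; i++) {
        if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
        n++
      }
    }
  '
}

# Constructed sample input; the SKI bytes are the two values shown above.
sample_keytool_output() {
  cat <<'EOF'
Alias name: root-a
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2  98 5d fe ba b5 cd 9a f6  ................
0010: 3c 87 27 7b                                        ....
]
]
Alias name: root-b
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
EOF
}
sample_keytool_output | ski_lengths
```

Against a real keystore, pipe the verbose keytool listing into `ski_lengths` instead of the sample function; entries reported as `standard` match the condition described under USERS AFFECTED.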
- 8 SR6 FP35 (8.0.6.35)
- 7 SR10 FP90 (7.0.10.90)
- 7 R1 SR4 FP90 (7.1.4.90)
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.13.
Prerequisites
Although the fix for APAR PH42162 functionally requires the Java fix for APAR 8.0.7.6+IJ39703+IJ39631, the Installation Manager will not prevent the installation of PH42162 if 8.0.7.6+IJ39703+IJ39631 is not present.
Installation Instructions
Review the readme.txt for detailed installation instructions.
URL | SIZE (Bytes) |
---|---|
V85 readme file | 7408 |
Download Package
Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
DOWNLOAD | RELEASE DATE | SIZE (BYTES) | URL |
---|---|---|---|
8.5.5.20-WS-WAS-IFPH42162 | 17 May 2022 | 346898 | FC |
8.5.5.21-WS-WAS-IFPH42162 | 17 May 2022 | 346853 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH42162
Technical Support
Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
Modified date:
17 May 2022
UID
ibm16587124