Abstract
Chained certificate creation fails with "Signer SKI format must match signed AKI format" error
Download Description
PH42162 resolves the following problem:
ERROR DESCRIPTION:
WebSphere fails to create a chained certificate.
The issue occurs after Java 8.0.6.35 is applied, if WebSphere is using a root certificate that has a standard-length SKI. The following error message is printed in the log:
[11/5/21 9:20:10:033 CET] 0000017a CreateCMSKeyS 3 Exception creating CMS keystore.
com.ibm.security.certclient.base.PkRejectionException: 3008-737
A certificate attribute was not recognised. (wraps:com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format):
com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format
at com.ibm.security.certclient.util.PkNewCertFactory.computeAuthorityKID(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.access$000(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.generatenewCertificate(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl. (UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.newCert(UnknownSource)
Servers that use the WebSphere default root certificate are not affected by this issue. Servers whose root certificate comes from a third party (a CA certificate, or one created by iKeyman, keytool, openssl, etc.) might be affected.
PROBLEM SUMMARY:
USERS AFFECTED:
All users of IBM WebSphere Application Server who replaced the server root certificate that contains a standard SKI.
The root certificate's SubjectKeyIdentifier can be checked with the keytool list command.
The following output shows a longer SKI.
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6 ................
0010: 3c 87 27 7b ....
]
]
The following output shows a shorter SKI.
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
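To check every entry of a keystore at once, the following added example (not IBM's code) parses the text of a verbose keytool listing (`keytool -list -v`) and reports the SKI length for each alias, skipping the KeyIdentifier block that belongs to AuthorityKeyIdentifier. The aliases and the listing are constructed around the two SKI values shown above; treating the 20-byte form as the "standard" SKI is an assumption.

```python
import re

# Hex-dump row: offset, then up to 16 byte pairs; the ASCII column after them is ignored.
HEX_ROW = re.compile(r"^[0-9a-f]{4}:\s+((?:[0-9a-f]{2} {1,3}){0,15}[0-9a-f]{2})(?:\s|$)", re.I)

def subject_key_ids(listing):
    """Map alias -> SubjectKeyIdentifier bytes from a verbose keytool listing."""
    skis, alias, in_ski = {}, None, False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias, in_ski = line.split(":", 1)[1].strip(), False
        elif re.match(r"#\d+: ObjectId:", line):
            in_ski = False  # next extension; AKI also has a KeyIdentifier block
        elif line.startswith("SubjectKeyIdentifier"):
            in_ski, skis[alias] = True, b""
        elif in_ski and (row := HEX_ROW.match(line)):
            skis[alias] += bytes.fromhex(row.group(1).replace(" ", ""))
    return skis

def ski_report(listing):
    # Assumption: "standard" SKI means the 20-byte form shown above as "longer".
    kinds = {20: "standard-length", 8: "short"}
    return {a: (len(s), kinds.get(len(s), "other")) for a, s in subject_key_ids(listing).items()}

# Constructed listing: hypothetical aliases, SKI bytes taken from the two outputs above.
SAMPLE = """\
Alias name: thirdpartyroot
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2  98 5d fe ba b5 cd 9a f6  ................
0010: 3c 87 27 7b                                        ....
]
]
Alias name: defaultroot
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d                            B.M.U..}
]
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d                            B.M.U..}
]
]
"""
print(ski_report(SAMPLE))
```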
- 8 SR6 FP35 (8.0.6.35)
- 7 SR10 FP90 (7.0.10.90)
- 7 R1 SR4 FP90 (7.1.4.90)
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.13.
Prerequisites
Although the fix for APAR PH42162 functionally requires the Java fix for APAR 8.0.7.6+IJ39703+IJ39631, the Installation Manager will not prevent the installation of PH42162 if 8.0.7.6+IJ39703+IJ39631 is not present.
Installation Instructions
Review the readme.txt for detailed installation instructions.
| URL | SIZE (Bytes) |
|---|---|
| V85 readme file | 7408 |
Download Package
Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
| DOWNLOAD | RELEASE DATE | SIZE (BYTES) | URL |
|---|---|---|---|
| 8.5.5.20-WS-WAS-IFPH42162 | 17 May 2022 | 346898 | FC |
| 8.5.5.21-WS-WAS-IFPH42162 | 17 May 2022 | 346853 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH42162
Technical Support
Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
Modified date:
17 May 2022
UID
ibm16587124