APAR status
Closed as program error.
Error description
Error Message: keytool error (likely untranslated): java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter . Stack Trace: N/A . A DNS name that does not begin with an alphabetic character causes an IOException. For example, KeyTool -keystore keystore -gencert -alias badDNSName -infile nothingSpecial.csr -outfile output.cer -ext san=dns:142test
Local fix
Begin all DNSNames with an alphabetic character. List all DNSNames in a comma separated list instead of using the wildcard.
Problem summary
KeyTool commands which generate X509Certificate fields with a DNSName (via the -ext san=dns:"dns name" option) will not accept a DNSName value beginning with a digit or a wildcard (via the -ext san=dns:*.text.com option).
Problem conclusion
The code was modified to reflect the relaxed DNSName specifications in section 2.1 of RFC 1123. A wildcard is now accepted as the first character in a DNSName for a Subject Alternative Name extension (SAN). A fix is made to relax the DNSName value constraints for the KeyTool Subject Alternative Name Extension (SAN) The associated Hursley RTC Problem Report is 149279 The associated Austin git defects are: PKCS#158 IBMJCE#207 The associated Austin APAR is IJ46769 JVM affected: Java 8 The fix was delivered for Java 8 SR8 FP10 The affected jars are "ibmpkcs.jar" and "ibmjceprovider.jar" The build level of this jar for the affected release ibmpkcs.jar Build-Level: 20230516-15 ibmjceprovider.jar build_20230517-14 . This APAR will be fixed in the following Releases: . IBM SDK, Java Technology Edition 8 SR8 FP10 (8.0.8.10) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
Comments
APAR Information
APAR number
IJ46959
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-05-24
Closed date
2023-05-24
Last modified date
2023-05-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
25 May 2023