APAR status
Closed as program error.
Error description
Error Message: When a user tries to use RACF RSA keys, it may get one of the following errors, if the signing algorithm is not RSASSA-PSS: javax.net.ssl.SSLException: No supported CertificateVerify signature algorithm for RSA key java.security.InvalidKeyException: No installed provider supports this key: com.ibm .crypto.hdwrCCA.provider.RSAPrivateHWKey java.security.spec.InvalidParameterSpecException: Inappropriate parameter specification javax.net.ssl.SSLHandshakeException: The Finished message cannot be verified. . Stack Trace: javax.net.ssl.SSLHandshakeException: The Finished message cannot be verified. at java.base/sun.security.ssl.Alert.createSSLException at java.base/sun.security.ssl.Alert.createSSLException at java.base/sun.security.ssl.TransportContext.fatal at java.base/sun.security.ssl.TransportContext.fatal at java.base/sun.security.ssl.TransportContext.fatal at java.base/sun.security.ssl.Finished$FinishedMessage.<init> at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsum eFinished at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume at java.base/sun.security.ssl.SSLHandshake.consume .
Local fix
Users need to use RACF RSA keys with RSASSA-PSS signing algorithms keys or EC keys to be used over TLSv1.3 which are supported.
Problem summary
The RACF RSA keys with RSASSA-PSS signing algorithm are supported for TLSv1.3. But users may encounter a TLS handshake error if they use a RACF keystone containing RSA keys without RSASSA-PSS signing algorithm. In this case, the users may see the following error message: No supported CertificateVerify signature algorithm for RSA key . This issue was introduced in Java 11.0.19 (PTF UI91990 / UI91991) and Java 8.0.8.5 (PTF UI92054 / UI92067), by changes for an earlier fix: APAR PH52876.
Problem conclusion
The support for RACF RSA hardware and software keys is added. So, the user can use different RSA key types with different signing algorithms. . This APAR will be fixed in the following Releases: . IBM Semeru Runtimes 11 11.0.19.1 IBM SDK, Java Technology Edition 8 SR8 FP15 (8.0.8.15) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
Comments
APAR Information
APAR number
PH56022
Reported component name
JAVA Z/OS 64
Reported component ID
620700104
Reported release
B00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-07-26
Closed date
2023-07-26
Last modified date
2023-09-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA Z/OS 64
Fixed component ID
620700104
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
22 September 2023