Download
Abstract
IllegalArgumentException when enabling SP800-131/FIPS140-2 with TLSv1.3 post Java upgrade to SR8FP5 and later.
Download Description
The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH61385 to resolve this APAR.
If this APAR applied to older fix packs that the superseding APAR does not, the download link for those older fixes will be preserved below.
PH59304 resolves the following problem:
ERROR DESCRIPTION:
1/15/24 12:03:38:817 PST] 00000001 JSSEHelper < The following exception occurred in getSSLContext(). Exit
java.lang.IllegalArgumentException: Only TLS1.0/TLS1.1/TLS1.2 protocol can be enabled when SP800_131 transition mode or IBMJSSE2 enabled to run in FIPS mode
at com.ibm.jsse2.bf$l.(bf$l.java:7)
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:340)
at java.security.Provider$Service.getImplClass(Provider.java:1645)
at java.security.Provider$Service.newInstance(Provider.java:1603)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:248)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:176)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:13)
at com.ibm.ws.ssl.config.SSLConfigManager.addTLS13(SSLConfigManager.java:3742)
at com.ibm.ws.ssl.config.SSLConfigManager.checkSSLProtocolInList(SSLConfigManager.java:3767)
at com.ibm.ws.ssl.config.SSLConfigManager.parseSecureSocketLayer1(SSLConfigManager.java:1470)
at com.ibm.ws.ssl.config.SSLConfigManager.parseSSLConfig(SSLConfigManager.java:743)
at com.ibm.ws.ssl.config.SSLConfigManager.initializeServerSSL(SSLConfigManager.java:287)
LOCAL FIX:
Changing the SSL protocol to TLSv1.2 only, between Node creation
and startup, works around the problem.
PROBLEM SUMMARY
USERS AFFECTED:
All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION:
IllegalArgumentException and node agent startup failure when enabling SP800-131/FIPS140-2 with TLSv1.3.
RECOMMENDATION:
None
Encountered an IllegalArgumentException when enabling SP800-131
(both strict and transition modes) or FIPS 140-2 with the TLSv1.3
protocol. This happened after a JDK8 upgrade to SR8FP5 (and
later), and it resulted in node agent startup failure as well.
PROBLEM CONCLUSION:
To prevent IllegalArgumentException and node agent startup
failure caused by using TLSv1.3 protocol with SP800-131 & FIPS
140-2, fixed the code to use only TLSv1.2 if SP800-131 or FIPS
140-2 is enabled.
The fix for this APAR is targeted for inclusion in fix packs
9.0.5.20 and 8.5.5.26. For more information, see Recommended
Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
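A triage check for the signature described above, as an added example (not IBM's code): it scans log text for this APAR's exception message and reports whether the trace passes through `SSLConfigManager.addTLS13`, tolerating lines wrapped mid-identifier as in the trace quoted on this page. The timestamp-delimited entry format and the sample log are assumptions constructed for illustration.

```python
import re

# Signature strings taken from the error description on this page.
MESSAGE = ("Only TLS1.0/TLS1.1/TLS1.2 protocol can be enabled when SP800_131 "
           "transition mode or IBMJSSE2 enabled to run in FIPS mode")
FRAME = "com.ibm.ws.ssl.config.SSLConfigManager.addTLS13"
# Assumption: each log entry begins with a timestamp ending in "]".
ENTRY_START = re.compile(
    r"^\[?\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3} \w+\]", re.M)

def squash(text):
    """Drop all whitespace so identifiers wrapped across lines still match."""
    return re.sub(r"\s+", "", text)

def split_entries(log_text):
    """Split on entry timestamps; continuation lines stay with their entry."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    if not starts:
        return [log_text]
    return [log_text[a:b] for a, b in zip(starts, starts[1:] + [len(log_text)])]

def triage(log_text):
    """Return (timestamp, verdict) for every entry carrying the message."""
    hits = []
    for entry in split_entries(log_text):
        flat = squash(entry)
        if squash(MESSAGE) not in flat:
            continue
        verdict = "PH59304" if FRAME in flat else "same message, other call path"
        stamp = ENTRY_START.match(entry)
        hits.append((stamp.group(0) if stamp else "?", verdict))
    return hits

# Constructed sample log (not captured from a real system).
SAMPLE = """\
[1/15/24 12:03:37:102 PST] 00000001 Example I constructed unrelated entry
[1/15/24 12:03:38:817 PST] 00000001 JSSEHelper < The
following exception occurred in getSSLContext(). Exit
java.lang.IllegalArgumentException: Only TLS1.0/TLS1.1/TLS1.2
protocol can be enabled when SP800_131 transition mode or
IBMJSSE2 enabled to run in FIPS mode
at com.ibm.ws.ssl.config.SSLConfigManager.add
TLS13(SSLConfigManager.java:3742)
[1/15/24 12:04:10:001 PST] 00000002 Example E java.lang.IllegalArgumentException:
Only TLS1.0/TLS1.1/TLS1.2 protocol can be enabled when SP800_131 transition mode or IBMJSSE2 enabled to run in FIPS mode
at example.Caller.connect(Caller.java:1)
"""
```

Calling `triage(SAMPLE)` flags the second entry as PH59304 and the third as the same message reached through a different call path, which this APAR's fix would not be expected to address.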
Prerequisites
None
Problems Solved
PH59304
Change History
May 21: Updated supersede with PH61385
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Business Unit: IBM Software
Product: WebSphere Application Server
Component: General
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Version: 8.5.5.23, 8.5.5.24, 8.5.5.25, 9.0.5.15, 9.0.5.16, 9.0.5.17, 9.0.5.18, 9.0.5.19
Edition: Base
Line of Business: IT Automation & App Modernization
Document Information
Modified date: 21 May 2024
UID: ibm17144866