PK23458; 5.0.2.4: Signed jar verification fails after 05/18/2006 21:59:19 GMT
Downloadable files
Abstract
The IBM® JCE certificate will expire on May 18, 2006 at
21:59:19 GMT. After that date, users will see errors when invoking methods
in IBM's JSSE or JCE.
Download Description
PK23458 resolves the following problem:
ERROR DESCRIPTION:
The single APAR fix PQ85933 places the local_policy.jar and
US_export_policy.jar files under the wrong path, the
<WAS_ROOT>/java/jre/lib/security directory.
The correct path for both jar files is the
<WAS_ROOT>/java/jre/lib/ext directory.
Also, it replaces <WAS_ROOT>/java/jre/lib/ext/ibmpkcs.jar.
LOCAL FIX:
None.
PROBLEM SUMMARY
USERS AFFECTED:
WebSphere® Application Server version 5.0 users.
PROBLEM DESCRIPTION:
The IBM JCE certificate will expire on May 18, 2006 at 21:59:19 GMT. After
that date, users will see errors when invoking methods in IBM's JSSE or
JCE.
Symptom 1:
fd4e164 WSSecurityCom E WSEC0019E: Failed to load KeyLocator
SampleSenderEncryptionKeyLocator. The exception is
java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot
set up certs for trusted CAs
at javax.crypto.f.<clinit>(Unknown Source)
at javax.crypto.m.<clinit>(Unknown Source)
at javax.crypto.b.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.crypto.Cipher.init(Unknown Source)
at com.ibm.crypto.provider.x.a(Unknown Source)
at com.ibm.crypto.provider.JceKeyStore.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(KeyStore.java:278)
at com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator.init(KeyStoreKeyLocator.java:222
Symptom 2:
NodeAgent or Application Server does not start.
The SystemOut.log output looks as follows in that condition:
[6/20/06 13:19:41:305 EDT] 1997059b WsServer E WSVR0003E: Server nodeagent
failed to start
java.lang.NoClassDefFoundError: com/ibm/ws/security/core/ContextManagerFactory
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.getSecurityContextMgr(WsnOptimizedNamingImplBase.java:2235)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.popInvocationCredential(WsnOptimizedNamingImplBase.java:2303)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.resolve_complete_info(WsnOptimizedNamingImplBase.java:1456)
at com.ibm.ws.naming.cosbase.WsnOptimizedNamingImplBase.resolve(WsnOptimizedNamingImplBase.java:470)
.
.
[6/20/06 13:19:41:398 EDT] 1997059b WsServer E WSVR0009E: Error occurred
during startup
RECOMMENDATION:
None
For WebSphere Application Server versions 5.0, 5.0.1, 5.0.2, 5.0.2.1,
5.0.2.2, 5.0.2.3, or 5.0.2.4, the IBM JCE certificate will expire on May
18, 2006 at 21:59:19 GMT. After that date, users will see errors when
using Application Server Security, SSL, J2C security or applications
making calls to IBM's JSSE or JCE directly.
Expected problems if the fix has not been applied:
Any JCE API call will fail with the following errors:
- java.lang.ExceptionInInitializerError
- java.lang.SecurityException: Cannot set up certs for trusted CAs.
The error occurs under any of the following conditions:
- Global Security is enabled
- SSL is enabled for HTTP transport
- The Application Server stores a password for accessing a datasource
- An application uses javax.crypto.* or javax.security.* classes
PROBLEM CONCLUSION:
The signed jar verification routine will now accept signed jars with
legitimate certificates even if the certificate has expired.
This APAR corrects a packaging error in Interim Fix PQ85933. There is no
problem with functionality of the APAR. The JCE expiration is
corrected.
Prerequisites
Please download the UpdateInstaller below to install this fix.
If single APAR fix PQ85933 is already applied, please uninstall it before
applying this APAR fix.
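
The following triage check is an added example, not IBM code or part of the original fix. It reports whether the two policy jars sit in the lib/ext directory or in the lib/security directory where PQ85933 put them, and flags the two symptoms quoted above in SystemOut.log text. The function names, the status strings and the sample directory and log are constructed for illustration.

```python
import os
import re
import tempfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")

# Message fragments copied from the two symptoms quoted on this page.
SYMPTOMS = {
    "symptom1": "SecurityException: Cannot set up certs for trusted CAs",
    "symptom2": "NoClassDefFoundError: com/ibm/ws/security/core/ContextManagerFactory",
}

def check_policy_jars(was_root):
    """Map each policy jar to 'ext' (correct), 'security' (the PQ85933
    packaging error), 'both' or 'missing'."""
    lib = os.path.join(was_root, "java", "jre", "lib")
    report = {}
    for jar in POLICY_JARS:
        in_ext = os.path.isfile(os.path.join(lib, "ext", jar))
        in_sec = os.path.isfile(os.path.join(lib, "security", jar))
        report[jar] = {(True, True): "both", (True, False): "ext",
                       (False, True): "security"}.get((in_ext, in_sec), "missing")
    return report

def scan_systemout(text):
    """Return which of the page's symptoms appear in SystemOut.log text."""
    flat = re.sub(r"\s+", " ", text)  # traces may be wrapped across lines
    return sorted(name for name, needle in SYMPTOMS.items() if needle in flat)

def build_sample_root():
    """Constructed layout: one jar misplaced as PQ85933 left it, one correct."""
    root = tempfile.mkdtemp(prefix="was_root_")
    for sub, jar in (("security", "local_policy.jar"), ("ext", "US_export_policy.jar")):
        folder = os.path.join(root, "java", "jre", "lib", sub)
        os.makedirs(folder, exist_ok=True)
        open(os.path.join(folder, jar), "wb").close()
    return root

# Constructed log text, assembled from the lines quoted in Symptom 1 and 2.
SAMPLE_LOG = """fd4e164 WSSecurityCom E WSEC0019E: Failed to load KeyLocator
java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot
set up certs for trusted CAs
[6/20/06 13:19:41:305 EDT] 1997059b WsServer E WSVR0003E: Server nodeagent
failed to start
java.lang.NoClassDefFoundError:
com/ibm/ws/security/core/ContextManagerFactory
"""

if __name__ == "__main__":
    print(check_policy_jars(build_sample_root()))
    print(scan_systemout(SAMPLE_LOG))
```

A jar reported as 'security' or 'both' indicates that PQ85933 is still in place and should be uninstalled before this fix is applied.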