Abstract
The issue described in "IBM® Java™ Cryptography Extension (JCE)
Expires on 18 May 2006 at 21:59:19 GMT", which mainly affects the
WebSphere® Distributed community, may also affect WebSphere Application
Server for z/OS customers.

Content
If you read this technote/flash prior to May 25th, 2006, please read it
again.
A prior version of this flash indicated that ONLY IBM SDK for z/OS release
1.3.1 might be affected by this JCE certificate expiration problem.
Please note there is new information: the IBM SDK for z/OS 1.4.2
release may be affected as well, depending on the SR level used AND whether or
not the IBMJCE4758 Hardware Crypto provider is used. The IBMJCE4758
Hardware Crypto provider is relevant to WebSphere Application Server for
z/OS customers only.
Please first read the following flash from the IBM SDK for z/OS support
team for specific details about IBM SDK for z/OS releases affected and
where to obtain fixes:
http://www.ibm.com/support/docview.wss?uid=isg3T1010263
This link will be referred to as the "SDK flash" for the remainder of this
technote.
The IBMJCE4758 Hardware Crypto provider certificate expiration errors
affect the following IBM SDK for z/OS releases used by the WebSphere
Application Server for z/OS:
- IBM Developer Kit for OS/390, Java 2 Technology Edition,
5655-D35 (SDK1.3.1)
- IBM SDK for z/OS, Java 2 Technology Edition, Version 1.4,
5655-I56 (SDK1.4.2)
Please refer to the SDK flash above for other affected IBM SDK for z/OS
releases.
For the remainder of this technote, these products will be referred to as
SDK131 and SDK142.
If you are not using the IBMJCE4758 Hardware Crypto provider at all, and
are using WebSphere Application Server for z/OS 4.0.1 or 5.0.2, please
skip to #1 below to make sure you have an adequate SDK 1.3.1 SR level so
you don't experience a failure with another kind of JCE certificate
expiration for ibmjcefw.jar.
WebSphere Application Server for z/OS 4.0.1 (R401) and 5.02 (R500) use
SDK131.
WebSphere Application Server for z/OS 5.1.0 (R510) and 6.0.2 (R601) use
SDK142.
For WebSphere Application Server for z/OS 6.0.2 (R601), SDK142 is embedded
and the WebSphere runtime configuration uses the embedded SDK by default.
Per the table in http://www.ibm.com/support/docview.wss?rs=404&context=SS7K4U&uid=swg27006054
WebSphere Application Server for z/OS 6.0.2 fix packs use the following
SDK142 SR levels:
- 6.0.2 up to and including 6.0.2.4 use SDK142 SR2
- 6.0.2.5 up to and including 6.0.2.8 use SDK142 SR3
- 6.0.2.9 up to and including 6.0.2.12 use SDK142 SR4
- 6.0.2.13 up to and including 6.0.2.16 use SDK142 SR5
- 6.0.2.17 and above (at the time of this technote update) use SDK142 SR6,
which contains the fix for SDK142 PK25498 (contained in PK25316).
Given that SDK142 SR4 (and SR5) contain JCE jars signed with a certificate
that will not expire until April 26, 2008, WebSphere for z/OS 6.0.2.9 and
above are not exposed to this problem until April 26, 2008, even if the
IBMJCE4758 Hardware Crypto provider is used. WebSphere Application Server
for z/OS v6 will ship SDK142 PK25498 in the embedded SDK included within
WebSphere Application Server for z/OS v6 as of 6.0.2.17.
As noted in the SDK flash above, WebSphere Application Server for z/OS
customers will not experience this IBMJCE4758 Hardware Crypto provider
certificate expiration problem as long as both of the following are true:
- com.ibm.crypto.hdwrCCA.provider.IBMJCE4758 is not included
in the java.security provider list (SDK 1.3.1 and SDK 1.4.2). In WebSphere
Application Server for z/OS the java.security provider file can be found
in the WebSphere Application Server for z/OS config hfs.
- com.ibm.crypto.hdwrCCA.provider.IBMJCE4758 is not
referenced explicitly by application code.
For the remainder of this technote, doing either of these (listing the
provider in java.security or referencing it from application code) will be
referred to as using the "IBMJCE4758 Hardware Crypto provider".
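The first of the two conditions above can be checked mechanically against the java.security file in the config hfs. The following is an added example, not part of this technote or of the IBM SDK; the java.security excerpt it parses is constructed, and the IBMJSSEProvider entry is included only to show unrelated providers being passed over.

```python
import re
from typing import Dict

# Constructed excerpt of a java.security provider list (not copied from any
# real installation); entry 2 registers the IBMJCE4758 Hardware Crypto provider.
SAMPLE_JAVA_SECURITY = """\
# constructed sample java.security provider section
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.crypto.hdwrCCA.provider.IBMJCE4758
security.provider.3=com.ibm.jsse.IBMJSSEProvider
#security.provider.4=com.ibm.security.cert.IBMCertPath
"""

HW_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCE4758"

# java.util.Properties accepts '=' or ':' between key and value.
_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)\s*$")


def parse_providers(text: str) -> Dict[int, str]:
    """Return {position: provider class} for the active security.provider.N
    entries. Lines beginning with '#' or '!' are Properties comments and are
    skipped, so a commented-out provider is correctly treated as absent."""
    providers: Dict[int, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = _PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def hw_provider_position(text: str) -> int:
    """Position of IBMJCE4758 in the provider list, or 0 if it is not registered."""
    for pos, cls in parse_providers(text).items():
        if cls == HW_PROVIDER:
            return pos
    return 0


def exposure_report(text: str) -> str:
    """Summarise which of the two problems in this technote applies. A result of
    'not registered' does not rule out application code naming the provider
    explicitly, which is the second condition and needs a code review."""
    pos = hw_provider_position(text)
    if pos:
        return (f"IBMJCE4758 registered as security.provider.{pos}: "
                "problem #2 (ibmjce4758.jar) applies, obtain the SDK flash fix")
    return ("IBMJCE4758 not registered in java.security: only problem #1 "
            "(ibmjcefw.jar) applies, confirm the SDK SR level")
```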
To install the fix from the SDK flash above into WebSphere Application
Server for z/OS release:
- 4.0.1, 5.02 or 5.1.0: follow the steps in the SDK flash
"How to install the Temporary Fix".
- 6.0.2, NOT using the embedded SDK that WebSphere
Application Server for z/OS ships: follow the steps in the SDK flash "How
to install the Temporary Fix".
- 6.0.2, using the embedded SDK that WebSphere
Application Server for z/OS ships, for fix packs from 6.0.2 up to and
including 6.0.2.8: follow the steps in the SDK flash "How to install the
Temporary Fix". WAS_HOME/java will be a symbolic link from the config hfs
to the SMP/E install hfs directory. For example:
/usr/lpp/zWebSphere/V6R0/java/J1.4/lib/ext/ibmjce4758.jar
Or install 6.0.2.17 (PTFs UK20459, UK20460, UK20461), which embeds SDK142
SR6, which contains the fix for SDK142 PK25498 (contained in PK25316).
Fix pack 6.0.2.9 embeds SDK142 SR4, which is not immediately affected.
There are two problems pertaining to the signing of IBM JCE jar files and JCE
certificate expirations. #2 is a recently discovered problem unique to the
z/OS platform.
#1
WebSphere Application Server for z/OS environments using WebSphere Global
Security, J2C security, IBM JSSE, or IBM JCE may encounter failures
after May 18 21:59 GMT 2006 upon restarting the WebSphere Application
Server for z/OS server.
The JCE certificate expiration related to the signing of ibmjcefw.jar is
addressed by PQ84770 in SDK131 SR23 (PTF UQ88094; build level 20040406a),
available since April 2004. This fix for the signing of ibmjcefw.jar
is included in the SDK142 initial release.
If the SDK131 SR level is lower than SR23, the following failure will be
seen; the fix in SDK131 SR23 or higher needs to be applied.
Exception occurred during event dispatching:
java.lang.ExceptionInInitializerError:
java.lang.SecurityException:
Cannot set up certs for trusted CAs
at javax.crypto.f.<clinit>
at javax.crypto.KeyGenerator.getInstance
- If the IBMJCE4758 Hardware Crypto provider is being used
with any release of WebSphere Application Server for z/OS, see #2
below.
- If the IBMJCE4758 Hardware Crypto provider is NOT being
used, there will be no failures for:
  - WebSphere Application Server for z/OS 4.0.1 or 5.02 with SDK131 SR23 or
above
  - WebSphere Application Server for z/OS 5.1.0 with SDK142 at any SR level
  - WebSphere Application Server for z/OS 6.0.2 at any fix pack and with any
SDK142 SR level.
#2
WebSphere z/OS environments using the IBMJCE4758 Hardware Crypto provider will
encounter failures after May 18 21:59 GMT 2006 upon restarting the
WebSphere z/OS server.
- This failure is due to the JCE certificate expiration
related to the signing of ibmjce4758.jar, as indicated by the SDK flash
at the top of this technote. APAR PK25287 for SDK131 and APAR PK25498 for
SDK142 have been created to address the error. Please refer to the SDK
flash at the top of this technote for additional details.
- This failure surfaces as the following exception upon
restart of the WebSphere z/OS server and is due to the expiration of the
JCE certificate.
Exception java.lang.SecurityException: The IBMJCE4758 provider may have
been tampered. caught making new RSAPrivateHWKeySpec
By default, the WebSphere Application Server for z/OS runtime uses JCE
jars shipped by the IBM SDK for z/OS.
Related to #1 above, WebSphere Application Server for z/OS 5.02 also ships
ibmjcefw.jar in the WebSphere Application Server for z/OS 5.02 runtime
hfs. 5.02 is the only WebSphere Application Server for z/OS release that
shipped ibmjcefw.jar in the runtime hfs. No WebSphere Application Server
for z/OS release ever shipped ibmjce4758.jar. The ibmjcefw.jar in the
WebSphere Application Server for z/OS 5.02 runtime hfs is not used by the
WebSphere Application Server for z/OS runtime; the runtime uses the JCE
jars shipped with the IBM SDK for z/OS 1.3.1 product.
In the unlikely event that customers pulled the ibmjcefw.jar JCE jar out of
the WebSphere Application Server for z/OS 5.02 runtime hfs rather than using
the ibmjcefw.jar shipped by SDK131, WebSphere Application Server for
z/OS 5.02 apar PK10964 was taken to ship the corrected ibmjcefw.jar.
PK10964 shipped in WebSphere Application Server for z/OS service level
W502034 (PTF UK07674).
If the IBMJCE4758 Hardware Crypto provider is being used, there will still be
a failure per #2 above, and the temporary fix must be obtained per the
instructions in the SDK flash above.
For any iFixes pertaining to problems #1 or #2 above, refer to the SDK
flash at the beginning of the technote.
The corresponding WebSphere Distributed flash (for #1 above) is:
http://www.ibm.com/support/docview.wss?uid=swg21236118