Installation: "IBM Java Cryptography Extension (JCE) Expires on 18 May 2006 at 21:59:19 GMT. " may affect WebSphere Application Server for z/OS
 Flash (Alert)
 
Abstract
The issue "IBM® Java™ Cryptography Extension (JCE) Expires on 18 May 2006 at 21:59:19 GMT", which affects much of the WebSphere® Distributed community, may also affect WebSphere Application Server for z/OS customers.
 
Content
If you read this technote/flash prior to May 25th, 2006, please read this again.

A prior version of this flash indicated that ONLY IBM SDK for z/OS release 1.3.1 might be affected by this JCE certificate expiration problem. New information shows that the IBM SDK for z/OS 1.4.2 release may be affected as well, depending on the SR level used AND whether the IBMJCE4758 Hardware Crypto provider is used. The IBMJCE4758 Hardware Crypto provider is relevant to WebSphere Application Server for z/OS customers only.

Please first read the following flash from the IBM SDK for z/OS support team for specific details about IBM SDK for z/OS releases affected and where to obtain fixes:
http://www.ibm.com/support/docview.wss?uid=isg3T1010263
This link will be referred to as the "SDK flash" for the remainder of this technote.

The IBMJCE4758 Hardware Crypto provider certificate expiration errors affect the following IBM SDK for z/OS releases used by the WebSphere Application Server for z/OS:
  • IBM Developer Kit for OS/390 , Java 2 Technology Edition, 5655-D35, (SDK1.3.1)
  • IBM SDK for z/OS, Java 2 Technology Edition, Version 1.4, 5655-I56 (SDK1.4.2)
Please refer to the SDK flash above for other affected IBM SDK for z/OS releases.
For the remainder of this technote, these products will be referred to as SDK131 and SDK142.

If you are not using the IBMJCE4758 Hardware Crypto provider at all and are running WebSphere Application Server for z/OS 4.0.1 or 5.02, skip to #1 below to make sure your SDK 1.3.1 SR level is high enough that you do not hit the separate JCE certificate expiration for ibmjcefw.jar.

WebSphere Application Server for z/OS 4.0.1 (R401) and 5.02 (R500) use SDK131.
WebSphere Application Server for z/OS 5.1.0 (R510) and 6.0.2 (R601) use SDK142.

For WebSphere Application Server for z/OS 6.0.2 (R601), SDK142 is embedded and the WebSphere runtime configuration uses the embedded SDK by default. Per the table in http://www.ibm.com/support/docview.wss?rs=404&context=SS7K4U&uid=swg27006054, WebSphere Application Server for z/OS 6.0.2 fix packs use the following SDK142 SR levels:
6.0.2 up to and including 6.0.2.4 use SDK142 SR2
6.0.2.5 up to and including 6.0.2.8 use SDK142 SR3
6.0.2.9 up to and including 6.0.2.12 use SDK142 SR4
6.0.2.13 up to and including 6.0.2.16 use SDK142 SR5
6.0.2.17 and above (at the time of this technote update) use SDK142 SR6, which contains the fix for SDK142 PK25498 (contained in PK25316).

Because the JCE jars in SDK142 SR4 (and SR5) are signed with a certificate that does not expire until April 26, 2008, WebSphere for z/OS 6.0.2.9 and above are not exposed to this problem until April 26, 2008, even if the IBMJCE4758 Hardware Crypto provider is used. WebSphere Application Server for z/OS v6 ships SDK142 PK25498 in the embedded SDK starting with 6.0.2.17.

As noted in the SDK flash above, WebSphere Application Server for z/OS customers will not experience the IBMJCE4758 Hardware Crypto provider certificate expiration problem as long as both of the following are true:
  • com.ibm.crypto.hdwrCCA.provider.IBMJCE4758 is not included in the java.security provider list (SDK 1.3.1 and SDK 1.4.2). In WebSphere Application Server for z/OS the java.security provider file can be found in the WebSphere Application Server for z/OS config hfs.
  • com.ibm.crypto.hdwrCCA.provider.IBMJCE4758 is not referenced explicitly by application code.
For the remainder of this technote, doing either of these things (listing the provider in java.security or referencing it from application code) is referred to as using the "IBMJCE4758 Hardware Crypto provider".
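The two conditions above, together with the fix pack to SR table for 6.0.2, are what decide whether a given server is exposed. The following script is an added example (not IBM code and not part of this technote) that checks them: it parses the java.security provider list, scans application jars for classes that reference IBMJCE4758 (a class that adds the provider carries its internal name com/ibm/crypto/hdwrCCA/provider/IBMJCE4758 in its constant pool; one that passes "IBMJCE4758" to getInstance carries the short name, so a byte search for that literal catches either), and maps a 6.0.2.x fix pack to the embedded SDK142 SR level using the table given in this technote. It assumes the server runs on the embedded SDK (the 6.0.2 default); the function names, the outcome constants, the java.security fragments and the jar contents are all constructed for illustration, and the "class" entries are bytes that mimic a constant-pool reference, not real class files.

```python
"""Exposure check for the IBMJCE4758 signer-certificate expiration on WAS for z/OS 6.0.2.

Added example (not IBM code). The java.security texts and the "class" bytes
are constructed; the fix pack -> SR table is the one given in this technote.
Assumes the server runs on the embedded SDK142 (the 6.0.2 default).
"""
import io
import re
import zipfile

HW_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCE4758"
# Present in class bytes both for Security.addProvider(new IBMJCE4758()) (internal
# name with slashes) and for getInstance(alg, "IBMJCE4758") (short provider name).
HW_MARKER = b"IBMJCE4758"

NOT_EXPOSED = "NOT_EXPOSED"
EXPOSED_2006 = "EXPOSED_2006_05_18"   # SDK142 SR2/SR3 signer expired 18 May 2006
EXPOSED_2008 = "EXPOSED_2008_04_26"   # SDK142 SR4/SR5 signer expires 26 Apr 2008

_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def parse_providers(java_security_text):
    """Return [(slot, class)] from security.provider.N= lines, ordered by slot.
    Comment lines (#) are skipped."""
    found = []
    for line in java_security_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return sorted(found)


def provider_configured(java_security_text):
    """True if IBMJCE4758 is in the java.security provider list."""
    return any(cls == HW_PROVIDER for _, cls in parse_providers(java_security_text))


def classes_referencing_hw_provider(jar_bytes):
    """Names of .class entries in a jar whose bytes contain the IBMJCE4758 marker."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and HW_MARKER in zf.read(name):
                hits.append(name)
    return hits


def sdk142_sr_for_was602(fixpack):
    """SDK142 SR level embedded in a WAS for z/OS 6.0.2.x fix pack (technote table)."""
    parts = [int(p) for p in fixpack.split(".")]
    if parts[:3] != [6, 0, 2]:
        raise ValueError("not a 6.0.2.x fix pack: %s" % fixpack)
    n = parts[3] if len(parts) > 3 else 0
    if n <= 4:
        return 2
    if n <= 8:
        return 3
    if n <= 12:
        return 4
    if n <= 16:
        return 5
    return 6   # 6.0.2.17 and above at the time of the technote


def assess(fixpack, java_security_text, app_jars):
    """Classify a 6.0.2 server: not exposed, exposed since 2006, or exposed in 2008."""
    uses_hw = provider_configured(java_security_text) or any(
        classes_referencing_hw_provider(j) for j in app_jars)
    if not uses_hw:
        return NOT_EXPOSED       # problem #1 is fixed in every SDK142 release
    sr = sdk142_sr_for_was602(fixpack)
    if sr >= 6:
        return NOT_EXPOSED       # SR6 carries the PK25498 fix
    if sr >= 4:
        return EXPOSED_2008      # SR4/SR5 signer certificate still valid
    return EXPOSED_2006          # SR2/SR3: temporary fix from the SDK flash or 6.0.2.17


def make_sample_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed java.security fragments: hardware provider in slot 2, and without it.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (constructed sample)
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.crypto.hdwrCCA.provider.IBMJCE4758
"""
CLEAN_JAVA_SECURITY = "security.provider.1=com.ibm.crypto.provider.IBMJCE\n"

# Constructed jar: the bytes mimic a constant-pool reference, not a real class file.
SAMPLE_APP_JAR = make_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/HwKeys.class": b"\xca\xfe\xba\xbe" + b"com/ibm/crypto/hdwrCCA/provider/IBMJCE4758",
    "com/example/Util.class": b"\xca\xfe\xba\xbe" + b"java/lang/Object",
})
```

On a real system, feed assess() the java.security from the config hfs and the application jars deployed to the server; a hit in either input means the IBMJCE4758 Hardware Crypto provider is in use for the purposes of this technote, and the fix pack level then decides which expiry date applies.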

To install the fix from the SDK flash above into WebSphere Application Server for z/OS release
  • 4.0.1, 5.02 or 5.1.0, follow the steps in the SDK flash "How to install the Temporary Fix".
  • 6.0.2, and NOT using the embedded SDK that WebSphere Application Server for z/OS ships, follow the steps in the SDK flash "How to install the Temporary Fix".
  • 6.0.2, and using the embedded SDK that WebSphere Application Server for z/OS ships, for fix packs from 6.0.2 up to and including 6.0.2.8, follow the steps in the SDK flash "How to install the Temporary Fix". WAS_HOME/java is a symbolic link from the config hfs to the SMP/E install hfs directory, so the jar to replace lives in the install hfs. For example:
    /usr/lpp/zWebSphere/V6R0/java/J1.4/lib/ext/ibmjce4758.jar
    Alternatively, install 6.0.2.17 (PTFs UK20459, UK20460, UK20461), which embeds SDK142 SR6 and contains the fix for SDK142 PK25498 (contained in PK25316).
    Fix pack 6.0.2.9 and above embed SDK142 SR4 or later, which is not immediately affected (see the SR table above).


There are two problems pertaining to the signing of IBM JCE jar files and JCE certificate expiration. #2 is unique to the z/OS platform and was recently discovered.

#1
WebSphere Application Server for z/OS environments using WebSphere Global Security, J2C security, IBM JSSE, or IBM JCE may encounter failures after May 18 21:59 GMT 2006 upon restarting the WebSphere Application Server for z/OS server.
The JCE certificate expiration related to the signing of ibmjcefw.jar is addressed by PQ84770 in SDK131 SR23 (PTF UQ88094; build level 20040406a), available since April 2004. This fix for the signing of ibmjcefw.jar is included in the initial SDK142 release.
If the SDK131 SR level is lower than SR23, the following failure is seen; SDK131 SR23 or higher must be applied:
Exception occurred during event dispatching:
java.lang.ExceptionInInitializerError:
java.lang.SecurityException:
Cannot set up certs for trusted CAs
at javax.crypto.f.<clinit>
at javax.crypto.KeyGenerator.getInstance
  • If the IBMJCE4758 Hardware Crypto provider is being used with any release of WebSphere Application Server for z/OS, see #2 below.
  • If the IBMJCE4758 Hardware Crypto provider is NOT being used, there will be no failures for
    WebSphere Application Server for z/OS 4.0.1 or 5.02 with SDK131 SR23 or above
    WebSphere Application Server for z/OS 5.1.0 with SDK142 any SR level
    WebSphere Application Server for z/OS 6.0.2 any fix pack and/or with any SDK142 SR level.

#2
WebSphere z/OS environments using the IBMJCE4758 Hardware Crypto provider will encounter failures after May 18 21:59 GMT 2006 upon restarting the WebSphere z/OS server.
  • This failure is due to the expiration of the JCE certificate used to sign ibmjce4758.jar, as indicated by the SDK flash at the top of this technote. APAR PK25287 for SDK131 and APAR PK25498 for SDK142 have been created to address the error. Refer to the SDK flash at the top of this technote for additional details.
  • The failure surfaces as the following exception upon restart of the WebSphere z/OS server:
    Exception java.lang.SecurityException: The IBMJCE4758 provider may have
    been tampered. caught making new RSAPrivateHWKeySpec
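Problems #1 and #2 each have a distinct exception text, quoted above, and the #2 message wraps across two log lines, so a triage script has to fold continuation lines before matching. The following is an added example (not IBM code and not part of this technote) that does that over a constructed log excerpt: the two exception texts inside it are the ones quoted in this technote, the third event is an unrelated SecurityException included to show it is not misclassified, and the timestamp prefix convention, function names and labels are assumptions made for this example.

```python
"""Triage of WAS for z/OS restart failures against the two JCE signer-certificate
expirations described in this technote (problems #1 and #2).

Added example (not IBM code). The log excerpt is constructed; only the two
exception texts are taken from the technote.
"""
import re

# (label, pattern): the label names the problem and the SDK fix the technote gives for it.
SIGNATURES = (
    ("#1 ibmjcefw.jar signer expired - SDK131 needs SR23 or higher (PQ84770)",
     re.compile(r"Cannot set up certs for trusted CAs")),
    ("#2 ibmjce4758.jar signer expired - PK25287 (SDK131) / PK25498 (SDK142)",
     re.compile(r"IBMJCE4758 provider may have\s+been tampered")),
)
UNCLASSIFIED = "unclassified"

# Constructed convention: an event starts at a line with a yyyy/mm/dd hh:mm:ss
# prefix; stack frames and wrapped exception text follow without one.
_EVENT_START = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def split_events(log_text):
    """Return [(timestamp, message)] with continuation lines folded into message."""
    events = []
    for raw in log_text.splitlines():
        m = _EVENT_START.match(raw)
        if m:
            events.append([m.group(1), m.group(2)])
        elif events and raw.strip():
            events[-1][1] += " " + raw.strip()   # fold stack frame / wrapped text
    return [tuple(e) for e in events]


def classify(message):
    """Label of the first matching signature, or None if no signature matches."""
    for label, pattern in SIGNATURES:
        if pattern.search(message):
            return label
    return None


def triage(log_text):
    """[(timestamp, label)] for every event in the log."""
    return [(ts, classify(msg) or UNCLASSIFIED) for ts, msg in split_events(log_text)]


# Constructed log: problem #1 trace, problem #2 trace (wrapped), unrelated exception.
SAMPLE_LOG = """\
2006/05/19 06:02:11 Exception occurred during event dispatching:
  java.lang.ExceptionInInitializerError:
  java.lang.SecurityException:
  Cannot set up certs for trusted CAs
    at javax.crypto.f.<clinit>
    at javax.crypto.KeyGenerator.getInstance
2006/05/19 06:02:12 Exception java.lang.SecurityException: The IBMJCE4758 provider may have
  been tampered. caught making new RSAPrivateHWKeySpec
2006/05/19 06:02:13 java.lang.SecurityException: access denied (java.io.FilePermission /etc/passwd read)
    at java.security.AccessControlContext.checkPermission
"""
```

Real server output will carry a different line prefix; adjust _EVENT_START to it, but keep the folding step, since the "may have / been tampered" text only matches once the wrapped line is rejoined.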


By default, the WebSphere Application Server for z/OS runtime uses JCE jars shipped by the IBM SDK for z/OS.

Related to #1 above, WebSphere Application Server for z/OS 5.02 also ships ibmjcefw.jar in its runtime hfs. 5.02 is the only WebSphere Application Server for z/OS release that shipped ibmjcefw.jar in the runtime hfs, and no WebSphere Application Server for z/OS release ever shipped ibmjce4758.jar. The ibmjcefw.jar in the 5.02 runtime hfs is not used by the WebSphere Application Server for z/OS runtime, which uses the JCE jars shipped with the IBM SDK for z/OS 1.3.1 product.

In the unlikely event that customers pulled the ibmjcefw.jar out of the WebSphere Application Server for z/OS 5.02 runtime hfs rather than using the ibmjcefw.jar shipped by SDK131, WebSphere Application Server for z/OS 5.02 APAR PK10964 was taken to ship the corrected ibmjcefw.jar. PK10964 shipped in WebSphere Application Server for z/OS service level W502034 (PTF UK07674).

If the IBMJCE4758 Hardware Crypto provider is being used, the failure described in #2 above still occurs, and the temporary fix must be obtained per the instructions in the SDK flash above.

For any iFixes pertaining to problems #1 or #2 above, refer to the SDK flash at the beginning of the technote.

The corresponding WebSphere Distributed flash (for #1 above) is:
http://www.ibm.com/support/docview.wss?uid=swg21236118

Document Information
Current web document: swg21238056.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Java Security (JSSE/JCE)
Operating system(s): z/OS
Software version: 6.0.2
Software edition:
Reference #: 1238056
IBM Group: Software Group
Modified date: May 25, 2006