Fix (APAR): PH42162
Status: Fix
Release: 8.5.5.21, 8.5.5.20
Operating System: AIX, IBM i, Linux, Windows, z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 693751
Date: 2022-05-17

Abstract: chained certificate creation fails with "signer ski format must match signed aki format" error

Description/symptom of problem:

PH42162 resolves the following problem:

ERROR DESCRIPTION:
WebSphere fails to create a chained certificate. The following error message is printed in the log:

3008-737 A certificate attribute was not recognised. (wraps: com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format)

------ Sample error --------------------------------------------
[11/5/21 9:20:10:033 CET] 0000017a CreateCMSKeyS 3 Exception creating CMS keystore.
com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format):
com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format
    at com.ibm.security.certclient.util.PkNewCertFactory.computeAuthorityKID(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory.access$000(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.generatenewCertificate(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.(Unknown Source)
    at com.ibm.security.certclient.util.PkNewCertFactory.newCert(Unknown Source)

LOCAL FIX:

PROBLEM SUMMARY:
USERS AFFECTED: All users of IBM WebSphere Application Server who replaced the server root certificate with one that contains a standard (longer) SKI

PROBLEM DESCRIPTION: After a Java update, creating a chained certificate throws com.ibm.security.certclient.base.PkRejectionException.
RECOMMENDATION:
None

After a Java update, the following error is thrown during chained certificate creation:

com.ibm.security.certclient.base.PkRejectionException: Signer SKI format must match signed AKI format

Recent Java versions check that the chained certificate's Authority Key Identifier (AKI) is in the same format as its root signer's Subject Key Identifier (SKI). WebSphere had been requesting the short SKI/AKI format when calling the Java API to create the certificate. If the root certificate's SKI is not in the short format, Java throws the exception above because the two formats do not match.

Servers that use WebSphere's default root certificate are not affected, because that certificate carries an SKI in the short format. Servers whose root certificate came from a third party (a CA-issued certificate, or one created with iKeyman, keytool, openssl, etc.) are affected. To find out which format a root certificate uses, print it with keytool -printcert -v -file <certificate file> and inspect the SubjectKeyIdentifier extension: an 8-byte KeyIdentifier is the short format, a 20-byte one is the longer format shown first below.

--- Keytool output of SKI ---

Root certificate keytool output. The following shows the longer SKI:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6 ................
0010: 3c 87 27 7b ....
]
]

The following is the shorter SKI from WebSphere's default root certificate:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]

The Java change was introduced with APAR IJ32593, https://www.ibm.com/support/pages/apar/IJ32593, and is included in the following Java releases:
8 SR6 FP35 (8.0.6.35)
7 SR10 FP90 (7.0.10.90)
7 R1 SR4 FP90 (7.1.4.90)

PROBLEM CONCLUSION:
The certificate creation code has been updated to match the SKI/AKI format of the signer. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.13.
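What "format" means in the error above, as an added example that is not part of the APAR text and not WebSphere's or IBM Java's own code: RFC 5280 section 4.2.1.2 gives two common ways to derive a key identifier from the subjectPublicKey bit string, the full 20-byte SHA-1 hash (the longer SKI above) and an 8-byte form made of a four-bit type field 0100 followed by the low 60 bits of that hash. The WebSphere sample (42 1a 4d ...) is consistent with the second form, since its first byte 0x42 has high nibble 0100; the APAR itself does not name the derivation, so treating it that way is this example's assumption. The stdlib-only Python below reproduces both derivations, classifies the two keytool dumps quoted above (copied from the APAR text), models the format-then-value check implied by the error message (an assumption about what the Java check does, not IBM's code), and contrasts the pre-fix "always short" AKI with one derived in the signer's own format. SAMPLE_SPK is a constructed stand-in for a root key, and all function names are the example's own.

```python
import hashlib
import re

# Constructed stand-in for a root key's subjectPublicKey BIT STRING contents
# (the bytes RFC 5280 hashes, excluding tag, length and the unused-bits octet).
# Not a real key; it only needs to be stable so the derived identifiers are.
SAMPLE_SPK = bytes(range(256)) * 2

# The two keytool dumps quoted in the APAR text above.
LONG_DUMP = """#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6 ................
0010: 3c 87 27 7b ....
]
]"""
SHORT_DUMP = """#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]"""

FORMAT_MISMATCH = "Signer SKI format must match signed AKI format"
VALUE_MISMATCH = "AKI does not reference this signer"


def ski_long(spk):
    """RFC 5280 4.2.1.2 method (1): the 160-bit SHA-1 hash of subjectPublicKey."""
    return hashlib.sha1(spk).digest()


def ski_short(spk):
    """RFC 5280 4.2.1.2 method (2): four-bit type field 0100 followed by the
    least significant 60 bits of the SHA-1 hash, i.e. 8 bytes whose first
    byte has high nibble 0x4 (as in the 42 1a 4d ... sample above)."""
    tail = bytearray(hashlib.sha1(spk).digest()[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail)


def ski_format(kid):
    """Classify a key identifier: 20 bytes -> long, 8 bytes carrying the 0100
    type nibble -> short, anything else -> unknown (e.g. a random SKI)."""
    if len(kid) == 20:
        return "long"
    if len(kid) == 8 and (kid[0] & 0xF0) == 0x40:
        return "short"
    return "unknown"


HEXDUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+(.*)$")


def parse_keytool_kid(dump):
    """Recover the KeyIdentifier bytes from keytool -printcert style hexdump
    lines ('0000: 21 f5 0a 11 ... ................'); stops at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:  # keytool prints at most 16 bytes per line
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def check_aki(signer_ski, signed_aki):
    """Model of the check the updated Java runtime applies when chaining
    (assumed from the error text): formats must agree, then the AKI must
    actually name the signer."""
    if ski_format(signer_ski) != ski_format(signed_aki):
        return FORMAT_MISMATCH
    if signer_ski != signed_aki:
        return VALUE_MISMATCH
    return "ok"


def legacy_aki(signer_spk):
    """Pre-fix WebSphere behaviour as described by the APAR: always request the
    short form, whatever the root certificate's own SKI looks like."""
    return ski_short(signer_spk)


def fixed_aki(signer_ski, signer_spk):
    """Derive the AKI in the format the signer's SKI actually uses, and verify
    that the signer's SKI really belongs to the signer's key. If the SKI is in
    neither SHA-1 form it cannot be re-derived, so copy it verbatim: RFC 5280
    wants the AKI keyIdentifier to equal the issuer's SKI regardless of how
    the issuer derived it."""
    fmt = ski_format(signer_ski)
    if fmt == "unknown":
        return signer_ski
    candidate = ski_long(signer_spk) if fmt == "long" else ski_short(signer_spk)
    if candidate != signer_ski:
        raise ValueError("signer SKI is not derived from the supplied signer public key")
    return candidate
```

Running check_aki with a root whose SKI is the 20-byte form against legacy_aki reproduces the APAR's failure (format mismatch), while the same root against fixed_aki passes; a root with the 8-byte form passes either way, which is why WebSphere's default root certificate was never affected.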
For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Directions to apply fix:

Fix applies to Editions:
Release 8.5
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions:
In order for the fix for APAR PH42162 to work properly, the fix for Java APAR 8.0.7.6+IJ39703+IJ39631 must also be installed. That fix can be found at https://www.ibm.com/support/pages/node/6585782

Although the fix for APAR PH42162 functionally requires the Java fix 8.0.7.6+IJ39703+IJ39631, the Installation Manager will not prevent the installation of PH42162 if 8.0.7.6+IJ39703+IJ39631 is not present. Verify that the Java fix is installed before relying on PH42162.

NOTE: The user must:
* Be logged in with the same authority level as when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shutdown WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shutdown WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.
Directions to re-apply fix:
1) Shutdown WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
In order for the fix for APAR PH42162 to work properly, the fix for Java APAR 8.0.7.6+IJ39703+IJ39631 must also be installed. That fix can be found at https://www.ibm.com/support/pages/node/6585782

As noted in the Special Instructions: although the fix for APAR PH42162 functionally requires the Java fix 8.0.7.6+IJ39703+IJ39631, the Installation Manager will not prevent the installation of PH42162 if 8.0.7.6+IJ39703+IJ39631 is not present.