APAR status
Closed as program error.
Error description
Pb 1. For a keystore (say QMP3C_DOE.kdb), ikeyman reports that wmqca is trusted whereas gsk8capicmd says it is not trusted.
Pb 2. Review new CA certificates: some new Entrust CAs are not in iKeyman.
Pb 3. gsk8capicmd allows all three CAs to be added to a keystore, but iKeyman (8.0.373) replaces the first G5 cert with the subsequent G5 cert.
Stack Trace: N/A
Local fix
Problem summary
Pb 1. QMP3C_DOE.kdb (working) has no deleted records, while QMP4C_DOE.kdb (not working) has a deleted wmqca record and a new one with trusted=false. We discovered that the CMS provider does not ignore keystore records that have the "DELETED" flag set. QMP4C_DOE.kdb contains the deleted wmqca record, which is trusted, and the non-deleted record, which is not trusted; ikeyman treats the deleted one as valid. Therefore gsk8capicmd is correct and ikeyman (cmsprovider) is incorrectly reporting that certificate attribute.
Pb 2. Entrust has been using a new CA to issue certificates for customers, and these CAs are not in iKeyman.
Pb 3. iKeyman is treating the cert as a duplicate because it has the same public key. This behaviour is not correct and is not in line with gskcapicmd.
Problem conclusion
Pb 1. The fix is that cmsprovider should not take "DELETED" records into account.
Pb 2. The following new Entrust CAs were added: "Entrust.net Certification Authority (2048) 29", "Entrust Root Certification Authority - EC1", "Entrust Root Certification Authority - EV", "Entrust Root Certification Authority - G2".
Pb 3. CMS Provider matches entries by comparing the public key, not the whole certificate. That makes it treat certificates for the same key pair as identical, which they are not. The proposal is to change the code to match on the whole certificate, as gsk8capicmd does.
This APAR will be fixed in the following Java releases: 6 SR16 FP4 (6.0.16.4), 7 SR9 (7.0.9.0), 7 R1 SR3 (7.1.3.0), 6 R1 SR8 FP4 (6.1.8.4), 8 SR1 (8.0.1.0).
Contact your IBM product's service team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
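The two defects described above (a lookup that does not skip DELETED keystore records, and a duplicate check that compares only the public key) can be reproduced on a small model of a keystore. The following is an added illustration written for this page, not IBM's cmsprovider or gsk8capicmd code. The KeyRecord type, the record contents and the certificate/SPKI bytes are all constructed stand-ins; the pair of G5 records only models "two different certificates issued for the same key pair", as happens with a self-signed and a cross-signed copy of one CA key.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    """Constructed model of one keystore record (not the real CMS .kdb layout)."""
    label: str
    cert_der: bytes   # stand-in for the whole encoded certificate
    spki_der: bytes   # stand-in for the SubjectPublicKeyInfo (public key) only
    trusted: bool
    deleted: bool = False


# Constructed stand-in for QMP4C_DOE.kdb: the old wmqca record was marked
# DELETED (still trusted) and a fresh wmqca record was written with trusted=false.
QMP4C_RECORDS = [
    KeyRecord("wmqca", b"cert:wmqca:old", b"spki:wmqca", trusted=True, deleted=True),
    KeyRecord("wmqca", b"cert:wmqca:new", b"spki:wmqca", trusted=False),
]


def is_trusted_buggy(records, label):
    """Pb 1, defective behaviour: the first record with the label wins, DELETED or not."""
    for r in records:
        if r.label == label:
            return r.trusted
    return None


def is_trusted_fixed(records, label):
    """Pb 1, corrected: DELETED records are skipped before the label is matched."""
    for r in records:
        if r.deleted:
            continue
        if r.label == label:
            return r.trusted
    return None


def key_fingerprint(r):
    """Identity used by the defective duplicate check: hash of the public key only."""
    return hashlib.sha256(r.spki_der).hexdigest()


def cert_fingerprint(r):
    """Identity used by the corrected duplicate check: hash of the whole certificate."""
    return hashlib.sha256(r.cert_der).hexdigest()


def add_cert(records, new, identity):
    """Add `new` to the store; if a live record has the same identity, replace it.

    Returns (new_record_list, replaced_flag).
    """
    out = list(records)
    for i, r in enumerate(out):
        if not r.deleted and identity(r) == identity(new):
            out[i] = new          # treated as a duplicate: the earlier entry is overwritten
            return out, True
    out.append(new)
    return out, False


# Constructed pair: two distinct certificates that carry the same public key.
G5_SELF_SIGNED = KeyRecord("g5_self_signed", b"cert:g5:self", b"spki:g5", trusted=True)
G5_CROSS_SIGNED = KeyRecord("g5_cross_signed", b"cert:g5:cross", b"spki:g5", trusted=True)


def import_all(certs, identity):
    """Import certificates one after another and return the resulting labels."""
    store = []
    for c in certs:
        store, _ = add_cert(store, c, identity)
    return [r.label for r in store]


if __name__ == "__main__":
    print("Pb 1 buggy :", is_trusted_buggy(QMP4C_RECORDS, "wmqca"))
    print("Pb 1 fixed :", is_trusted_fixed(QMP4C_RECORDS, "wmqca"))
    print("Pb 3 by key :", import_all([G5_SELF_SIGNED, G5_CROSS_SIGNED], key_fingerprint))
    print("Pb 3 by cert:", import_all([G5_SELF_SIGNED, G5_CROSS_SIGNED], cert_fingerprint))
```

With the public-key identity the second G5 certificate silently overwrites the first, which is the behaviour the report describes; with the whole-certificate identity both are kept, while an exact re-import of the same certificate is still recognised as a duplicate under either rule.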
Temporary fix
Comments
APAR Information
APAR number
IV71425
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-03-24
Closed date
2015-03-27
Last modified date
2015-03-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
IV71426
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSY
UP
R260 PSY
UP
R270 PSY
UP
Business Unit: IBM Software w/o TPS (BU059)
Product: Runtimes for Java Technology (SSNVBF)
Platform: Platform Independent (PF025)
Version: 6.0
Line of Business: IBM Automation (LOB36)
Document Information
Modified date:
07 December 2020
