IV96797: MULTIPLE PRIVATE KEYS FOR THE SAME PKCS#11 CERTIFICATE OBJECT ON THE TOKEN

APAR status

• Closed as program error.

Error description

• Error Message: SSL handshake generates x'15' alert - Decryption
  Failed
  .
  Stack Trace: N/A
  .
  

Local fix

• This can be fixed by cleaning the old CKO_PRIVATE_KEY objects
  off the token
  

Problem summary

• The problem is that the PKCS#11 device had multiple private key
  objects associated with the same certificate i.e. multiple
  CKO_PRIVATE_KEY objects with the CKA_ID attribute that match the
  certificate.
  

Problem conclusion

• The problem occurs when the user attempts to recreate the
  PKCS#11 certificate/private key with duplicate label. Though
  iKeyman rejects the request with "Duplicate entry already
  exists", private/public keypair objects are already generated on
  the token. This results in dangling private key objects with the
  duplicate CKA_ID/CKA_LABEL attributes.
  Ths fix is - iKeyman will run the duplicate label validation
  check before private/public key pair objects are generated.
  .
  This APAR will be fixed in the following Java Releases:
   8 SR4 FP10 (8.0.4.10)
   7 SR10 FP10 (7.0.10.10)
   6 SR16 FP50 (6.0.16.50)
   6 R1 SR8 FP50 (6.1.8.50)
   7 R1 SR4 FP10 (7.1.4.10)
  .
  Contact your IBM Product's Service Team for these Service
  Refreshes and Fix Packs.
  For those running stand-alone, information about the available
  Service Refreshes and Fix Packs can be found at:
   https://www.ibm.com/developerworks/java/jdk/
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

• Fixed component name

  SECURITY

• Fixed component ID

  620700125

Applicable component levels

• R270 PSY

     UP

• R260 PSY

     UP

• R600 PSY

     UP