VOOZH about

URL: https://www.ibm.com/support/pages/apar/PH56022

⇱ PH56022: TLSV1.3 SUPPORT USING RACF RSA HARDWARE AND SOFTWARE KEYS WITH DIFFERENT SIGNING ALGORITHMS

PH56022: TLSV1.3 SUPPORT USING RACF RSA HARDWARE AND SOFTWARE KEYS WITH DIFFERENT SIGNING ALGORITHMS

APAR status

  • Closed as program error.

Error description

  • Error Message: When a user tries to use RACF RSA keys, it may
get one of the following errors, if the signing algorithm is not
RSASSA-PSS:
javax.net.ssl.SSLException: No supported CertificateVerify
signature algorithm for RSA key
java.security.InvalidKeyException: No installed provider
supports this key: com.ibm
.crypto.hdwrCCA.provider.RSAPrivateHWKey
java.security.spec.InvalidParameterSpecException: Inappropriate
parameter specification
javax.net.ssl.SSLHandshakeException: The Finished message cannot
be verified.
.
Stack Trace: javax.net.ssl.SSLHandshakeException: The Finished
message cannot be verified.
at java.base/sun.security.ssl.Alert.createSSLException
at java.base/sun.security.ssl.Alert.createSSLException
at java.base/sun.security.ssl.TransportContext.fatal
at java.base/sun.security.ssl.TransportContext.fatal
at java.base/sun.security.ssl.TransportContext.fatal
at java.base/sun.security.ssl.Finished$FinishedMessage.<init>
at
java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsum
eFinished
at
java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume
at java.base/sun.security.ssl.SSLHandshake.consume
.

Local fix

  • Users need to use RACF RSA keys with RSASSA-PSS signing
algorithms keys or EC keys to be used over TLSv1.3 which are
supported.

Problem summary

  • The RACF RSA keys with RSASSA-PSS signing algorithm are
supported for TLSv1.3. But users may encounter a TLS handshake
error if they use a RACF keystone containing RSA keys without
RSASSA-PSS signing algorithm. In this case, the users may see
the following error message:
No supported CertificateVerify signature algorithm for RSA key
.
This issue was introduced in Java 11.0.19 (PTF UI91990 /
UI91991) and Java 8.0.8.5 (PTF UI92054 / UI92067), by changes
for an earlier fix: APAR PH52876.

Problem conclusion

  • The support for RACF RSA hardware and software keys is added.
So, the user can use different RSA key types with different
signing algorithms.
.
This APAR will be fixed in the following Releases:
.
IBM Semeru Runtimes
 11 11.0.19.1
IBM SDK, Java Technology Edition
 8 SR8 FP15 (8.0.8.15)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
maintenance can be found at:
 https://www.ibm.com/support/pages/java-sdk

Temporary fix



Comments


    



APAR Information




    

  • APAR number
    PH56022
    • 

  • Reported component name
    JAVA Z/OS 64
    • 

  • Reported component ID
    620700104
    • 

  • Reported release
    B00
    • 

  • Status
    CLOSED PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2023-07-26
    • 

  • Closed date
    2023-07-26
    • 

  • Last modified date
    2023-09-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    JAVA Z/OS 64
    • 

  • Fixed component ID
    620700104
    • 



Applicable component levels







 
 
 
 

 [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B00","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
 

 

 
 
 

 

 

 

 

 

 
Document Information


 

 

 Modified date:
 

 22 September 2023