VOOZH about

URL: https://www.ibm.com/support/pages/apar/PH59794

⇱ PH59794: TLS HANDSHAKE ISSUE WITH SAF DB RSA SOFTWARE KEY WITH IBMJCEHYBRID AND IBMJCECCA

PH59794: TLS HANDSHAKE ISSUE WITH SAF DB RSA SOFTWARE KEY WITH IBMJCEHYBRID AND IBMJCECCA

APAR status

  • Closed as program error.

Error description

  • Error Message: A TLS handshake error can happen when using
IBMJCEHYBRID as the first security provider and using a
JCECCARACFKS keystore with the cert RSA private key stored in
the SAF database versus ICSF PKDS.
.
Stack Trace: IBMJCEHybridException: Object state does not permit
failover.
Exception#0 java.security.InvalidKeyException: Key is not
RSASSA-PSS compatible
Stack Trace:
at
com.ibm.crypto.hdwrCCA.provider.RSAPSSSignature.engineInitSign(R
SAPSSSignature.java:99)
at
java.security.Signature$Delegate.engineInitSign(Signature.java:1
337)
at java.security.Signature.initSign(Signature.java:627)
at
com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.initSign(Hy
bridSignature.java:1012)
at
com.ibm.crypto.ibmjcehybrid.provider.HybridSignature.engineInitS
ign(HybridSignature.java:952)
at
java.security.SignatureSpi.engineInitSign(SignatureSpi.java:141)
.

Local fix

  • Using the RSA software keys in the ICSF PKDS or RACF and loading
them using JCEHYBRIDRACFKS or JCECCARACFKS can resolve the
issue.

Problem summary

  • A TLS handshake error can happen when using IBMJCEHYBRID as the
first security provider and using a JCECCARACFKS keystore with
the cert RSA private key stored in the SAF database versus ICSF
PKDS.

Problem conclusion

  • The RSA Software keys are translated properly to be processed by
IBMJCEHYBRID to proceed with the TLS handshake.
.
This APAR will be fixed in the following Releases:
.
IBM Semeru Runtimes
 11 11.0.23.0
 17 17.0.11.0
IBM SDK, Java Technology Edition
 8 SR8 FP25 8.0.8.25
.
Downloads and supplementary documentation can be found at the
following locations:
- For the z/OS operating system:
 - Java SDK Products on z/OS
 https://www.ibm.com/support/pages/java-sdk-products-zos

Temporary fix



Comments


    



APAR Information




    

  • APAR number
    PH59794
    • 

  • Reported component name
    JAVA Z/OS 64
    • 

  • Reported component ID
    620700104
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2024-02-14
    • 

  • Closed date
    2024-02-15
    • 

  • Last modified date
    2024-04-20
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    JAVA Z/OS 64
    • 

  • Fixed component ID
    620700104
    • 



Applicable component levels







 
 
 
 

 [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]
 

 

 
 
 

 

 

 

 

 

 
Document Information


 

 

 Modified date:
 

 21 April 2024