PM86382: USING RSA AUTHENTICATION WITH HW CRYPTO FAILS WITH JAVAX.CRYPTO.BADPADDINGEXCEPTION

Fixes are available

APAR status

Closed as program error.

Error description

When Hardware Crypto is used with administrative authentication
set to RSA (which is the default in Base Appserver environment
only) administrative tasks such as app deployments etc., fail.

The Log shows a message like this:

Trace: 2013/02/14 18:32:12.221 01 t=AAF108 c=UNK key=S2
(13007002)
   ThreadId: 0000001e
   FunctionName:
com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
   SourceId:
com.ibm.ws.security.auth.rsatoken.RSAPropagationManager
   Category: SEVERE
   ExtendedMessage: BBOO0220E: JSAS0803E:  The received admin
RSA token failed validation.  The exception message is: The
signature of the rsa token was not verified.


The respective ffdc log entry is:

extracell_extranode_WebSphere_Portal_W64IP11_STC05256_0000068800
000004_c380c38_13.02.14_18.32.11.9104745420026184471791.txt
[2/14/13 18:32:11:910 CET]     FFDC
Exception:javax.crypto.BadPaddingException
SourceId:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.a
esDecryptBytes ProbeId:919
Reporter:com.ibm.ws.security.auth.rsatoken.RSAPropagationToken@1
df11df1
javax.crypto.BadPaddingException: Given final block not
properly padded
 at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown
Source)
 at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown
Source)
 at javax.crypto.Cipher.doFinal(Unknown Source)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesDecrypt
Bytes(RSAPropagationToken.java:952)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.decryptAnd
VerifyRSAToken(RSAPropagationToken.java:719)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readRSAPro
pagationTokenV1Bytes(RSAPropagationToken.java:387)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readBytes(
RSAPropagationToken.java:298)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.<init>(RSA
PropagationToken.java:116)
 at
com.ibm.ws.security.auth.rsatoken.RSAPropagationManager.validate
RSAPropagationToken(RSAPropagationManager.java:296)
 at
com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
ava:342)
 at
com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
ava:246)
 at
com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdmin
RSAPropImpl.acceptSecContext(WSSecurityContextAdminRSAPropImpl.j
ava:238)
 at
com.ibm.ws.management.connector.soap.SOAPConnector.tokenBasedAut
h(SOAPConnector.java:584)
 at
com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPC
onnector.java:216)
 at
com.ibm.ws.management.connector.soap.SOAPConnection.handleReques
t(SOAPConnection.java:65)
 at
com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnecti
on.java:733)
 at
com.ibm.ws.http.HttpConnection.run(HttpConnection.java:522)
 at
com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)

Local fix

```
Use LTPA instead of RSA
```

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V7.0, V8.0 and V8.5                  *
****************************************************************
* PROBLEM DESCRIPTION: RSA tokens fail to be                   *
*                      decrypted/encrypted when using some     *
*                      Hardware Crypto cards.                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Some hardware crypto cards are not
compatible with the RSA software keys.
resulting in "The signature of the rsa
token was not verified."

Problem conclusion

Security Custom Property
com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA has
been added to utilize the default software JCE provider,
instead of IBMJCECCA if set to "true".

APAR PM86382 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our Web
site, so the changes might have been made before you read this
text. To access the latest on-line documentation, go to the
product library page at:

http://www.ibm.com/software/webservers/appserv/library

The following changes to the WebSphere Application Server
Version 7.0 Information Center will be made available in
December, 2013.

Topic "Security custom properties" will be updated to include
the description of the following custom property:

com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA

Use the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
custom property to force RSA token validation to be done in
software.

Some hardware crypto cards are not compatible with the RSA
tokens. If you receive the message "The signature of the rsa
token was not verified", you might need to use the LTPA
authentication mechanism instead of RSA tokens for security
validation. To change your security validation settings, in
the administrative console:

- Click Global security > Administrative authentication", and
unselect "RSA token".
- Select "Only use the active application authentication
mechanism".
- Add the
com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom
property to your security settings and set it to "true".

When this property is set to "true", the default software JCE
provider, instead of IBMJCECCA, is used for security
validation.

Default:    false

APAR PM86382 is currently targeted for inclusion in WebSphere
Application Server Fix Packs 7.0.0.31, 8.0.0.8, and 8.5.5.2
of WebSphere Application Server.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PM86382
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-04-04
Closed date
2013-07-30
Last modified date
2014-02-05

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R700 PSY UI13725
UP14/01/11 P F401

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022

Tips

PM86382: USING RSA AUTHENTICATION WITH HW CRYPTO FAILS WITH JAVAX.CRYPTO.BADPADDINGEXCEPTION

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY UI13725

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?