SAP reports Java Agent is altering IAIK certificates issue .
search cancel

SAP reports Java Agent is altering IAIK certificates issue .

book

Article ID: 376139

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

For SAP java application the Java services are failing upon restart this is due to  Java agent is causing the following issue


The issue is related to Java agent interfering to the IAIK crypto provider when the latter is loading trusted certificates for establishing an outbound TLS connection.
Switching Java agent off leads to normal behavior of IAIK, whereas switching Java agent on leads to the problem.
The symptom of the problem is that valid CA certificates are being recognized as not signed."

Also identified that when the java agent is enabled then  the  application certificates are being altered(signed certificates become unsigned) intermittently.=

Environment

 SAP Release: 10.8 SP00 Patch 1 using Introscope agent build 2023.5.1.13

Resolution

skip this class X509Certificate alone instead of the complete iaik package.

SkipClass: iaik.x509.X509Certificate

Same can be suggested to other customer if they are using iaik package. The impact is only on traces if the class(x509certificate) is involved in any of the call stack from the application.

Additional Information

iaik classes are being instrumented as below

Processing class iaik/security/ec/math/curve/BinaryWeierstrassCurveFactory
62040          XfsEventsQueue.run:70              inserted method tracer object allocation: com/wily/introscope/agent/async/AsyncThreadFragmentCorrelationTracer
62041          XfsEventsQueue                     New Field is added  fieldName = __Wily_txnContext fieldDesc = Ljava/util/concurrent/atomic/AtomicReference;
Processing class iaik/security/ssl/ac
61019          ..aceabilityConfiguration.main:353 Inserted startup call to com/wily/introscope/agent/AgentShim.ProbeBuilderEntryPoint_initializeAgentShim()
Processing class iaik/security/ec/math/field/t
61283          SequenceDataOptimizer              New Field is added  fieldName = __Wily_txnContext fieldDesc = Ljava/util/concurrent/atomic/AtomicReference;
61284          SequenceDataOptimizer.run:41       inserted method tracer object allocation: com/wily/introscope/agent/async/AsyncThreadFragmentCorrelationTracer

Processing class iaik/security/ec/math/curve/at
61412          ParameterHandler$1.run:885         inserted method tracer object allocation: com/wily/introscope/agent/async/AsyncThreadFragmentCorrelationTracer
61413          ParameterHandler$1                 New Field is added  fieldName = __Wily_txnContext fieldDesc = Ljava/util/concurrent/atomic/AtomicReference;

Processing class iaik/security/ec/math/curve/aC
61435          ConfigRegistryImpl.startup:456     inserted method tracer object allocation: com/wily/introscope/agent/trace/hc2/BlamePointTracer
61436          ConfigRegistryImpl.load:693        inserted method tracer object allocation: com/wily/introscope/agent/trace/hc2/BlamePointTracer
Processing class iaik/x509/CertificateFactory
61717          AbstractLeanHashMap.main:492       Inserted startup call to com/wily/introscope/agent/AgentShim.ProbeBuilderEntryPoint_initializeAgentShim()

Processing class iaik/pkcs/pkcs7/SignedAndEnvelopedData
62100          CacheOptimizer.run:99              inserted method tracer object allocation: com/wily/introscope/agent/async/AsyncThreadFragmentCorrelationTracer
62101          CacheOptimizer                     New Field is added  fieldName = __Wily_txnContext fieldDesc = Ljava/util/concurrent/atomic/AtomicReference;
62102  Processing class com/sap/glx/deploy/impl/DeployControllerImpl