IBM Global Security Kit is a library that is used by
many IBM products to provide cryptographic functions - encrypting data, hashing passwords, etc. It is generally a good security practise to keep your GSKit at the latest release version, to ensure the highest level of protection for your data and communications.
In one of the most recent FixPacks of GSKit (8.0.55.26+), IBM added 'post quantum cryptography' support to key databases. "Post-Quantum Cryptography" ('PQC') refers to cryptographic methods that are resistant to factoring attacks against standard cryptographic methods that are quickly becoming feasible due to advances in quantum computing. This change breaks CMOD v10.5.0.7 (and likely all lower versions).
With the latest GSKit Fixpack, there was no notification, no included README file, and no updated documentation released to describe the change. It is considered bad software development practise to introduce a change that breaks upstream products, and enable that change by default in minor or 'fix' releases.
CMOD bears some of the responsibility for this issue, as it currently ignores the unreadable key database, didn't produce any error messages (or pass through the GSKit errors), and arssockd starts up, exposing an unresponsive SSL/TLS port on the server's network interface. Only through extensive server tracing can a cryptic and uninformative GSKit error message be found.
This issue affects both server and client software. Key Databases must be re-created for both using an undocumented option in order to work with the latest Content Manager OnDemand FixPacks.
Other products may experience similar issues if key databases are created with the latest versions of GSKit.
More information and a solution can be found here:
https://cmod.wiki/index.php?title=IBM_Content_Manager_OnDemand_v10.5.0.7_and_GSKit_support_for_Post-Quantum_Cryptography-JD.
