Java key size encryption - restricted
avieira (Newbie; Joined: 11 Aug 2016; Posts: 5)
Posted: Thu Aug 11, 2016 4:35 am Post subject: Java key size encryption - restricted
We're trying to decrypt an AES message using a JCN but we're getting an exception concerning illegal key size.
A bit of googling explains that Java restricts usage of encryption algorithms to 128-bit keys, which goes against our 256-bit key.
It is suggested to replace 2 jar files in the security folder of our local Java installation (local_policy.jar and US_export_policy.jar). In our case it would be WMB/IIB's java folder.
Those 2 jar files are composed of *.policy files used to restrict security policy. When we tried replacing them, all our SFTP connections started to fail and the syslog showed multiple: java.lang.NoClassDefFoundError: javax.crypto.b (initialization failure).
I did try editing those policy files manually to allow AES 256-bit, but we keep getting the same exceptions.
Has anyone tried to do something similar?
In case it is relevant, we're using the old unsupported WMB v7006 on a Linux server.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Aug 11, 2016 4:48 am Post subject: Re: Java key size encryption - restricted
avieira wrote:
    In case it is relevant, we're using the old unsupported WMB v7006 on a Linux server.
It's very relevant. Are you sure the (very old) JVM that goes with that unsupported version supports a key that wide? Is compatible with the policies / jar files you're using?
It works for me under v9.0.0.5. For the benefit of possibly skeptical regular readers and in the interests of full disclosure, I didn't make the changes myself but approved them and watched in a supervisory manner as my minions changed jar files and other Java magics.
I think I did a very creditable job of looking like I knew what was happening....
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Thu Aug 11, 2016 5:01 am Post subject:
avieira (Newbie; Joined: 11 Aug 2016; Posts: 5)
Posted: Thu Aug 11, 2016 5:11 am Post subject:
Once I noticed this problem, instead of replacing the jar files I edited them. The policy file that restricts the key sizes is found in local_policy.jar and is named default_local.policy. Here are its contents:

grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
        "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
        "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    permission javax.crypto.CryptoPermission *, 128;
};

I basically replaced the number in the last line with 256, but I keep getting the same "NoClassDefFoundError".
I've tried looking for some documentation of the IBM J9 VM we're using, to check if AES 256 is supported, but I couldn't find anything relevant.
I'm aware this is a highly specific question to an old version of WMB but some ideas/directions would be very helpful.
Thank you
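
An added diagnostic, not code from any poster in this thread: it reports what the JVM's JCE policy actually permits for AES and separates the two failures described above (the "illegal key size" rejection versus javax.crypto failing to initialise). The class name JcePolicyCheck and the all-zero test key are assumptions made for the example; it avoids Java 7+ syntax so it compiles on an old JVM, and it should be run with the broker's own Java installation.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic; JcePolicyCheck is a hypothetical name. Run it with the same
// JVM the broker uses so it loads the same local_policy.jar / US_export_policy.jar.
public class JcePolicyCheck {

    // Try to initialise AES with a constructed all-zero key of the given size.
    static String tryAes(int keyBits) {
        byte[] key = new byte[keyBits / 8]; // constructed test key, not for real data
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return "AES-" + keyBits + ": allowed";
        } catch (InvalidKeyException e) {
            // The "illegal key size" case: the policy caps the key length.
            return "AES-" + keyBits + ": rejected by policy (" + e.getMessage() + ")";
        } catch (Exception e) {
            return "AES-" + keyBits + ": failed (" + e + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        // The policy jars in effect are the ones under <java.home>/lib/security.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        try {
            // 128 means the restricted policy is applied;
            // Integer.MAX_VALUE means the unlimited-strength policy is applied.
            System.out.println("max AES bits = " + Cipher.getMaxAllowedKeyLength("AES"));
            System.out.println(tryAes(128));
            System.out.println(tryAes(256));
        } catch (LinkageError e) {
            // NoClassDefFoundError or ExceptionInInitializerError from javax.crypto:
            // the JCE framework itself did not load, so every cipher user in this
            // JVM is affected, not only code that asks for 256-bit keys.
            System.out.println("JCE failed to initialise: " + e);
        } catch (Exception e) {
            System.out.println("Policy query failed: " + e);
        }
    }
}
```

If AES-128 also fails here, the problem is the JCE framework loading the policy jars rather than the key-size limit itself.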