IBM Support

Error importing PKCS#12 file: "The specified database has been corrupted"

Technote (troubleshooting)


Problem (Abstract)

When using iKeyman, the message "The specified database has been corrupted" can be received when importing a PKCS #12 file created by OpenSSL.

Symptom

If iKeyman shows the "The specified database has been corrupted" error during import, it is possible the PKCS#12 file uses an encryption method that is not available in the default JCE policy files provided by the IBM Java used by iKeyman.


Cause

To verify this is the case, run the following test:

<TDI>V6.1.1\jvm\jre\bin\keytool -list -v -keystore /tmp/mycert.p12 -storetype pkcs12 -storepass password

...java.io.IOException: Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameters)


Resolving the problem

To resolve this, download the unrestricted IBM JCE policy files for IBM JVM 1.4.2+ (US_export_policy.jar and local_policy.jar) from IBM. Unrestricted policy files are the same for 1.4.2 and 1.5.0 IBM JVMs.


In order to enable strong encryption, you need to download and install policy files from IBM developerWorks that allow this feature. This involves acceptance of licensing terms.

The steps to enable strong encryption are as follows:

1) Go to the developerWorks Java Technology Security page at http://www.ibm.com/developerworks/java/jdk/security/

2) Click on the "J2SE 5.0" link since this is the JRE version for all variants of TDI 6.1.x.

3) Scroll down on the resulting page and click on the "IBM SDK Policy files" link.

4) This will take you to the "Unrestricted JCE Policy files" page. If you already have an IBM ID and password, click on the "Sign in" link. Otherwise, click on the "register now" link to create an ID.

5) On the Sign in page, supply your IBM ID and Password.

6) Select "Unrestricted JCE Policy files for SDK for all newer versions 1.4.2+" and click on Continue.

7) Scroll down to the License portion of the resulting page and click on the View license link to see the licensing terms for the download.

8) If the licensing terms are acceptable, check "I agree" and click on the "I confirm" link. If the terms are not acceptable, you will not be able to enable strong encryption and should click "I cancel".

9) Click on the Download now link to download the unrestricted.zip file.

10) Extract the local_policy.jar and US_export_policy.jar files from the unrestricted.zip archive.

11) Place these two files in the <TDI>V6.1.1\jvm\jre\lib\security directory, replacing the existing files with the same names. For a default installation, the directory would be C:\Program Files\IBM\TDI\V6.1.1\jvm\jre\lib\security.

13) The next start of TDI will utilize the new policy files.
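To tell a policy restriction apart from a wrong password or a genuinely damaged file, both before and after replacing the policy files, the keytool test above can be repeated with a small program run on the same JVM. This is an added example, not IBM code: the class name and the algorithm list are assumptions, since the page does not say which algorithm the file uses, and only the error text is taken from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.crypto.Cipher;

// Added example (hypothetical class name): prints the JCE key-length limits of
// the running JVM, then opens a PKCS#12 file and reads each private key.
// Avoids Java 7+ syntax so it compiles for a J2SE 5.0 runtime.
public class Pkcs12PolicyCheck {
    // Error text quoted in the keytool output on this page.
    static final String POLICY_ERROR = "Unsupported keysize or algorithm parameters";

    // keytool shows the SecurityException inside the IOException message, so
    // match on message text along the whole cause chain, not on exception type.
    static boolean policyRelated(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (String.valueOf(t.getMessage()).indexOf(POLICY_ERROR) >= 0) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs12PolicyCheck <file.p12> <password>");
            System.exit(2);
        }
        // Integer.MAX_VALUE means the installed policy files impose no limit.
        String[] algorithms = { "AES", "DESede", "RC2" }; // assumed sample list
        for (int i = 0; i < algorithms.length; i++) {
            int max = Cipher.getMaxAllowedKeyLength(algorithms[i]);
            System.out.println(algorithms[i] + ": "
                    + (max == Integer.MAX_VALUE ? "unrestricted" : "limited to " + max + " bits"));
        }
        char[] password = args[1].toCharArray();
        InputStream in = new FileInputStream(args[0]);
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (ks.isKeyEntry(alias)) ks.getKey(alias, password); // forces key decryption
                System.out.println("readable: " + alias);
            }
        } catch (Exception ex) {
            System.out.println((policyRelated(ex) ? "Blocked by JCE policy files: "
                    : "Failed for another reason (wrong password or damaged file?): ") + ex);
        } finally {
            in.close();
        }
    }
}
```

As with keytool's -storepass option, a password passed on the command line is visible in the process list and shell history, so run the check with a test copy of the file or on a single-user host.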

Historical Number

20125
442
000

Document information

More support for: IBM Security Directory Integrator
General

Software version: 6.1.1

Operating system(s): Platform Independent

Reference #: 1329670

Modified date: 23 January 2009

