IBM Support

SSLKeyException when connecting to adapter over SSL after installing new certificate

Technote (troubleshooting)


Problem(Abstract)

After installing a new SSL certificate, the connection fails between ISIM and ITDI, or between ITDI and its target endpoint. This technote only addresses the situation where the new certificate has a key larger than 2048 bits.

Symptom

The logs show the following error:

javax.net.ssl.SSLKeyException: RSA premaster secret error


Cause

The IBM SDK ships with strong but limited jurisdiction policy files. United States federal law places restrictions on the level of encryption that can be freely exported. The IBM SDK complies with these restrictions, which means that with the default policy files it only supports SSL keys of 2048 bits or less. Many certificates are now being issued with larger keys (e.g. 4096 bits), which will not work with the default settings.


Diagnosing the problem

The "Developerworks Forum Discussion" link below presents an example of where this problem was seen and the suggestions made to resolve it.

Resolving the problem

The solution is to download and install the unlimited jurisdiction policy files. For those in the United States and other eligible countries, please visit the "IBM SDK Policy Files" link below to download the updated policy files.

After downloading the package for "Unrestricted JCE Policy files for SDK for all newer versions 1.42+", copy the new "US_export_policy.jar" and "local_policy.jar" to the $JAVA_HOME/jre/lib/security directory. You must restart the JVM for the changes to take effect.

If you installed the new certificate on an endpoint managed by ITDI, then you need to apply this change to the $ITDI_HOME/jvm/jre/lib/security directory. If you installed the new certificate in ITDI itself for SSL communication between ITDI and ISIM, then you need to apply the new files to both the ITDI JVM and the ISIM JVM in $WAS_HOME/AppServer/java/jre/lib/security, and restart both ITDI and WebSphere. Also, this change must be made on ALL ITDI instances and ISIM cluster nodes that will be communicating with this new certificate.
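As an added example (not part of the IBM technote), the following POSIX shell helper stages the two policy jars into a JVM security directory, keeps the shipped restricted jars as timestamped backups so the change can be reverted, and covers both JVMs named above. The directory holding the downloaded jars and the function names are assumptions.

```shell
#!/bin/sh
# Added helper, not from the IBM technote: copies the unrestricted
# US_export_policy.jar and local_policy.jar into a JVM's
# jre/lib/security directory, keeping the restricted originals as
# timestamped backups so the change can be rolled back.

POLICY_JARS="US_export_policy.jar local_policy.jar"

# install_policy_jars <dir holding the downloaded jars> <jre/lib/security dir>
# Returns 0 on success, 1 if a directory or jar is missing (nothing is copied).
install_policy_jars() {
  src="$1"
  dest="$2"
  if [ ! -d "$src" ] || [ ! -d "$dest" ]; then
    echo "install_policy_jars: missing directory: $src or $dest" >&2
    return 1
  fi
  for jar in $POLICY_JARS; do
    if [ ! -f "$src/$jar" ]; then
      echo "install_policy_jars: $src/$jar not found" >&2
      return 1
    fi
  done
  stamp=$(date +%Y%m%d%H%M%S)
  for jar in $POLICY_JARS; do
    # Keep the shipped (restricted) jar so the JVM can be rolled back.
    [ -f "$dest/$jar" ] && cp -p "$dest/$jar" "$dest/$jar.restricted.$stamp"
    cp "$src/$jar" "$dest/$jar" || return 1
  done
  echo "installed unrestricted policy jars into $dest (restart this JVM)"
  return 0
}

# install_for_itdi_isim <jar dir> <ITDI_HOME> <WAS_HOME>
# Applies the change to both JVMs named in the technote: the ITDI JVM and
# the WebSphere JVM hosting ISIM. Run it on every ITDI instance and ISIM
# cluster node, then restart ITDI and WebSphere.
install_for_itdi_isim() {
  install_policy_jars "$1" "$2/jvm/jre/lib/security" || return 1
  install_policy_jars "$1" "$3/AppServer/java/jre/lib/security" || return 1
  return 0
}
```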

Related information

Developerworks Forum Discussion
IBM SDK Policy Files

Product Alias/Synonym

enrole tim itim isim sim

Document information

More support for: IBM Security Identity Manager
Adapters

Software version: 5.1, 6.0

Operating system(s): AIX, Linux, Solaris, Windows

Software edition: Enterprise

Reference #: 1625723

Modified date: 15 February 2013