SSLKeyException when connecting to adapter over SSL after installing new certificate
After installing a new SSL certificate, the connection fails between ISIM and ITDI, or between ITDI and its target endpoint. This technote addresses only the situation where the new certificate's key is larger than 2048 bits.
The logs show the following error:
javax.net.ssl.SSLKeyException: RSA premaster secret error
The IBM SDK ships with strong but limited jurisdiction policy files. United States federal law places restrictions on the level of encryption that can be freely exported. The IBM SDK complies with these restrictions, which means it only supports SSL keys of 2048 bits or less. Many certificates are now being created with larger keys (e.g. 4096 bits), which will not work with the default policy files.
Diagnosing the problem
The "Developerworks Forum Discussion" link below presents an example of where this problem was seen and the suggestions made to resolve it.
Resolving the problem
The solution is to download and install the unlimited jurisdiction policy files. For those in the United States and other eligible countries, please visit the "IBM SDK Policy Files" link below to download the updated policy files.
After downloading the package for "Unrestricted JCE Policy files for SDK for all newer versions 1.42+", copy the new "US_export_policy.jar" and "local_policy.jar" to the $JAVA_HOME/jre/lib/security directory. You must restart the JVM for the changes to take effect.
If you installed the new certificate on an endpoint managed by ITDI, then you need to apply this change to the $ITDI_HOME/jvm/jre/lib/security directory. If you installed the new certificate in ITDI itself for SSL communication between ITDI and ISIM, then you need to apply the new files to both the ITDI JVM and the ISIM JVM in $WAS_HOME/AppServer/java/jre/lib/security, and restart both ITDI and WebSphere. This change must be made on ALL ITDI instances and ISIM cluster nodes that will be communicating with this new certificate.
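As an added diagnostic (not part of this technote and not IBM-supplied code), the following Java program checks the two facts that determine whether this error will occur: the largest RSA key size the running JVM's jurisdiction policy permits, and the key size of the certificate that the SSL connection presents. It assumes you run it with the same JVM whose policy files you are changing (for example $ITDI_HOME/jvm/bin/java or $WAS_HOME/AppServer/java/bin/java) and pass the certificate file (PEM or DER) as the only argument. With the restricted policy files installed, Cipher.getMaxAllowedKeyLength("RSA") typically reports 2048; with the unrestricted files it reports Integer.MAX_VALUE.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;

// Added diagnostic, not from the technote. Run it under the JVM in question
// (e.g. $ITDI_HOME/jvm/bin/java) so that it reads that JVM's policy files.
public class CheckRsaPolicy {

    // Largest RSA key the JVM's jurisdiction policy allows. Restricted policy
    // files typically cap this at 2048; unrestricted ones report Integer.MAX_VALUE.
    static int maxAllowedRsaBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("RSA");
    }

    // Modulus size, in bits, of the RSA public key in the given certificate file.
    static int certRsaBits(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(certPath);
        try {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            PublicKey key = cert.getPublicKey();
            if (!(key instanceof RSAPublicKey)) {
                throw new IllegalArgumentException(
                        "not an RSA certificate: " + key.getAlgorithm());
            }
            return ((RSAPublicKey) key).getModulus().bitLength();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CheckRsaPolicy <certificate-file>");
            System.exit(2);
        }
        String javaHome = System.getProperty("java.home");
        int allowed = maxAllowedRsaBits();
        int certBits = certRsaBits(args[0]);

        System.out.println("java.home            = " + javaHome);
        System.out.println("max RSA bits allowed = "
                + (allowed == Integer.MAX_VALUE ? "unlimited" : String.valueOf(allowed)));
        System.out.println("certificate RSA bits = " + certBits);

        if (certBits > allowed) {
            // This is the combination that produces "RSA premaster secret error".
            System.out.println("RESULT: key exceeds the policy limit; install the unrestricted "
                    + "US_export_policy.jar and local_policy.jar in " + javaHome
                    + "/lib/security and restart the JVM");
            System.exit(1);
        }
        System.out.println("RESULT: this JVM's policy permits the certificate's key size");
    }
}
```

Because the check reads the policy of the JVM that executes it, run it once per ITDI instance and ISIM cluster node after copying the new jar files and restarting; a node that still prints a 2048 limit has not picked up the unrestricted files.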
Product: IBM Security Identity Manager
Software version: 5.1, 6.0
Operating system(s): AIX, Linux, Solaris, Windows
Software edition: Enterprise
Reference #: 1625723
Modified date: 15 February 2013