Question & Answer
Question
After configuring DB2 for SERVER_ENCRYPT or DATA_ENCRYPT authentication, my Java applications running from the Oracle JVM fail to connect. How do I configure the Oracle JVM, JCC driver, and DB2 encryption?
Cause
The following symptoms may present themselves when the Oracle JVM, JCC driver, and DB2 instance are not properly configured for encryption algorithms.
- After configuring DB2 for SERVER_ENCRYPT, JCC applications running from the Oracle JVM may fail with:
com.ibm.db2.jcc.am.SqlException: [jcc][1071][10615][4.21.29] Caught java.security.InvalidAlgorithmParameterException while initializing EncryptionManager. See attached Throwable for details. ERRORCODE=-4223, SQLSTATE=null
at com.ibm.db2.jcc.am.kd.a(kd.java:794)
at com.ibm.db2.jcc.am.kd.a(kd.java:66)
at com.ibm.db2.jcc.am.kd.a(kd.java:98)
at com.ibm.db2.jcc.am.wc.a(wc.java:152)
at com.ibm.db2.jcc.t4.b.v(b.java:2896)
at com.ibm.db2.jcc.t4.b.b(b.java:832)
at com.ibm.db2.jcc.t4.b.a(b.java:785)
at com.ibm.db2.jcc.t4.b.a(b.java:430)
at com.ibm.db2.jcc.t4.b.a(b.java:403)
at com.ibm.db2.jcc.t4.b.<init>(b.java:341)
at com.ibm.db2.jcc.t4.T4XAConnection.<init>(T4XAConnection.java:32)
at com.ibm.db2.jcc.DB2PooledConnection.<init>(DB2PooledConnection.java:198)
at com.ibm.db2.jcc.DB2XAConnection.<init>(DB2XAConnection.java:105)
at com.ibm.db2.jcc.DB2XADataSource.getXAConnection(DB2XADataSource.java:166)
- After configuring DB2 for DATA_ENCRYPT, JCC applications running from the Oracle JVM may fail with:
com.ibm.db2.jcc.am.SqlException: [jcc][1071][10615][4.12.98] Caught java.security.InvalidAlgorithmParameterException while initializing EncryptionManager. See attached Throwable for details. ERRORCODE=-4223, SQLSTATE=null
at com.ibm.db2.jcc.am.hd.a(hd.java:660)
at com.ibm.db2.jcc.am.hd.a(hd.java:60)
at com.ibm.db2.jcc.am.hd.a(hd.java:85)
at com.ibm.db2.jcc.am.tc.a(tc.java:152)
at com.ibm.db2.jcc.t4.b.ld(b.java:2467)
at com.ibm.db2.jcc.t4.b.d(b.java:749)
at com.ibm.db2.jcc.t4.b.c(b.java:703)
at com.ibm.db2.jcc.t4.b.a(b.java:391)
at com.ibm.db2.jcc.t4.b.<init>(b.java:320)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:214)
at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:460)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:154)
at db2_driver_test.testConnection(Unknown Source)
at db2_driver_test.main(Unknown Source)
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:369)
at com.ibm.db2.jcc.am.tc.a(tc.java:141)
- If the (JCE) Unlimited Strength Jurisdiction Policy file is missing from the JVM then the following exception may be observed:
com.ibm.db2.jcc.am.SqlException: [jcc][1068][10625][4.15.82] Caught java.security.InvalidKeyException while encrypting data. See attached Throwable for details. ERRORCODE=-4221, SQLSTATE=null
at com.ibm.db2.jcc.am.fd.a(fd.java:680)
at com.ibm.db2.jcc.am.fd.a(fd.java:60)
at com.ibm.db2.jcc.am.fd.a(fd.java:85)
at com.ibm.db2.jcc.am.rc.a(rc.java:557)
at com.ibm.db2.jcc.am.rc.a(rc.java:497)
at com.ibm.db2.jcc.t4.b.h(b.java:2837)
at com.ibm.db2.jcc.t4.b.a(b.java:6491)
at com.ibm.db2.jcc.t4.b.b(b.java:844)
at com.ibm.db2.jcc.t4.b.a(b.java:761)
at com.ibm.db2.jcc.t4.b.a(b.java:424)
at com.ibm.db2.jcc.t4.b.a(b.java:399)
at com.ibm.db2.jcc.t4.b.<init>(b.java:337)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:232)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:198)
at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:475)
at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:116)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:215)
at ConnectSample.main(ConnectSample.java:10)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024)
at javax.crypto.Cipher.implInit(Cipher.java:790)
at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
at javax.crypto.Cipher.init(Cipher.java:1348)
at javax.crypto.Cipher.init(Cipher.java:1282)
at com.ibm.db2.jcc.am.rc.a(rc.java:552)
... 15 more
Answer
To use AES, install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy" files from Oracle.
For SERVER_ENCRYPT authentication, configure both DB2 and the JCC driver for AES encryption instead of the default DES.
- Set the ALTERNATE_AUTH_ENC database manager configuration parameter to a value of AES_CMP or AES_ONLY
- Set the JCC datasource properties securityMechanism and encryptionAlgorithm.
securityMechanism=9
encryptionAlgorithm=2
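A client-side preflight for the SERVER_ENCRYPT steps above, as an added example that is not IBM's code: it checks that the JVM policy allows AES keys beyond the 128-bit restricted limit before connecting with the two JCC properties. The class name, the DB2_PASSWORD environment variable and the URL placeholder are assumptions, and the JCC driver jar must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.crypto.Cipher;

public class Db2AesPreflight {   // hypothetical class name

    // True when the JVM policy permits AES keys longer than the 128-bit cap
    // imposed by the restricted jurisdiction policy files.
    static boolean unlimitedAesAllowed() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // The two JCC properties from the answer, plus the credentials.
    static Properties aesLoginProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("securityMechanism", "9");    // value given in the answer
        p.setProperty("encryptionAlgorithm", "2");  // value given in the answer (AES)
        return p;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("DB2_PASSWORD");  // assumed variable name
        if (args.length != 2 || password == null) {
            System.err.println("usage: DB2_PASSWORD=... java Db2AesPreflight <jdbc-url> <user>");
            System.exit(2);
        }
        if (!unlimitedAesAllowed()) {
            // Same root cause as "InvalidKeyException: Illegal key size" above.
            System.err.println("AES is capped at " + Cipher.getMaxAllowedKeyLength("AES")
                    + " bits; install the JCE Unlimited Strength policy files.");
            System.exit(1);
        }
        // args[0] is a placeholder such as jdbc:db2://<host>:<port>/<database>
        try {
            Connection c = DriverManager.getConnection(
                    args[0], aesLoginProperties(args[1], password));
            System.out.println("Connected: " + c.getMetaData().getDatabaseProductVersion());
            c.close();
        } catch (SQLException e) {
            // ERRORCODE -4223 and -4221 are the JCC codes in the traces above.
            System.err.println("Connect failed, ERRORCODE=" + e.getErrorCode()
                    + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```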
For DATA_ENCRYPT authentication refer to the following technote.
Using authentication type DATA_ENCRYPT with ORACLE Java
http://www-01.ibm.com/support/docview.wss?uid=swg21665861
Document Information
Modified date: 16 June 2018
UID: swg22003870