Topic
  • 9 replies
  • Latest Post - ‏2002-06-18T20:05:02Z by SystemAdmin
SystemAdmin
SystemAdmin
2262 Posts

Pinned topic Cannot set up certs for trusted CAs

‏2001-09-21T11:48:19Z |
Hi

I'm getting this error when using IBM J2RE 1.3.0, everything worked fine with
the JDK1.3 from SUN:

java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set
up certs for trusted CAs
at javax.crypto.JceSecurity.<clinit>(Unknown Source)
at javax.crypto.KeyGenerator.getInstance(Unknown Source)

Any ideas?
Updated on 2002-06-18T20:05:02Z at 2002-06-18T20:05:02Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:03:16Z  
    I have the same problem and have not found a solution. It occurs when I am
    trying to read a PFX file and validate the MAC, or trying to do anything
    related to encryption/decryption ... i.e. when I call Cipher.getInstance(), or
    as you mentioned, trying to generate keys.

    There are several things that I tried to solve this problem:
    1) I installed the certificate from my in-house CA that issues the certificates
    that I am using for testing. I put this certificate into the keystore.
    2) I edited the java.policy file to put in the proper location of the keystore
    ... i.e. something like this
    keystore "file:C:/ProgramFiles/IBM/Java13/jre/lib/security/cacerts", "JKS";
    3) Added JCE as a security provider of course. I did this in java.security and
    also in the source code.
    4) I also went through the Netscape procedure for installing my CA certificate
    with no problems.

    It seems if we can at least find out what the error message actually means, we
    can find a way to solve it!
    Updated on 2002-06-18T20:03:16Z at 2002-06-18T20:03:16Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:03:20Z  
    Not that this is a solution but it gives some area of investigation:

    We have a NT client base as well as a Sun/Solaris client base. Just for
    laughs, I used the IBM JARs on my Unix workstation with the SUN JDK1.3.1 and
    everything worked perfectly!!!

    I could read not only *.P12 (PFX) files, but X509 certificate files and PKCS8
    private key files in either DER or PEM encoding.

    Also, I was able to use the Cipher classes to encrypt and decrypt, etc. The
    world is a happy place on Unix.

    I did have to manually convert the Java keys into IBM format keys, which took a
    good while to figure out ... in other words:

    Using an instance of
    java.security.interfaces.RSAPublicKey()
    that I got from the P12 file or X509 certificate, I created an instance of
    com.ibm.crypto.provider.RSAPublicKey()

    Otherwise, trying to get an instance of any Cipher gave me a "bad key encoding"
    exception.

    I then decided to try the same thing on NT ... use SUN's JDK 1.3.1 instead of
    the JDK that came with the IBM package. Nada on the *.P12 files. Seems that I
    cannot extract any certificates from the P12 ... or none are found. I am
    still trying to see if I can find a way around this issue ... but if no one is
    interested in this any further, I'll take it offline .........
    Contact me if you like using rdawkins@atdsprint.com

    Thanks!
    Updated on 2002-06-18T20:03:20Z at 2002-06-18T20:03:20Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:03:23Z  
    There are 2 possible solutions:

    1) Make sure that all 4 jars are in the same directory or classpath:
    ibmjcefw.jar, ibmjceprovider.jar, local_policy.jar and US_export_policy.jar

    2) There is a "bug" in the JDK level that has problems dealing with spaces in a
    URL, so if you have the above files in a path that has spaces (i.e. c:\program
    file\IBM\Java13) then that will cause problems when the JCE framework verifies
    the provider and the JCE provider verifies the framework. There is a fix in JCE
    to get around the JDK issue. The workaround is to not have a space in the path
    where the JCE files are placed.
    Updated on 2002-06-18T20:03:23Z at 2002-06-18T20:03:23Z by SystemAdmin
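
A diagnostic for the two conditions in the reply above, added here as an example (it is not part of the thread and is not IBM's code): it looks for the four named jars on the classpath and in the extension directories, then flags any that are missing, spread over different directories, or on a path containing a space. The class name JceJarCheck is hypothetical, and the check assumes it is run with the same JVM and classpath as the failing application.

```java
import java.io.File;
import java.util.*;

public class JceJarCheck {
    // Jar names exactly as listed in the reply above.
    static final String[] JARS = {"ibmjcefw.jar", "ibmjceprovider.jar",
                                  "local_policy.jar", "US_export_policy.jar"};

    // Every copy of `jar` reachable through the classpath or an extension directory.
    static List<File> locate(String jar) {
        List<File> hits = new ArrayList<File>();
        String cp = System.getProperty("java.class.path", "");
        for (String entry : cp.split(File.pathSeparator)) {
            File f = new File(entry).getAbsoluteFile();
            if (f.isFile() && f.getName().equalsIgnoreCase(jar)) hits.add(f);
        }
        // java.ext.dirs is unset on JVMs that have no extension mechanism.
        String ext = System.getProperty("java.ext.dirs", "");
        for (String dir : ext.split(File.pathSeparator)) {
            if (dir.length() == 0) continue;
            File f = new File(dir, jar).getAbsoluteFile();
            if (f.isFile()) hits.add(f);
        }
        return hits;
    }

    public static void main(String[] args) {
        Set<File> dirs = new LinkedHashSet<File>();
        boolean ok = true;
        for (String jar : JARS) {
            List<File> hits = locate(jar);
            if (hits.isEmpty()) {
                System.out.println("MISSING  " + jar);
                ok = false;
            }
            for (File f : hits) {
                dirs.add(f.getParentFile());
                boolean space = f.getPath().indexOf(' ') >= 0;
                System.out.println((space ? "SPACE    " : "ok       ") + f);
                if (space) ok = false;
            }
        }
        if (dirs.size() > 1) {   // condition 1: all jars in one directory
            System.out.println("SPLIT    jars are spread over " + dirs);
            ok = false;
        }
        System.out.println(ok ? "Neither condition found" : "Fix the flagged items");
        System.exit(ok ? 0 : 1);
    }
}
```
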
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:03:23Z  
    Yes, it works! I moved the IBM install out of C:\Program Files, and the rest
    is history. Thanks for the words of wisdom. Now why does IBM install to a
    default of "C:\Program Files\<etc>" ?
    Updated on 2002-06-18T20:03:23Z at 2002-06-18T20:03:23Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:04:27Z  
    Well, Sun introduced this bug in a JDK level, so this is left up to
    applications that use URLs to fix instead of backing out the fix in the JVM!
    Updated on 2002-06-18T20:04:27Z at 2002-06-18T20:04:27Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:04:30Z  
    Hi,
    I made sure there are no spaces in the URL, I'm still experiencing the problem
    however.
    Please help.

    Dmitry
    Updated on 2002-06-18T20:04:30Z at 2002-06-18T20:04:30Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:04:30Z  
    Not the URL, but the path to the
    ibmjcefw.jar
    ibmjceprovider.jar
    local_policy.jar
    US_export_policy.jar

    must not have spaces
    Updated on 2002-06-18T20:04:30Z at 2002-06-18T20:04:30Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:04:30Z  
    Thanks for responding so promptly....
    I'm actually using the Sun jars,
    jce1_2_1.jar
    sunjce_provider.jar
    local_policy.jar
    US_export_policy.jar

    I imported the packages from the jars into VisualAge into project JCE.

    I made sure there are no spaces in the path to the JCE project. Am I doing
    something wrong?

    Thanks,
    Dmitry
    Updated on 2002-06-18T20:04:30Z at 2002-06-18T20:04:30Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    RE: Cannot set up certs for trusted CAs

    ‏2002-06-18T20:05:02Z  
    We don't support the Sun JCE code but can try to provide help.

    Is the JCE code in the EXT directory or on the classpath?
    Updated on 2002-06-18T20:05:02Z at 2002-06-18T20:05:02Z by SystemAdmin