shyamalp

problem with FIPS mode in IBM JDK 1.6

2010-08-23T12:18:34Z
I had posted this in the IBM Runtimes forum, but later realized this might be the right forum, so I am posting it here:

Hi,

I have the IBM JDK 1.6 as available from the IBM Eclipse development package.
I am trying to make SSL connections in the FIPS mode by following the instructions at

http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html#RunFIPS

to enable FIPS mode in IBMJSSE2.
The SSL connection fails with the following exception:

javax.net.ssl.SSLKeyException: RSA premaster secret error
at com.ibm.jsse2.fb.<init>(fb.java:62)
at com.ibm.jsse2.hb.a(hb.java:201)
at com.ibm.jsse2.hb.a(hb.java:103)
at com.ibm.jsse2.gb.n(gb.java:300)
at com.ibm.jsse2.gb.a(gb.java:78)
at com.ibm.jsse2.sc.a(sc.java:104)
at com.ibm.jsse2.sc.g(sc.java:46)
at com.ibm.jsse2.sc.a(sc.java:530)
at com.ibm.jsse2.sc.startHandshake(sc.java:601)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:126)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:49)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:23)
at com.symantec.sim.app.SimApplication.validateIP(SimApplication.java:916)
at com.symantec.sim.app.SimApplication$2.construct(SimApplication.java:646)
at com.symantec.sim.uilib.util.SwingWorker$2.run(SwingWorker.java:176)
at java.lang.Thread.run(Thread.java:735)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: IbmTlsRsaPremasterSecret for provider IBMJCEFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:144)
at javax.crypto.b.a(Unknown Source)
at javax.crypto.KeyGenerator.getInstance(Unknown Source)
at com.ibm.jsse2.pb.d(pb.java:103)
at com.ibm.jsse2.fb.<init>(fb.java:56)
... 15 more

The "IbmTlsRsaPremasterSecret" KeyGenerator is actually a part of the IBMJCE provider, and not IBMJCEFIPS provider.
Is this a bug in the IBMJSSE2? The same thing worked with the 1.4.2 runtime.

Thanks,
Shyamal
  • SystemAdmin

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-23T12:45:00Z  in response to shyamalp
    Please use the security guide corresponding to the JDK version you're using, i.e. http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html#enablefips

    Although instructions for enabling FIPS are the same, there are changes to the algorithms supported between JDK versions, as well as some provider names.
    Also ensure that you haven't removed the IBMJCE provider from the list, since it is required.
    • shyamalp

      Re: problem with FIPS mode in IBM JDK 1.6

      ‏2010-08-23T14:25:20Z  in response to SystemAdmin
      Yes, as you said, the instructions to enable the FIPS mode haven't changed, and I have followed the same instructions, including keeping the IBMJCE provider. I still get the same exception though.

      Attached is the code snippet that is used to set up SSL. We use javax.net.ssl.HttpsURLConnection for https.

      Thanks for your help,
      Shyamal
      • shyamalp

        Re: problem with FIPS mode in IBM JDK 1.6

        ‏2010-08-24T13:18:01Z  in response to shyamalp
        Finally I figured out what the problem was.
        The Windows IBM SDK shipped with the Eclipse development package has an older IBMJCEFIPS provider which does not contain the IbmTlsRsaPremasterSecret and other such algorithms.

        When I replaced this provider with the jar from a Linux IBM SDK, things worked. The IBMJCEFIPS provider with this version is 1.31, whereas for the Windows SDK it was 1.2.

        Is this problem fixed in the Windows IBM SDK in some later version, and is that available?
        • SystemAdmin

          Re: problem with FIPS mode in IBM JDK 1.6

          ‏2010-08-24T13:26:30Z  in response to shyamalp
          The latest release of IBM JDK 6 is SR8. The developer package for Eclipse appears to ship with Java 5.0 - hence the difference. Please check the full java -version of both SDKs - the Linux SDK you used may be a newer service refresh that has updated providers.
          • shyamalp

            Re: problem with FIPS mode in IBM JDK 1.6

            ‏2010-08-24T14:09:18Z  in response to SystemAdmin
            Actually the one shipped with 3.0 is 1.6:
            java version "1.6.0"
            Java(TM) SE Runtime Environment (build pwi3260sr1-20080416_01(SR1))
            IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260-20080415_18762 (JIT enabled, AOT enabled)
            J9VM - 20080415_018762_lHdSMr
            JIT - r9_20080415_1520
            GC - 20080415_AA)
            JCL - 20080412_01
            • SystemAdmin

              Re: problem with FIPS mode in IBM JDK 1.6

              ‏2010-08-24T14:17:09Z  in response to shyamalp
              The current latest available release of IBM JDK 6 is SR8 FP1:
              Java(TM) SE Runtime Environment (build pwi3260sr8fp1-20100624_01(SR8 FP1))
              IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8ifx-20100609_59383 (JIT enabled, AOT enabled)
              J9VM - 20100609_059383
              JIT - r9_20100401_15339ifx2
              GC - 20100308_AA)
              JCL - 20100624_01

              We have updated the security codebase in the 2 years since SR1 was released, hence the mismatch in providers.
              • shyamalp

                Re: problem with FIPS mode in IBM JDK 1.6

                ‏2010-08-24T14:19:24Z  in response to SystemAdmin
                How can I get the latest version of the SDK?
                • SystemAdmin

                  Re: problem with FIPS mode in IBM JDK 1.6

                  ‏2010-08-24T14:30:51Z  in response to shyamalp
                  Unfortunately you can get hold of the JDK only as part of another IBM product (say, WebSphere or any Rational product) that you purchased. Our licensing agreement with Sun/Oracle forbids us from providing direct downloads of the IBM JDK on any platforms that Oracle/Sun also support (namely Windows and Linux). If you look at the Java downloads section of the developerWorks website, you'll only find SDKs for AIX, z/OS and Linux on System p/z, since those are IBM owned platforms that Oracle doesn't support.

                  Since the JDK is shipped along with WebSphere/Rational/Tivoli products, you can use it if you already have one of them deployed (though even then you may have SR8 FP1, unless you also install the very latest fix packs for those products).
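
A diagnostic for the provider mismatch this thread arrives at, added here as an example and not part of any original post: it prints the runtime build, the registered providers with their versions, and whether IBMJCEFIPS and IBMJCE offer the `IbmTlsRsaPremasterSecret` key generator named in the stack trace. The class name `FipsProviderCheck` is hypothetical; the provider and algorithm names are taken from the posts above.

```java
import java.security.Provider;
import java.security.Security;

public class FipsProviderCheck {
    // Provider and algorithm names are the ones quoted in this thread.
    static final String[] PROVIDERS = { "IBMJCEFIPS", "IBMJCE" };
    static final String SERVICE_TYPE = "KeyGenerator";
    static final String ALGORITHM = "IbmTlsRsaPremasterSecret";

    /** Reports whether a provider is registered and offers the key generator. */
    static String describe(String providerName) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return providerName + ": not registered in this JVM";
        }
        boolean offered = p.getService(SERVICE_TYPE, ALGORITHM) != null;
        // getVersion() returns a double (for example 1.2 or 1.31).
        return providerName + " " + p.getVersion() + ": " + SERVICE_TYPE + "."
                + ALGORITHM + (offered ? " available" : " MISSING");
    }

    public static void main(String[] args) {
        // Runtime build string, to compare service refresh levels between SDKs.
        System.out.println("java.runtime.version = "
                + System.getProperty("java.runtime.version"));

        // Registered providers in preference order, as set in java.security.
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            System.out.println((i + 1) + ". " + all[i].getName()
                    + " " + all[i].getVersion());
        }

        // The check that matters for the NoSuchAlgorithmException above.
        for (String name : PROVIDERS) {
            System.out.println(describe(name));
        }
    }
}
```

Run it with the same JVM and `java.security` configuration as the failing application; a "MISSING" line for IBMJCEFIPS corresponds to the exception in the first post.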