Topic
  • 8 replies
  • Latest Post - ‏2010-08-24T14:30:51Z by SystemAdmin
shyamalp
shyamalp
5 Posts

Pinned topic problem with FIPS mode in IBM JDK 1.6

‏2010-08-23T12:18:34Z |
I had posted this in the IBM Runtimes forum, but later realize this might be the right forum so posting it here:

Hi,

I have the IBM JDK 1.6 as available from the IBM eclipse development package.
I am trying to make SSL connections in the FIPS mode by following the instructions at

http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html#RunFIPS

to enable FIPS mode in IBMJSSE2.
The SSL connection fails with the following exception:

javax.net.ssl.SSLKeyException: RSA premaster secret error
at com.ibm.jsse2.fb.<init>(fb.java:62)
at com.ibm.jsse2.hb.a(hb.java:201)
at com.ibm.jsse2.hb.a(hb.java:103)
at com.ibm.jsse2.gb.n(gb.java:300)
at com.ibm.jsse2.gb.a(gb.java:78)
at com.ibm.jsse2.sc.a(sc.java:104)
at com.ibm.jsse2.sc.g(sc.java:46)
at com.ibm.jsse2.sc.a(sc.java:530)
at com.ibm.jsse2.sc.startHandshake(sc.java:601)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:126)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:49)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:23)
at com.symantec.sim.app.SimApplication.validateIP(SimApplication.java:916)
at com.symantec.sim.app.SimApplication$2.construct(SimApplication.java:646)
at com.symantec.sim.uilib.util.SwingWorker$2.run(SwingWorker.java:176)
at java.lang.Thread.run(Thread.java:735)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: IbmTlsRsaPremasterSecret for provider IBMJCEFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:144)
at javax.crypto.b.a(Unknown Source)
at javax.crypto.KeyGenerator.getInstance(Unknown Source)
at com.ibm.jsse2.pb.d(pb.java:103)
at com.ibm.jsse2.fb.<init>(fb.java:56)
... 15 more

The "IbmTlsRsaPremasterSecret" KeyGenerator is actually a part of the IBMJCE provider, and not IBMJCEFIPS provider.
Is this a bug in the IBMJSSE2? The same thing worked with the 1.4.2 runtime.

Thanks,
Shyamal
Updated on 2010-08-24T14:30:51Z at 2010-08-24T14:30:51Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-23T12:45:00Z  
    Please use the security guide corresponding to the JDK version you're using, i.e. http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html#enablefips

    Although instructions for enabling FIPS are the same, there are changes to the algorithms supported between JDK versions, as well as some provider names.
    Also ensure that you haven't removed the IBMJCE provider from the list, since it is required.
  • shyamalp
    shyamalp
    5 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-23T14:25:20Z  
    Please use the security guide corresponding to the JDK version you're using, i.e. http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html#enablefips

    Although instructions for enabling FIPS are the same, there are changes to the algorithms supported between JDK versions, as well as some provider names.
    Also ensure that you haven't removed the IBMJCE provider from the list, since it is required.
    Yes as you said, the instructions to enable the FIPS mode haven't changed, and I have followed the same instructions, including keeping the IBMJCE provider. I still get the same exception though.

    Attached is the code snippet that is used to setup SSL. We use javax.net.ssl.HttpsURLConnection for https.

    Thanks for your help,
    Shyamal
  • shyamalp
    shyamalp
    5 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T13:18:01Z  
    • shyamalp
    • ‏2010-08-23T14:25:20Z
    Yes as you said, the instructions to enable the FIPS mode haven't changed, and I have followed the same instructions, including keeping the IBMJCE provider. I still get the same exception though.

    Attached is the code snippet that is used to setup SSL. We use javax.net.ssl.HttpsURLConnection for https.

    Thanks for your help,
    Shyamal
    Finally I figured out what the problem was.
    The windows IBM SDK shipped with the eclipse development package has an older IBMJCEFIPS provider which does not contain the IbmTlsRsaPremasterSecret and other such algorithms.

    When I replaced this provider with the jar from a Linux IBM SDK, things worked. The IBMJCEFIPS provider with this version is 1.31, whereas for the windows sdk it was 1.2.

    Is this problem fixed in the windows IBM SDK in some later version, and is that available?
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T13:26:30Z  
    • shyamalp
    • ‏2010-08-24T13:18:01Z
    Finally I figured out what the problem was.
    The windows IBM SDK shipped with the eclipse development package has an older IBMJCEFIPS provider which does not contain the IbmTlsRsaPremasterSecret and other such algorithms.

    When I replaced this provider with the jar from a Linux IBM SDK, things worked. The IBMJCEFIPS provider with this version is 1.31, whereas for the windows sdk it was 1.2.

    Is this problem fixed in the windows IBM SDK in some later version, and is that available?
    The latest release of IBM JDK 6 is SR8. The developer package for Eclipse appears to ship with Java 5.0 - hence the difference. Please check the full java -version of both SDKs - the Linux SDK you used may be a newer service refresh that has updated providers.
  • shyamalp
    shyamalp
    5 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T14:09:18Z  
    The latest release of IBM JDK 6 is SR8. The developer package for Eclipse appears to ship with Java 5.0 - hence the difference. Please check the full java -version of both SDKs - the Linux SDK you used may be a newer service refresh that has updated providers.
    Actually the one shipped with 3.0 is 1.6:
    java version "1.6.0"
    Java(TM) SE Runtime Environment (build pwi3260sr1-20080416_01(SR1))
    IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260-20080415
    _18762 (JIT enabled, AOT enabled)
    J9VM - 20080415_018762_lHdSMr
    JIT - r9_20080415_1520
    GC - 20080415_AA)
    JCL - 20080412_01
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T14:17:09Z  
    • shyamalp
    • ‏2010-08-24T14:09:18Z
    Actually the one shipped with 3.0 is 1.6:
    java version "1.6.0"
    Java(TM) SE Runtime Environment (build pwi3260sr1-20080416_01(SR1))
    IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260-20080415
    _18762 (JIT enabled, AOT enabled)
    J9VM - 20080415_018762_lHdSMr
    JIT - r9_20080415_1520
    GC - 20080415_AA)
    JCL - 20080412_01
    The current latest available release of IBM JDK 6 is SR8 FP1-
    Java(TM) SE Runtime Environment (build pwi3260sr8fp1-20100624_01(SR8 FP1))
    IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8ifx-201
    00609_59383 (JIT enabled, AOT enabled)
    J9VM - 20100609_059383
    JIT - r9_20100401_15339ifx2
    GC - 20100308_AA)
    JCL - 20100624_01

    We have updated the security codebase in the 2 years since SR1 was released, hence the mismatch in providers.
  • shyamalp
    shyamalp
    5 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T14:19:24Z  
    The current latest available release of IBM JDK 6 is SR8 FP1-
    Java(TM) SE Runtime Environment (build pwi3260sr8fp1-20100624_01(SR8 FP1))
    IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8ifx-201
    00609_59383 (JIT enabled, AOT enabled)
    J9VM - 20100609_059383
    JIT - r9_20100401_15339ifx2
    GC - 20100308_AA)
    JCL - 20100624_01

    We have updated the security codebase in the 2 years since SR1 was released, hence the mismatch in providers.
    How can I get the latest version of the sdk?
  • SystemAdmin
    SystemAdmin
    2262 Posts

    Re: problem with FIPS mode in IBM JDK 1.6

    ‏2010-08-24T14:30:51Z  
    • shyamalp
    • ‏2010-08-24T14:19:24Z
    How can I get the latest version of the sdk?
    Unfortunately you can get hold of the JDK only as part of another IBM product (say, Websphere or any Rational product) that you purchased. Our licensing agreement with Sun/Oracle forbids us from providing direct downloads of the IBM JDK on any platforms that Oracle/Sun also support (namely Windows and Linux). If you look at the Java downloads section of the developerWorks website, you'll only find SDKs for AIX, z/OS and Linux on System p/z, since those are IBM owned platforms that Oracle doesn't support.

    Since the JDK is shipped along with Websphere/Rational/Tivoli products, you can use it if you already have one of them deployed(though even then you may have SR8 FP1, unless you also install the very latest fix packs for those products).