I had posted this in the IBM Runtimes forum, but later realize this might be the right forum so posting it here:
I have the IBM JDK 1.6 as available from the IBM eclipse development package.
I am trying to make SSL connections in the FIPS mode by following the instructions at
to enable FIPS mode in IBMJSSE2.
The SSL connection fails with the following exception:
javax.net.ssl.SSLKeyException: RSA premaster secret error
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: IbmTlsRsaPremasterSecret for provider IBMJCEFIPS
at javax.crypto.b.a(Unknown Source)
at javax.crypto.KeyGenerator.getInstance(Unknown Source)
... 15 more
The "IbmTlsRsaPremasterSecret" KeyGenerator is actually a part of the IBMJCE provider, and not IBMJCEFIPS provider.
Is this a bug in the IBMJSSE2? The same thing worked with the 1.4.2 runtime.
This topic has been locked.
8 replies Latest Post - 2010-08-24T14:30:51Z by SystemAdmin
Pinned topic problem with FIPS mode in IBM JDK 1.6
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2010-08-24T14:30:51Z at 2010-08-24T14:30:51Z by SystemAdmin
Re: problem with FIPS mode in IBM JDK 1.62010-08-23T12:45:00Z in response to shyamalpPlease use the security guide corresponding to the JDK version you're using, i.e. http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html#enablefips
Although instructions for enabling FIPS are the same, there are changes to the algorithms supported between JDK versions, as well as some provider names.
Also ensure that you haven't removed the IBMJCE provider from the list, since it is required.
Re: problem with FIPS mode in IBM JDK 1.62010-08-23T14:25:20Z in response to SystemAdminYes as you said, the instructions to enable the FIPS mode haven't changed, and I have followed the same instructions, including keeping the IBMJCE provider. I still get the same exception though.
Attached is the code snippet that is used to setup SSL. We use javax.net.ssl.HttpsURLConnection for https.
Thanks for your help,
Re: problem with FIPS mode in IBM JDK 1.62010-08-24T13:18:01Z in response to shyamalpFinally I figured out what the problem was.
The windows IBM SDK shipped with the eclipse development package has an older IBMJCEFIPS provider which does not contain the IbmTlsRsaPremasterSecret and other such algorithms.
When I replaced this provider with the jar from a Linux IBM SDK, things worked. The IBMJCEFIPS provider with this version is 1.31, whereas for the windows sdk it was 1.2.
Is this problem fixed in the windows IBM SDK in some later version, and is that available?
Re: problem with FIPS mode in IBM JDK 1.62010-08-24T13:26:30Z in response to shyamalpThe latest release of IBM JDK 6 is SR8. The developer package for Eclipse appears to ship with Java 5.0 - hence the difference. Please check the full java -version of both SDKs - the Linux SDK you used may be a newer service refresh that has updated providers.
Re: problem with FIPS mode in IBM JDK 1.62010-08-24T14:09:18Z in response to SystemAdminActually the one shipped with 3.0 is 1.6:
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr1-20080416_01(SR1))
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260-20080415
_18762 (JIT enabled, AOT enabled)
J9VM - 20080415_018762_lHdSMr
JIT - r9_20080415_1520
GC - 20080415_AA)
JCL - 20080412_01
Re: problem with FIPS mode in IBM JDK 1.62010-08-24T14:17:09Z in response to shyamalpThe current latest available release of IBM JDK 6 is SR8 FP1-
Java(TM) SE Runtime Environment (build pwi3260sr8fp1-20100624_01(SR8 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8ifx-201
00609_59383 (JIT enabled, AOT enabled)
J9VM - 20100609_059383
JIT - r9_20100401_15339ifx2
GC - 20100308_AA)
JCL - 20100624_01
We have updated the security codebase in the 2 years since SR1 was released, hence the mismatch in providers.
Re: problem with FIPS mode in IBM JDK 1.62010-08-24T14:30:51Z in response to shyamalpUnfortunately you can get hold of the JDK only as part of another IBM product (say, Websphere or any Rational product) that you purchased. Our licensing agreement with Sun/Oracle forbids us from providing direct downloads of the IBM JDK on any platforms that Oracle/Sun also support (namely Windows and Linux). If you look at the Java downloads section of the developerWorks website, you'll only find SDKs for AIX, z/OS and Linux on System p/z, since those are IBM owned platforms that Oracle doesn't support.
Since the JDK is shipped along with Websphere/Rational/Tivoli products, you can use it if you already have one of them deployed(though even then you may have SR8 FP1, unless you also install the very latest fix packs for those products).