You are using GSKit to generate a certificate signing request or a self-signed certificate to be used with WebSphere MQ, and when running the Java version of the command "gsk7cmd" to generate a 4096-bit key, you receive an InvalidKeyException showing the error "illegal key size".
How do you fix it?
First, confirm that you are launching the Java executable in /opt/mqm/ssl/bin/. This is done by setting the JAVA_HOME environment variable to point to /opt/mqm/ssl (check the documentation for the correct setting for your operating system).
If the policy files associated with this JRE are not allowing you to create a 2048-bit certificate, you will need to replace the policy files. Older JDKs disable larger key sizes by default.
The correct way to resolve this problem is to download and replace 2 policy jar files.
They are found in /opt/mqm/ssl/lib/security and are called:
You can download the policy jar files from here:
The "local policy file" may contain restrictions that can be edited manually, but this is not the recommended approach because incorrect changes to the file can cause SSL to stop working.
As an example of how to enable other ciphers, the local_policy.jar file contains a text file called default_local.policy, in which specific crypto permissions are granted.
An example of the restrictions found in the file is shown below:
// Some countries have import limits on crypto strength. This policy file is worldwide importable.
permission javax.crypto.CryptoPermission "DES", 64;
permission javax.crypto.CryptoPermission "DESede", *;
permission javax.crypto.CryptoPermission "RC2", 128,
permission javax.crypto.CryptoPermission "RC4", 128;
permission javax.crypto.CryptoPermission "RC5", 128,
"javax.crypto.spec.RC5ParameterSpec", *, 12, *;
permission javax.crypto.CryptoPermission "RSA", 2048;
permission javax.crypto.CryptoPermission *, 128;
You can replace the contents of this file with the contents shown below:
// Country-specific policy file for countries with no limits on crypto strength.
// There is no restriction to any algorithms.
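To check what a given default_local.policy permits before running gsk7cmd, the following added example (not part of the original note or of IBM's tooling) parses the CryptoPermission entries and reports whether a key size is allowed. The sample policies are constructed from the excerpt above; the grant wrapper, the CryptoAllPermission line in the unrestricted sample, the function names, and the lookup rule (the algorithm's own entry, otherwise the wildcard) are assumptions.

```python
import re

UNLIMITED = float("inf")
PERM_RE = re.compile(
    r'permission\s+javax\.crypto\.CryptoPermission\s+'
    r'(?:"(?P<alg>[^"]+)"|\*)\s*,\s*(?P<size>\d+|\*)')
ALL_RE = re.compile(r'permission\s+javax\.crypto\.CryptoAllPermission\s*;')

def parse_policy(text):
    """Return {ALGORITHM: max key bits}; the key "*" is the wildcard entry."""
    # Drop // comments so commented-out grants are not counted.
    body = "\n".join(line.split("//", 1)[0] for line in text.splitlines())
    if ALL_RE.search(body):
        return {"*": UNLIMITED}
    limits = {}
    for m in PERM_RE.finditer(body):
        alg = m.group("alg") or "*"
        size = UNLIMITED if m.group("size") == "*" else int(m.group("size"))
        limits[alg.upper()] = size
    return limits

def max_key_bits(limits, algorithm):
    """Assumed model: the algorithm's own entry, else the wildcard, else 0."""
    return limits.get(algorithm.upper(), limits.get("*", 0))

def allows(limits, algorithm, bits):
    """True if a key of `bits` bits is within the policy limit."""
    return bits <= max_key_bits(limits, algorithm)

# Constructed sample inputs based on the excerpt quoted on this page.
RESTRICTED = '''
// Some countries have import limits on crypto strength.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    permission javax.crypto.CryptoPermission *, 128;
};
'''
UNRESTRICTED = '''
// There is no restriction to any algorithms.
grant {
    permission javax.crypto.CryptoAllPermission;
};
'''

if __name__ == "__main__":
    for name, text in (("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED)):
        print(name, "RSA 4096 allowed:", allows(parse_policy(text), "RSA", 4096))
```

To confirm the limit the JRE actually enforces, javax.crypto.Cipher.getMaxAllowedKeyLength("RSA") run under the same JAVA_HOME reports it directly.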