IBM Support

50 DB2 Nuggets #15 : Tech Tip - Implementing encryption from DB2 JDBC program running with ORACLE Java

Technical Blog Post



Hi All!

I had the opportunity to implement AES encryption from a Java program using a DB2 JDBC driver with ORACLE Java. Here are all the steps I took:

1> On the client machine, I installed ORACLE Java 7:
http://www.oracle.com/technetwork/java/javase/archive-139210.html

C:\Program Files\Java\jdk1.7.0_45\jre\bin>java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode, sharing)


2> On the server, I changed the configuration as below to support AES encryption:

[db2v97@ts-carose ~]$ db2 get dbm cfg | grep auth
 GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) =
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = AES_ONLY
 Cataloging allowed without authority   (CATALOG_NOAUTH) = NO
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
 Bypass federated authentication            (FED_NOAUTH) = NO

More information about DB2 Server's authentication types can be found here

3> On the client, I created a sample connection program ConnectSample.java with code as below:

        // Needs: import java.sql.Connection; import java.sql.DriverManager;
        Class.forName("com.ibm.db2.jcc.DB2Driver").newInstance();
        // securityMechanism=9: encrypted user ID and password; encryptionAlgorithm=2: AES
        String url = "jdbc:db2://hostName:portNumber/DBName:securityMechanism=9;encryptionAlgorithm=2;";
        Connection con = DriverManager.getConnection(url, "userName", "password");
        System.out.println("Connected to Server");
        con.close();

More information on securityMechanism and encryptionAlgorithm properties can be found here

4> I compiled and ran ConnectSample.java and got the same error as yours, i.e. 4221 InvalidKeyException.

C:\Program Files\Java\jdk1.7.0_45\jre\bin>java ConnectSample
Exception: com.ibm.db2.jcc.am.SqlException: [jcc][1068][10625][4.15.82] Caught java.security.InvalidKeyException while encrypting data.  See attached Throwable for details. ERRORCODE=-4221, SQLSTATE=null
com.ibm.db2.jcc.am.SqlException: [jcc][1068][10625][4.15.82] Caught java.security.InvalidKeyException while encrypting data.  See attached Throwable for details. ERRORCODE=-4221, SQLSTATE=null
        at com.ibm.db2.jcc.am.fd.a(fd.java:680)
        at com.ibm.db2.jcc.am.fd.a(fd.java:60)
        at com.ibm.db2.jcc.am.fd.a(fd.java:85)
        at com.ibm.db2.jcc.am.rc.a(rc.java:557)
        at com.ibm.db2.jcc.am.rc.a(rc.java:497)
        at com.ibm.db2.jcc.t4.b.h(b.java:2837)
        at com.ibm.db2.jcc.t4.b.a(b.java:6491)
        at com.ibm.db2.jcc.t4.b.b(b.java:844)
        at com.ibm.db2.jcc.t4.b.a(b.java:761)
        at com.ibm.db2.jcc.t4.b.a(b.java:424)
        at com.ibm.db2.jcc.t4.b.a(b.java:399)
        at com.ibm.db2.jcc.t4.b.<init>(b.java:337)
        at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:232)
        at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:198)
        at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:475)
        at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:116)
        at java.sql.DriverManager.getConnection(DriverManager.java:571)
        at java.sql.DriverManager.getConnection(DriverManager.java:215)
        at ConnectSample.main(ConnectSample.java:10)
Caused by: java.security.InvalidKeyException: Illegal key size
        at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024)
        at javax.crypto.Cipher.implInit(Cipher.java:790)
        at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
        at javax.crypto.Cipher.init(Cipher.java:1348)
        at javax.crypto.Cipher.init(Cipher.java:1282)
        at com.ibm.db2.jcc.am.rc.a(rc.java:552)
        ... 15 more

 

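This happens because AES encryption requires an unrestricted policy file for JCE. The policy files that ship with the JRE restrict key sizes, which is what "Illegal key size" reports. For the IBM SDK for Java, the file is available at the following location: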

https://www.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
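
To confirm this diagnosis on a given JRE before and after changing its policy files, the following added example (not part of the original post or of the DB2 driver) reports the JCE key-size limit and repeats the failing Cipher.init call. The class name JcePolicyCheck is hypothetical, and the code assumes that encryptionAlgorithm=2 means 256-bit AES, as IBM's driver documentation describes it.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.security.Security;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic (hypothetical class name): reports whether this JRE allows
// the 256-bit AES that encryptionAlgorithm=2 is assumed to require.
public class JcePolicyCheck {

    // Initialises an AES cipher with a key of the given size; under the limited
    // policy this fails in Cipher.init, the same place as the stack trace above.
    static boolean canInitAes(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8];              // constructed all-zero test key
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {                // "Illegal key size"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.home    : " + home);
        // The policy jars this JRE loads; newer JREs keep them elsewhere.
        for (String name : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(new File(home, "lib/security"), name);
            System.out.println(name + " : " + (f.isFile()
                    ? f.length() + " bytes, modified " + new Date(f.lastModified())
                    : "not found in lib/security"));
        }
        // Null unless the JRE selects its policy by security property.
        System.out.println("crypto.policy: " + Security.getProperty("crypto.policy"));
        int max = Cipher.getMaxAllowedKeyLength("AES");  // 128 under the limited policy
        System.out.println("max AES bits : "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        boolean aes256 = canInitAes(256);
        System.out.println("AES-128 init : " + canInitAes(128) + ", AES-256 init : " + aes256);
        if (!aes256) {
            System.out.println("AES-256 unavailable: expect ERRORCODE=-4221 with encryptionAlgorithm=2");
            System.exit(1);
        }
    }
}
```

Run it with the same java binary that runs ConnectSample, because each JRE installation has its own policy files. On Java 8u161 and later the unlimited policy is the default, so no policy-jar replacement is needed there.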


5> I downloaded the JCE Unlimited Strength Jurisdiction Policy Files for ORACLE Java from the Internet. This is the link for the Java 6 JCE files:
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

Once the Unlimited JCE files are downloaded, unzip the archive; it contains 3 files:

        README.txt
        local_policy.jar
        US_export_policy.jar


6> I renamed the existing local_policy.jar and US_export_policy.jar in jre\lib\security to something else, then copied the new local_policy.jar and US_export_policy.jar from the Unlimited JCE files into jre\lib\security.

And then ran my ConnectSample.java again:

C:\Program Files\Java\jdk1.7.0_45\jre\bin>java ConnectSample
Connected to Server

Yuppie! I am sending encrypted user id and password over the wire!

Thank you for reading!

 
