java.security.InvalidKeyException: Illegal key size error in PIM
Article ID: 182880
Updated On:
Products
CA Privileged Identity Management Endpoint (PIM)
Issue/Introduction
After an OS upgrade from W2K8R2 to W2K12R2 and Privileged Identity Management reinstallation (using previous "FIPSkey.dat" and data), Session Recording and other components have stopped working. For those components not working properly the corresponding log (e.g. ProxyManager.log) contains many errors with the java.security.InvalidKeyException: Illegal key size string.
For instance, in ProxyManager.log of a CA PIM 12.9.X installation where the problem is occurring, one can see
com.ca.ppm.proxymanager.jdbc.RecordingCommands :153 | java.security.InvalidKeyException: Illegal key size
Cause
When installing ENTM it is necessary to have Strong Encryption for Java enabled. See
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-identity-manager/12-9-01/implementing/install-the-enterprise-management-server/prepare-the-server.html
This is done by replacing or updating the Java Cryptography Extension (JCE) Unlimited Jurisdiction Policy files to support high-strength cipher suites. If the OS or Java were replaced, chances are the changes made earlier have been lost and remediation is necessary
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-identity-manager/12-9-01/implementing/install-the-enterprise-management-server/prepare-the-server.html
This is done by replacing or updating the Java Cryptography Extension (JCE) Unlimited Jurisdiction Policy files to support high-strength cipher suites. If the OS or Java were replaced, chances are the changes made earlier have been lost and remediation is necessary
Environment
CA PIM 12.8.X, 12.9.X and 1.X and CA PAM SC 14.X on Linux or Windows
Resolution
To correct this situation, please reapply the JCE-updating script mentioned in the documentation (see link above) or follow this manual procedure:
- For JDK 1.8_151 and later:
-
- Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
- Uncomment the following line: crypto.policy=unlimited
- Save the file.
- For the other previous versions of JDK, proceed as follows:
-
- Locate the JCE package for your operating system from the Oracle website and download it
- Navigate to the jdk_home\jre\lib\security directory on your system and apply the patch to the following files: local_policy.jar and US_export_policy.jar
Feedback
Yes
No
Powered by
