java.security.InvalidKeyException: Illegal key size error in PIM

Article ID: 182880

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

After an OS upgrade from W2K8R2 to W2K12R2 and a reinstallation of Privileged Identity Management (reusing the previous "FIPSkey.dat" and data), Session Recording and other components have stopped working. For each affected component, the corresponding log (e.g. ProxyManager.log) contains many errors with the string java.security.InvalidKeyException: Illegal key size.

For instance, in the ProxyManager.log of a CA PIM 12.9.X installation where the problem is occurring, one can see:

com.ca.ppm.proxymanager.jdbc.RecordingCommands    :153   | java.security.InvalidKeyException: Illegal key size

Cause

When installing ENTM, Strong Encryption for Java must be enabled. See:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-identity-manager/12-9-01/implementing/install-the-enterprise-management-server/prepare-the-server.html

This is done by replacing or updating the Java Cryptography Extension (JCE) Unlimited Jurisdiction Policy files to support high-strength cipher suites. If the OS or Java was replaced, the changes made earlier have probably been lost and remediation is necessary.

Environment

CA PIM 12.8.X, 12.9.X and 1.X and CA PAM SC 14.X on Linux or Windows

Resolution

To correct this situation, please reapply the JCE-updating script mentioned in the documentation (see link above) or follow this manual procedure:

  • For JDK 1.8_151 and later:
    • Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
    • Uncomment the following line: crypto.policy=unlimited
    • Save the file.
  • For earlier versions of the JDK, proceed as follows:
    • Locate the JCE package for your operating system on the Oracle website and download it.
    • Navigate to the jdk_home\jre\lib\security directory on your system and apply the patch to the following files: local_policy.jar and US_export_policy.jar.
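
To confirm that either procedure took effect, the following added example (not part of the original article and not CA/Broadcom code; the class name JcePolicyCheck is hypothetical) asks the JVM for its maximum permitted AES key length and tries to initialise a cipher with a 256-bit key, the operation that fails under the limited policy. It assumes it is run with the same JRE that the PIM components use, which is why it prints java.home.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic: reports whether this JVM permits high-strength keys,
// i.e. whether the JCE unlimited policy is actually in effect.
public class JcePolicyCheck {

    // Integer.MAX_VALUE means the unlimited policy is active;
    // under the limited policy AES is capped at 128 bits.
    static boolean isUnlimited() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    // Reproduces the failing operation: initialising AES with a 256-bit key
    // throws InvalidKeyException when the limited policy is in force.
    static boolean aes256Works() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, not for real data
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("AES-256 init failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home      : " + System.getProperty("java.home"));
        System.out.println("java.version   : " + System.getProperty("java.version"));
        // null if the crypto.policy line is still commented out or the JDK lacks the property
        System.out.println("crypto.policy  : " + Security.getProperty("crypto.policy"));
        System.out.println("max AES length : " + Cipher.getMaxAllowedKeyLength("AES"));
        boolean ok = isUnlimited() && aes256Works();
        System.out.println(ok ? "OK: unlimited policy active"
                              : "FAIL: limited policy still in effect");
        System.exit(ok ? 0 : 1); // non-zero exit lets a post-upgrade script catch the regression
    }
}
```

Compile and run it with the javac and java binaries under the same jdk_home that was edited above; a result from a different Java installation on the host says nothing about the one PIM uses.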