We installed the 10.1 Gateway using the steps in the installation guide to configure the Luna provider.
After doing so we connected with a client using a variety of TLS cipher suites, both RSA and DSA that use Elliptic Curve Diffie Hellman key exchanges, both ECDSA and RSA,
for example TLS_ECDHE_RSA_WITH_AES_128_
When we enable verbose debug using javax.net.debug=all
we see an exception that indicates the DH master secret derivation fails with an error indicating the JCE provider.
- maybe was SunEC that requires a "RAW Key Format" when accessing the key to perform the key derivation function. Probably this is because the Sun Provider cannot correctly handle the Luna secret key.
This worked in 8.4 with Java 7 or 8 but not with Java 11, I believe because one of the providers in the earlier version of Java was able to extract the Luna key to perform the function.
Release : 10.1
If you are planning to use the default Luna partition policy settings, ensure the following two lines are included in the ssg.security file
Resolved by correctly setting the following two parameters which are documented in the L7 Luna installation guide.
When using automated installation they did not set them correctly in the deployment scripts.