Solved: ID21108:java.lang.security EXception, Unsupported ...

Former Member · ‎02-03-2007

Hi,

We have ABAP instace and java instance on the same server. Installed SSL certificate in ABAP instance and we would like use the same key pair for JAVA instance. done the same thing in development without any problem. In QA environment we have stuck up with below error

<b>ID 21108:java.lang.securityException, Unsupported key size or Algorithm parameters.</b>

followed below procedure for exporting from ABAP stack

sapgenpse export_p12 -p SAPSSL.PSE f:\mynewpse.p12, it prompted for the passord two times and successfully exported.

while importing in j2EE engine by Keystore service, ssl_service--> clicked on load and selected the exported certifcate which is in p12 format, prompting the above stated error.

I have tried to read the exported certficate by using the below command

:\usr\sap\CPQ\SYS\exe\run>sapgenpse get_my_name -p f:\mynewpse.p12

its prompting below error

get_my_name: Couldn't open PSE "f:\mynewpse.p12"

ERROR in af_open: (4356/0x1104) PSEFile

ERROR in secsw_open: (4356/0x1104) PSEFile

ERROR in sec_parse_PSEInfo_cont: (4356/0x1104) PSEFile

ERROR in d_PSEFile: (18/0x0012) decoding error for : "PSEFile"

Please help me to solve this problem

Thanks and regards

Seshu

Former Member · ‎02-03-2007

Hi Seshu,

which is the key size u are using?

Normally with java the keysize limit depends on the settings defined in the archive local_policy.jar.

You can get more detailed information on this at java.sun.com

Hope this hint helps you!

Kind Regards,

Sergio

Former Member · ‎02-03-2007

Hi Seshu,

which is the key size u are using?

Normally with java the keysize limit depends on the settings defined in the archive local_policy.jar.

You can get more detailed information on this at java.sun.com

Hope this hint helps you!

Kind Regards,

Sergio

Former Member · ‎02-04-2007

Hi

It would be great if you can explain me that how to see the settings which are defined for the local_policy.jar.

I successfully exported the PSE, but i am facing the problem while importing into J2EE engine, below the are the details of exported PSE from ABAP stack.

K:\usr\sap\CPQ\SYS\exe\run>sapgenpse get_my_name -p K:\usr\sap\CPQ\DVEBMGS00\sec

\SAPSSLS.pse

No SSO for USER "Infosys"

with PSE file "K:\usr\sap\CPQ\DVEBMGS00\sec\SAPSSLS.pse"

Subject : CN=esp22.corp.clp.com.hk, OU="Member, VeriSign Trust Network", OU=Auth

enticated by HiTRUST HK, OU=Terms of use at www.hitrust.com.hk/rpa (c) 04, OU=IT

Group, O=CLP Power Hong Kong Limited, L=Hong Kong, SP=Hong Kong, C=HK

Issuer : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, O

U=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Tr

ust Network

Serialno: 56:7B:85:E4:5E:9A:C9:76:D7:8F:33:E6:81:10:14:F7

KeyInfo : RSA, 1024-bit

Validity - NotBefore: Mon Jan 22 08:00:00 2007 (070122000000Z)

NotAfter: Wed Jan 23 07:59:59 2008 (080122235959Z)

Key Lenth is 1024-bit

Please help me to solve this problem

Thanks and regards

Seshu

Former Member · ‎02-16-2007

Hi Sergio,

Thank you!

Your Hint helped to some extent to solve this problem. This issue has been resolved by applying the note 739043. We have limited/strong crypto policy files in

local_policy.jar. So we down loaded unlimited/strong crypto policy files from java.sun.com and replaced the existing policy files. Exported SSL certificate from ABAP satck and imported to java stack with out any problem.

To know the present policy files in your present server (i.e to read the content in the META-INF/MAINFEST.MF file ) <b>zip</b> the local_policy.jar.

We understand that limited crypto policy files can't support all RSA keysize. In development we used DSA so we did't face this problem in DEV.

Thanks and regards

Seshu

WolfgangJanzen · ‎02-05-2007

Hi Seshu,

when trying to import the certificate (plus corresponding private key) into the keystore on the NWAS Java did you choose the proper import method (for PKCS#12 format)?

I'm asking because at least for the NWAS ABAP (when using sapgenpse) you seem not to be aware that the (proprietary) PSE file format is entirely different from the (standardized) PKCS#12 format.

Regards, Wolfgang

PS: RSA certificates with key size 1024 should not be a problem for both stacks

Former Member · ‎02-05-2007

Hi Wolfgang,

How are you?.

Thank you!. I am waiting for your response only.

In Development we have followed the same procedure only, we havent face this error.

I have folowed the below command for export from ABAP stack

sapgenpse export_p12 -p SAPSSLS.pse mynewpse.p12

please suggest me some thing to solve this problem.

Thanks and regards

Seshu

WolfgangJanzen · ‎02-05-2007

That looks o.k. (PSE -> PKCS#12).

You can actually analyse the result (PKCS#12 file) using your Microsoft Operating System: simply open that file -> "Certificate Import Wizard" will be launched. That allows you to import that certificate to the (local) Microsoft keystore of your PC (where you can display and delete it afterwards using the IE -> Tools -> Internet Options -> Content -> Certificates).

Is it possible that you are using the "export version" of the IAIK toolkit on the NWAS Java? (similiar to SAPSECULIB on the NWAS ABAP: that's the "export version" of the SAPCRYPTOLIB - due to export control regulations).

Regards, Wolfgang

Former Member · ‎02-05-2007

Hi,

I have checked the certificate, it looks okey.

What could be the other reason?. In development we havent get this error.

We have applied strong encryption to J2EE engine (IAIK_jce.jar)

Please help me to solve this problem.

Thanks and regards

Seshu

ID21108:java.lang.security EXception, Unsupported Key Size