We encountered an SSL error (cipher not initialized) when the app tried to contact a third-party vendor. Below is the error we saw:
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.certicom.tls.provider.Cipher.init(Unknown Source)
at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)
We also saw:
java.lang.IllegalStateException: Cipher not initialized
Solution:
It looks like the vendor has updated the certificate.
Please add -Dweblogic.security.SSL.nojce=true to your JVM arguments and restart the instances. With this argument enabled, WebLogic will use the FIPS PUB 140-2 crypto module to implement SSL.
http://en.wikipedia.org/wiki/FIPS_140-2
Will I be safe if I use the above JVM argument? What exactly does the property -Dweblogic.security.SSL.nojce=true do? (From Oracle Doc ID 1299207.1)
The WLS built-in SSL implementation uses JCE providers to support its functionality. For example, it uses Signatures. It also has built-in implementations of some JCE functionality, so it can continue to work in the absence of a JCE provider (for example, if the JDK configuration doesn’t supply one). This flag also provides a hook to output some informational messages to the log file about what provider is being used.
When this SSL implementation was integrated into WLS, we wanted SSL to use the JCE providers configured on the system, rather than the built-in ones. So, without the weblogic.security.SSL.nojce flag (or with a value of false), the providers are loaded according to the JDK JCE configuration: this is the default.
But a flag value of true means to use the built-in provider functionality rather than going to the configured JCE providers. We have added functionality to the built-in SSL implementation to load jsafe functionality first; if it can’t load that (because jsafeFIPS.jar is not in the classpath), it will fall back to using the built-in functionality. For example, when the flag is true and jsafeFIPS.jar is present, it will load the RSA Signature from jsafe.
The weblogic.security.SSL.nojce flag only applies to the built-in SSL; it does not apply to JSSE. If an application or some other part of WLS wanted to use a JCE provider, it would be loaded as specified by the JDK JCE configuration, no matter what the weblogic.security.SSL.nojce value is.
Does the property -Dweblogic.security.SSL.nojce=true make my WebLogic server instance less secure?
No, not really. The SSL client sends its preference of cipher suites, and the SSL server (WLS) picks the strongest cipher suite it can support from that list. If you have placed jsafeFIPS.jar in the front of the classpath, that will be the provider used.
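The stack trace above fails inside javax.crypto.Cipher.init, and without the flag the built-in SSL uses whatever the JDK JCE configuration supplies, so the following diagnostic (an added example, not code from the original post or from Oracle) lists the configured providers in preference order and checks whether the JVM itself rejects a large key with the same "Illegal key size" exception. The class name JceCheck and the choice of AES with a 256-bit key as the probe are assumptions made for illustration; the page does not say which cipher suite the vendor negotiated.

```java
import java.security.InvalidKeyException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic (hypothetical class name): reports what the JDK JCE
// configuration offers to a JVM started without weblogic.security.SSL.nojce=true.
public class JceCheck {

    // Largest key size the installed JCE policy permits for a transformation.
    // Integer.MAX_VALUE means the policy places no limit on it.
    static int maxKeyBits(String transformation) throws Exception {
        return Cipher.getMaxAllowedKeyLength(transformation);
    }

    // Initialise a cipher with an all-zero test key of the given size.
    // An InvalidKeyException here is the failure shown in the stack trace above.
    static boolean canInit(String transformation, String algorithm, int keyBits)
            throws Exception {
        SecretKeySpec key = new SecretKeySpec(new byte[keyBits / 8], algorithm);
        try {
            Cipher.getInstance(transformation).init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("  rejected: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JCE providers in preference order:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.printf("  %d. %s (Cipher.AES=%b, Signature.SHA1withRSA=%b)%n",
                    i + 1, p.getName(),
                    p.getService("Cipher", "AES") != null,
                    p.getService("Signature", "SHA1withRSA") != null);
        }
        System.out.println("Max allowed AES key length: " + maxKeyBits("AES") + " bits");
        // Assumed probe sizes: 128-bit should always pass, 256-bit exposes a key-size limit.
        System.out.println("AES-128 init ok: " + canInit("AES/CBC/PKCS5Padding", "AES", 128));
        System.out.println("AES-256 init ok: " + canInit("AES/CBC/PKCS5Padding", "AES", 256));
    }
}
```

Run it with the same JDK and java.security configuration as the WebLogic instance, so the provider list and key-length limit match what the server sees.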