We are running an application on IBM VM in an IBM AIX server and getting the following error only while using HTTPS. It works fine when used HTTP though. Again it works fine when using Sun VM on an alternate Windows server. The error with IBM VM is as follows:
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
main, handling exception: javax.net.ssl.SSLKeyException: RSA premaster secret error
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
15:36:14,559 ERROR CrtQuoteLetterMain:248 -
java.lang.NullPointerException15:36:14,560 DEBUG InsIntoTablesDAO:66 - 2 | RunDate:2011-03-10 | ProcessName:Create Quote & Letter |
Opportunity:006Q0000006IfggIAC | Seq#:1 | StepName:BMI Security Login to create Session Id | Severity:Fatal | Status:Failure | LastV
ersion: Y | Message:Opportunity 006Q0000006IfggIAC: Error encountered when returning values of Exception Code and Message
15:36:14,561 INFO CrtQuoteLetterMain:75 - Processing Opportunity: 3 - 006Q0000006IfZkIAK
15:36:14,561 ERROR CrtQuoteLetterMain:248 - Customer Id and/or Vision Id is null/empty
java.lang.Exception: Customer Id and/or Vision Id is null/empty15:36:14,562 DEBUG InsIntoTablesDAO:66 - 3 | RunDate:2011-03-10 | Pro
cessName:Create Quote & Letter | Opportunity:006Q0000006IfZkIAK | Seq#:1 | StepName:Validate Customer Id and Vision Id | Severity:Fa
tal | Status:Failure | LastVersion: Y | Message:Customer Id and/or Vision Id is null/empty
15:36:14,563 INFO CrtQuoteLetterMain:75 - Processing Opportunity: 4 - 006Q0000006IfZmIAK
just created: com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl@52025202
calling security logi
ending security logi
This is solved today.
We have an issue of IBM JDK with SHA512 cert. Sun JDK might not have this issue.
The cause of this problem were that the key size on the server size for the SHA512 certificate 4096 bits. This was too large for the IBM JDK unless using the unrestricted policy file.
When the MD5 cert is used it appears to be of 1024 bits, however when using the SHA512 the cert is of 4096 bits.
In accordance with the United States of America export restrictions, Java that is bundled with the server has limited encryption key sizes that can be used in the server operation. In order to successfully convert signed client certificates for use in the server, you have to replace the bundled encryption policy files with the unrestricted files published by IBM. This is called "Unrestricted JCE Policy files for SDK"
Procedure to get this file:
1.Go to the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
2.Click J2SE 6.0.
3.Click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK website is displayed.
4.Click Sign in and provide your IBM ID and password or register with IBM to download the files.
5.Select Unrestricted JCE Policy files for SDK for all newer versions (version 1.4.2 and higher) and click Continue.
6.View the license agreement and then click I Agree.
7.Click Download Now.
8.Install the files:
a.Extract the file: unrestricted.zip into a directory of your choice in Windows.
b.Copy/FTP the two .jar files from the extraction directory to following directories:
--> If you are using a specific JDK version,then copy in $JAVA_HOME/jre/lib/security
--> If you are using Weblogic AS, then WAS_HOME/java/jre/lib/security
9. For the case of weblogic AS, restart the Weblogic server for this change to take effect.