Federation transaction error InvalidKeyException: Illegal key size

Document ID : KB000029417
Last Modified Date : 14/02/2018

Description:

Customer is in the process of upgrading the Policy Server that is used for federation transactions.

After the upgrade, when testing a federation login, the user gets an HTTP 500 error, and the following error appears in the Policy Server trace log.

[][][][][][][][][Failed to convert password value for Password :
com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProviderException:
java.security.InvalidKeyException: Illegal key size
        at com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProvider.decrypt(SmCryptoProvider.java:731)
        at com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProvider.decrypt(SmCryptoProvider.java:628)
        at com.ca.siteminder.sdk.agentapi.crypto.SmServerCrypto.decryptInternal(SmServerCrypto.java:137)
        at com.ca.siteminder.sdk.agentapi.crypto.SmServerCrypto.decrypt(SmServerCrypto.java:123)
        at com.netegrity.federationps.tunnel.TunnelUtils.addPasswordsToMap(TunnelUtils.java:223)
        at com.netegrity.federationps.tunnel.TunnelUtils.addProviderPasswords(TunnelUtils.java:150)
        at com.netegrity.saml2ps.tunnel.SAMLSPbyIDTunnelService.tunnel(SAMLSPbyIDTunnelService.java:135)
        at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:275)
Caused by: java.security.InvalidKeyException: Illegal key size
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at com.ca.siteminder.sdk.agentapi.crypto.SmRC2CryptoProvider.getDecrypter(SmRC2CryptoProvider.java:139)
        at com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProvider.decrypt(SmCryptoProvider.java:666)
        ... 7 more
]
 

Solution:

The InvalidKeyException is a known Java Cryptography Extension (JCE) issue: a JRE running with the default limited-strength policy files rejects keys larger than the export limit, and the key that the Policy Server's RC2 decrypter passes to Cipher.init (see SmRC2CryptoProvider in the trace above) exceeds that limit.

The Policy Server Installation Guide, under Installation Requirements, states:

“The current Java Cryptography Extension (JCE) Unlimited Strength
Jurisdiction patches are required to use the Java cryptographic algorithms.
To locate the JCE package for your operating platform, go to the Oracle website.
Apply the patches to the following files on your system:

local_policy.jar
US_export_policy.jar
These files are in the directory jre_home\lib\security.

jre_home

This variable specifies the location of the Java Runtime Environment
installation. ”

When this error is encountered, the unlimited strength jars need to be installed in the JVM used by the Policy Server, so you will need to deploy them on each Policy Server that handles federation transactions.

You can obtain the jars here 

http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

To deploy them, replace the existing "limited" local_policy.jar and US_export_policy.jar files in jre_home\lib\security with the "unlimited" files contained in the download above.

Note: back up the existing files before making any changes.
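The replacement described above, with the backup the note asks for, as an added helper script that is not part of this KB article or of the product. It assumes a Unix-style jre_home/lib/security layout and that the unlimited jars have already been downloaded into a local directory; the jce_unlimited_installed check additionally assumes unzip is available.

```shell
#!/bin/sh
# Added example, not part of the KB: replace the limited-strength JCE policy
# jars under <jre_home>/lib/security with the unlimited-strength copies,
# keeping a backup of the originals as the note above asks.
set -eu

POLICY_JARS="local_policy.jar US_export_policy.jar"

# deploy_jce_policy <jre_home> <dir with unlimited jars> <backup dir>
# Exit status: 0 deployed, 1 a required file or directory is missing,
# 2 the installed jar does not match the source after copying.
deploy_jce_policy() {
  jre_home=$1; src=$2; backup=$3
  sec="$jre_home/lib/security"
  [ -d "$sec" ] || { echo "missing directory $sec" >&2; return 1; }
  for jar in $POLICY_JARS; do
    [ -f "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
    [ -f "$sec/$jar" ] || { echo "missing $sec/$jar" >&2; return 1; }
  done
  mkdir -p "$backup"
  for jar in $POLICY_JARS; do
    cp -p "$sec/$jar" "$backup/$jar"   # keep the limited copy
    cp -p "$src/$jar" "$sec/$jar"      # install the unlimited copy
    cmp -s "$src/$jar" "$sec/$jar" || return 2
  done
  echo "deployed unlimited JCE policy to $sec (backup in $backup)"
}

# jce_unlimited_installed <jre_home>
# Needs unzip. The unlimited local_policy.jar grants CryptoAllPermission;
# the limited one instead caps algorithms such as RC2 at 128 bits.
jce_unlimited_installed() {
  unzip -p "$1/lib/security/local_policy.jar" default_local.policy 2>/dev/null \
    | grep -q 'CryptoAllPermission'
}
```

The JVM reads the policy jars at startup, so the Policy Server must be restarted after they are replaced before the check or a federation login will reflect the change.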