Users Guide

ManualsBrandsDell ManualsBSAFEBSAFE Crypto-J

Table Of Contents

Troubleshooting Guide

18.07.19

RSA BSAFE

Crypto-J 6.2.5

Troubleshooting Guide

This document provides information and instructions for troubleshooting common

issues for RSA BSAFE Crypto-J 6.2.5 (Crypto-J) on all released platforms.

Contents:

Enforce Strict DER Encoding of X.509 Certificates .....................................2

Statically Register JsafeJCE Provider as the Default JCE Provider .........3

Dynamically Register the JsafeJCE Provider ..............................................4

Use Crypto-J in FIPS-140 Mode in Compliance with FIPS 140-2

Requirements ...................................................................................................5

Slow FIPS-140 Start-up on Android ..............................................................5

Install JCE Unlimited Strength Jurisdiction Policy Files ..............................6

Error when Re-Signing the Jar Files .............................................................7

Errors when Running a Java Web Start Application ...................................7

Decrease the Time Taken for Cryptographic Operations ............................8

Entropy Generation ..................................................................................8

Decrease the Time Taken for Cryptographic Operations that use

Blinding .......................................................................................................8

Convert Oracle JKS Keystore to PKCS #12 format ....................................9

Error ‘Algorithm not allowable in FIPS140 Mode’ ........................................9

Use Crypto-J with J2EE Applications and Application Servers ................ 10

Static Registration ...................................................................................10

Dynamic Registration .............................................................................10

Explicit use of Provider Instances ......................................................... 11

Intermittent Test Failures with some EC Algorithms ..................................11

Signature Verification Fails for some RSA PSS Signatures .....................12

Use Crypto-J in FIPS 140-2 Mode on Oracle WebLogic 11g and 12c ...12

Use Crypto-J Jars in an EAR Application on Red Hat JBoss ..................13

Use Crypto-J jars in an EAR Application on JBoss 5 and 6 ..............13

Use Crypto-J jars in non-FIPS 140-2 mode, in an EAR Application on

JBoss 7 .....................................................................................................13

Use Crypto-J jars in FIPS 140-2 mode, in an EAR Application on

JBoss 7 .....................................................................................................14

Use Crypto-J Jars in an EAR Application on Oracle WebLogic ...............14

Gradle Incompatibility with Android Studio .................................................15

Reuse of IV is Not Allowed in GCM Mode .................................................. 15

Customization Using the System and Security Properties .......................15

Summary of content (15 pages)

PAGE 1
Troubleshooting Guide 18.07.19 RSA BSAFE® Crypto-J 6.2.5 Troubleshooting Guide This document provides information and instructions for troubleshooting common issues for RSA BSAFE Crypto-J 6.2.5 (Crypto-J) on all released platforms. Contents: Enforce Strict DER Encoding of X.509 Certificates .....................................2 Statically Register JsafeJCE Provider as the Default JCE Provider .........3 Dynamically Register the JsafeJCE Provider ..............................................
PAGE 2
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Enforce Strict DER Encoding of X.509 Certificates When DER encoding of X.509 certificates is not strictly enforced, the unsigned portion of the certificate (including the signature or signature algorithm) can be modified without breaking the validity of the certificate. Such modifications could allow a remote attacker to defeat fingerprint-based certificate-blacklist protection mechanisms. The security property, com.rsa.cryptoj.cert.
PAGE 3
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Statically Register JsafeJCE Provider as the Default JCE Provider A statically registered Crypto-J JsafeJCE provider can be used without having to instantiate it, and without having to programmatically add it to the provider list. Statically registering the JsafeJCE provider as the default, that is, in first position, allows it to be the default provider of algorithms.
PAGE 4
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Dynamically Register the JsafeJCE Provider To dynamically register the Crypto-J JCE provider, JsafeJCE: 1. Add the relevant Crypto-J jar file(s) to the class path. 2. Load the provider using the following Java code: // Create a Provider object Provider jceProvider = new com.rsa.jsafe.provider.JsafeJCE(); // Add the JCE Provider class to the current list of providers //available on the system. Security.
PAGE 5
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Use Crypto-J in FIPS-140 Mode in Compliance with FIPS 140-2 Requirements To ensure that Crypto-J is used in the FIPS-140 mode in compliance with FIPS 140-2 requirements, complete the following: • • • Use the correct jar file: – For non-Android environments, use the jcmFIPS-6.2.5.jar file – For Android environments, use the jcmandroidfips-6.2.5.jar file. Set the initial FIPS-140 mode of operation security property, com.rsa.cryptoj.
PAGE 6
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Install JCE Unlimited Strength Jurisdiction Policy Files The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order to use some algorithms and key strengths. The following algorithms require these policy files: • AES with key sizes greater than 128 bits • RC2 with key sizes greater than 128 bits • RC4 with key sizes greater than 128 bits • RC5 with key sizes greater than 128 bits • RSA Encryption.
PAGE 7
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Error when Re-Signing the Jar Files The following error can occur when re-signing cryptoj-6.2.5.jar or cryptojce-6.2.5.jar: Invalid SHA-1(or other SHA digest) signature file digest for . This occurs because cryptoj-6.2.5.jar and cryptojce-6.2.5.jar are signed by a SHA-256 digest algorithm. The Oracle JDK 6 jarsigner digest algorithm defaults to SHA-1, while the Oracle JDK 7 jarsigner digest algorithm defaults to SHA-256.
PAGE 8
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Decrease the Time Taken for Cryptographic Operations Entropy Generation Crypto-J relies on the operating system to provide the entropy needed to seed the SecureRandom object used for cryptographic operations. These operations can take an unusually long time if the operating system is unable to provide sufficient entropy. RSA recommends using a Hardware Security Module (HSM) with Crypto-J to generate entropy.
PAGE 9
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Convert Oracle JKS Keystore to PKCS #12 format The keytool utility has an importkeystore option, for JDK1.6.x onwards, which can be used to convert a JKS keystore to PKCS #12 format.
PAGE 10
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Use Crypto-J with J2EE Applications and Application Servers Java Application Servers use a hierarchy of class loaders to isolate the applications in the Web and Enterprise JavaBeans containers. The use of class loaders affects how Crypto-J can be used in this environment. Static Registration Crypto-J can be statically registered and successfully used in most Application Server environments.
PAGE 11
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Where applications have their own copies of Crypto-J, it is possible for one application to use a combination of classes from its own Crypto-J jars along with those from a JsafeJCE instance registered by a different application. Problems such as unexpected ClassCastExceptions and unrecognized AlgorithmParameters can result. This can even occur with a single application as it is being upgraded as there may briefly be two instances of the same application.
PAGE 12
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Signature Verification Fails for some RSA PSS Signatures When using RSA PSS Signature objects the JsafeJCE provider does not support using a digest algorithm for the Mask Generation Function (MGF) that is different to the digest algorithm used for the signature.
PAGE 13
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Use Crypto-J Jars in an EAR Application on Red Hat JBoss Use the following steps and recommendations to enable the use of Crypto-J jar files in an EAR application for Red Hat® JBoss® (JBoss) application servers: • Use Crypto-J jars in an EAR Application on JBoss 5 and 6 • Use Crypto-J jars in non-FIPS 140-2 mode, in an EAR Application on JBoss 7 • Use Crypto-J jars in FIPS 140-2 mode, in an EAR Application on JBoss 7.
PAGE 14
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Use Crypto-J jars in FIPS 140-2 mode, in an EAR Application on JBoss 7 To use Crypto-J jars in FIPS 140-2 mode, in an EAR Application on JBoss 7: 1. To allow the code source to be changed for Crypto-J jars to be used in FIPS 140-2 mode, edit the jboss:deployment-structure.xml file to add the following resources configuration: ... PAGE 15
RSA BSAFE Crypto-J 6.2.5 Troubleshooting Guide Gradle Incompatibility with Android Studio Due to the deprecation of one of the Gradle 4.0+ APIs, the following compilation error occurs when using Gradle 4.0+ with Android Studio 3.0: com.android.build.gradle.tasks.factory.AndroidJavaCompile.set DependencyCacheDir(Ljava/io/File;)V If this error occurs during the compilation process: 1. Check the version of Gradle: gradle -version 2. Check the version of Android Studio.