"java.security.InvalidKeyException: Illegal key size at javax.crypto.Cipher" Call to External Webservice Through HTTPS Fails
Applies to:
Oracle Service Bus - Version: 11.1.1.3.0 and later [Release: 11g and later ]
Information in this document applies to any platform.
Symptoms
When an Oracle Service Bus business service calls an external webservice over HTTPS with basic authentication, the call fails. The server log shows the following exception.
Exception:
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.certicom.tls.provider.Cipher.init(Unknown Source)
at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.changeCipherSpec(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:158)
at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:254)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.setRequestPayload(HttpOutboundMessageContext.java:258)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOutboundMessageContext.java:294)
at com.bea.wli.sb.transports.http.wls.HttpTransportProvider.sendMessageAsync(HttpTransportProvider.java:211)
at sun.reflect.GeneratedMethodAccessor859.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.wli.sb.transports.Util$1.invoke(Util.java:83)
Cause
The default jurisdiction policy shipped with the JDK does not permit AES with 256-bit keys, so the TLS handshake fails as soon as the server negotiates an AES-256 cipher suite. This was mentioned in unpublished Bug 8530913.
Solution
Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK software have built-in restrictions on available cryptographic strength.
By default, the AES 256 cryptographic algorithm does not work with the JRE/JDK that Oracle Service Bus uses. In order to make it work, the JCE Unlimited Strength Jurisdiction Policy Files (the Java Cryptography Extension (JCE) policy jars) must be installed in the JDK security directory.
Steps:
1. Download the JCE policy jars from
http://java.sun.com/javase/downloads/index.jsp
(Under 'Additional resources' there is an 'Other downloads' section which has a link to the 'Java Cryptography Extension (JCE)'.)
2. Replace the two jars (US_export_policy.jar and local_policy.jar) in the jre/lib/security directory of the JDK that Oracle Service Bus runs on.
3. Restart the servers for the changes to take effect.
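As an added check (example code, not part of the Oracle note): run this class with the same JDK that Oracle Service Bus uses, before and after replacing the policy jars, to confirm the cause described above and to verify that the fix has taken effect. It queries the key-length limit the policy files impose and then reproduces the AES-256 cipher initialisation that fails inside the TLS handshake.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;

/** Reports whether the JDK's jurisdiction policy permits AES-256 and reproduces the failure. */
public class JcePolicyCheck {

    /** true when the installed policy files allow 256-bit AES keys. */
    static boolean aes256Permitted() throws Exception {
        // Integer.MAX_VALUE under the unlimited-strength policy, 128 under the restricted default.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Initialises an AES cipher with a 256-bit key: the same step that throws during the handshake. */
    static String tryAes256Init() throws Exception {
        byte[] key = new byte[32];   // constructed all-zero 256-bit test key, only used to probe the policy
        byte[] iv = new byte[16];    // constructed all-zero IV, likewise only for the probe
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return "AES-256 init OK";
        } catch (InvalidKeyException e) {
            // On a restricted JDK the message is "Illegal key size", as in the server log above
            return "AES-256 init failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Max AES key length allowed by policy: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println(aes256Permitted()
                ? "Unlimited-strength policy in effect"
                : "Restricted policy in effect: install the JCE Unlimited Strength policy jars");
        System.out.println(tryAes256Init());
    }
}
```

Compile and run it with the JAVA_HOME of the Oracle Service Bus domain, since a different JDK on the same host may carry different policy files. From JDK 8u161 onward the unlimited policy is enabled by default through the crypto.policy property in java.security, so the separate jars are only needed on the older JDKs this note covers.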
If the issue still exists, please contact Oracle Global Software Support for further assistance.
Call to an External Web Service Through HTTPS Fails With: java.security.InvalidKeyException: Illegal key size at javax.crypto.Cipher
Applies to
Oracle Service Bus - Version: 11.1.1.3.0 and later [Release: 11g and later]
Information in this document applies to any platform.
Symptoms
When an Oracle Service Bus business service calls an external web application over HTTPS, the call fails. The server log shows the following:
Exception:
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
(the remaining stack frames are identical to the trace shown in the English section above)
Cause
The standard Java policy does not support AES with 256-bit keys. This is mentioned in unpublished Bug 8530913.
Solution
Because of import restrictions in some countries, the jurisdiction policy files bundled with some JDK software have built-in limits on cryptographic strength.
By default, the JRE/JDK used by Oracle Service Bus does not support the AES 256 encryption algorithm. To use it, the JCE (Java Cryptography Extension) extension jar files must be added to the JDK security directory.
Steps:
1. Download the JCE extension jars from
http://java.sun.com/javase/downloads/index.jsp
(Under 'Additional resources' there is an 'Other downloads' section from which the JCE can also be downloaded.)
2. Replace the US_export_policy.jar and local_policy.jar files in the /jre/lib/security directory.
3. Restart the servers.
If the problem persists, contact Oracle for further assistance.