IBM Support

SSL web services fail with 'invalid key exception-illegal key size' after upgrading to CICS 5.2

Question & Answer


Question

Why are Secure Socket Layer (SSL) web services failing with 'invalid key exception-illegal key size' after upgrading CICS Transaction Server for z/OS (CICS TS) from V4.2 to V5.2? Our SSL certificates were created many years ago and have not been changed since. I'm wondering if this problem is caused by our recent CICS TS V5.2 upgrade.

This is the error I receive:

 java.security.InvalidKeyException: Illegal key size
         at javax.crypto.Cipher.a(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)
         at com.certicom.tls.provider.Cipher.init(Unknown Source)
         at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.changeCipherSpec(Unknown Source)
         at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)

Answer

If the level of Java in use under CICS TS 5.2 is still using the default policy files, the first step is to upgrade to the unrestricted policy files. The default policy files are limited to 128 bit keys; any larger keys require the unrestricted policy files. The files needed reside within the demo directory of the JVM. Follow these steps to copy the unrestricted policy files from the ${java-home}/demo/jce/policy-files/unrestricted directory into ${java-home}/lib/security:

  1. Delete the 2 files US_export_policy.jar and local_policy.jar from the security directory

  2. Replace these 2 files by the files of the same name from within the /unrestricted directory

  3. Be sure to set the permissions and attributes of the new copies to match what the original files were set to
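
To confirm which policy files a JVM is actually using, before and after the steps above, the following check can be run with the java executable under the same ${java-home}. It is an added example, not IBM-supplied code; the class name JcePolicyCheck and the all-zero test keys are constructed for illustration.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class (not part of CICS or the IBM SDK).
public class JcePolicyCheck {

    // Algorithms whose maximum key length is reported from the policy in effect.
    private static final String[] ALGORITHMS = {"AES", "DESede", "RSA"};

    /** True when the policy in effect places no limit on the algorithm's key length. */
    static boolean isUnrestricted(String algorithm) throws Exception {
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /**
     * Initialises an AES cipher with a key of the given size. Nothing is encrypted;
     * only Cipher.init is exercised, the call that fails in the stack trace above.
     * Returns null on success, or the exception message on failure.
     */
    static String tryAesInit(int keyBits) throws Exception {
        byte[] keyBytes = new byte[keyBits / 8]; // constructed all-zero test key
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home = " + System.getProperty("java.home"));
        for (String algorithm : ALGORITHMS) {
            int max = Cipher.getMaxAllowedKeyLength(algorithm);
            System.out.println(algorithm + " max key length: "
                    + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        }
        for (int bits : new int[] {128, 192, 256}) {
            String error = tryAesInit(bits);
            System.out.println("AES-" + bits + " init: "
                    + (error == null ? "ok" : "FAILED (" + error + ")"));
        }
        // Exit status 0 only when AES keys are unrestricted, so the check can be scripted.
        System.exit(isUnrestricted("AES") ? 0 : 1);
    }
}
```

With the default policy files still in place, the AES-256 line reports the same "Illegal key size" message as the stack trace; after the unrestricted files are copied and the JVM is restarted, all three sizes report ok.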


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
27 August 2015

UID

dwa1209608