Question & Answer
Question
Why are Secure Socket Layer (SSL) web services failing with 'invalid key exception-illegal key size' after upgrading CICS Transaction Server for z/OS (CICS TS) from V4.2 to V5.2? Our SSL certificates were created many years ago and have not been changed since. I'm wondering if this problem is caused by our recent CICS TS V5.2 upgrade.
This is the error I receive:
java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.certicom.tls.provider.Cipher.init(Unknown Source)
at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.changeCipherSpec(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)
Answer
If the level of Java in use under CICS TS 5.2 is still using the default policy files, the first step is to upgrade to the unrestricted policy files. The default policy files are limited to 128-bit keys; any larger keys require the unrestricted policy files. The files needed reside within the demo directory of the JVM. Follow these steps to copy the unrestricted policy files from the ${java-home}/demo/jce/policy-files/unrestricted directory into ${java-home}/lib/security:
1. Delete the 2 files US_export_policy.jar and local_policy.jar from the security directory.
2. Replace these 2 files with the files of the same name from within the /unrestricted directory.
3. Be sure to set the permissions and attributes of the new copies to match what the original files were set to.
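The copy procedure above as a shell function, added here as an example and not IBM-supplied code. It backs up the two shipped files and overwrites them in place instead of deleting and recopying, so the existing permission bits are kept. The function name, the backup directory name and POLICY_BACKUP_DIR are assumptions, and z/OS extended attributes are not checked.

```shell
#!/bin/sh
# Added example (not IBM code). Directory layout is the one named in the answer:
#   <java-home>/demo/jce/policy-files/unrestricted  ->  <java-home>/lib/security
# install_unrestricted_policy and POLICY_BACKUP_DIR are hypothetical names.

POLICY_FILES="US_export_policy.jar local_policy.jar"

install_unrestricted_policy() {
    java_home=$1
    src="$java_home/demo/jce/policy-files/unrestricted"
    dst="$java_home/lib/security"

    # Refuse to touch anything unless all four files are present.
    for f in $POLICY_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        [ -f "$dst/$f" ] || { echo "missing $dst/$f" >&2; return 1; }
    done

    # Keep the shipped (restricted) files, with mode and timestamps, for rollback.
    POLICY_BACKUP_DIR="$dst/policy-backup.$(date +%Y%m%d%H%M%S).$$"
    mkdir "$POLICY_BACKUP_DIR" || return 1
    for f in $POLICY_FILES; do
        cp -p "$dst/$f" "$POLICY_BACKUP_DIR/$f" || return 1
    done

    for f in $POLICY_FILES; do
        # Writing through the existing name keeps that file's permission bits
        # and owner, which is what step 3 asks for.
        cat "$src/$f" > "$dst/$f" || return 1
        # Confirm the installed copy is byte-identical to the unrestricted one.
        cmp -s "$src/$f" "$dst/$f" || { echo "verify failed: $f" >&2; return 1; }
    done

    echo "installed unrestricted policy files; backup in $POLICY_BACKUP_DIR"
}

# Run directly as: sh script.sh /path/to/java-home
if [ "$#" -gt 0 ]; then
    install_unrestricted_policy "$1"
fi
```

The JVM reads the policy files at startup, so the change takes effect only after the JVM is restarted.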
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Document Information
Modified date:
27 August 2015
UID
dwa1209608