CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 5th July 2015
CA Secure Proxy Server (SPS) requires that the Java Runtime Environment used by the agent support unlimited key strength through the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Without those policy files the stock JRE caps symmetric key sizes (for example AES at 128 bits), and the JSafeJCE provider that the agent relies on cannot be used.
Configure the JVM to Use the JSafeJCE Security Provider
To enable encryption, configure the JVM that runs CA SiteMinder® SPS so that it loads the JSafeJCE security provider.
Follow these steps:
1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files package for the Java version you are using from the Oracle website. (JRE 8u161 and later, and Java 9 and later, ship with unlimited strength enabled by default and do not need these files.)
2. Navigate to the <JDK>\jre\lib\security directory of the JRE that SPS runs on.
3. Replace the following files with the versions from the JCE Unlimited Strength Jurisdiction Policy Files package:
   - local_policy.jar
   - US_export_policy.jar
4. Open the java.security file.
5. Add the following line in the List of Providers section so that JSafeJCE is registered as the second security provider:
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
6. Renumber the existing providers from the old position 2 onward by adding 1 to each index. sun.security.provider.Sun stays at position 1, and the numbering must remain contiguous: the JVM reads security.provider.1, .2, .3, ... in order and stops at the first missing index, so a gap silently drops every provider after it.
7. Add the following line after the end of the security providers list. It sets the initial FIPS mode of JSafeJCE:
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
8. Save the changes.
9. Restart the CA SPS service.
The following example shows the List of Providers section of the java.security file after you configure the JVM:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
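The following Python script is an added example, not part of the CA tech tip or of the SPS product. It applies steps 5 to 7 to a java.security file: it inserts JsafeJCE at position 2, renumbers the later providers, adds the FIPS initial-mode line after the list, and verifies that the numbering is still contiguous, because the JDK walks security.provider.1, .2, ... and stops at the first missing index, so an off-by-one during manual renumbering silently drops every provider after the gap. The embedded sample file content is constructed from the article's default provider list; the file path passed to patch_file is whatever the reader supplies.

```python
"""Register JsafeJCE in a java.security file and validate the provider list.

Added example, not CA's code. SAMPLE_JAVA_SECURITY is constructed for
illustration from the stock provider list shown in the article.
"""
import re
from typing import List

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
JSAFE_JCE = "com.rsa.jsafe.provider.JsafeJCE"
FIPS_LINE = "com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE"

# Constructed sample: the default provider list before JsafeJCE is added.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI

# Other settings follow ...
securerandom.source=file:/dev/urandom
"""


def provider_order(text: str) -> List[str]:
    """Return provider class names in the order the JDK will load them.

    The JDK reads security.provider.1, .2, ... and stops at the first missing
    index, so a gap or duplicate after renumbering silently drops providers.
    Raise instead of returning a misleading list.
    """
    found = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            continue
        n = int(m.group(1))
        if n in found:
            raise ValueError(f"duplicate security.provider.{n}")
        found[n] = m.group(2)
    if set(found) != set(range(1, len(found) + 1)):
        raise ValueError(f"provider numbering is not contiguous: {sorted(found)}")
    return [found[i] for i in range(1, len(found) + 1)]


def add_jsafejce(text: str, position: int = 2) -> str:
    """Register JsafeJCE at `position` and shift the later providers by one.

    Idempotent: if JsafeJCE is already registered the list is left untouched.
    The FIPS initial-mode line is added once, right after the provider list.
    """
    lines = text.splitlines()
    current = provider_order(text)  # also validates the input file
    if not current:
        raise ValueError("no security.provider entries found")
    if JSAFE_JCE in current:
        out = lines
    else:
        if not 1 <= position <= len(current) + 1:
            raise ValueError(f"position {position} out of range for {len(current)} providers")
        out, inserted = [], False
        for line in lines:
            m = PROVIDER_RE.match(line)
            if not m:
                out.append(line)
                continue
            n = int(m.group(1))
            if n >= position:
                if not inserted:  # JsafeJCE goes in front of the old holder of `position`
                    out.append(f"security.provider.{position}={JSAFE_JCE}")
                    inserted = True
                n += 1  # every provider at or after `position` moves down one slot
            out.append(f"security.provider.{n}={m.group(2)}")
        if not inserted:  # position == len(current) + 1: append after the last provider
            last = max(i for i, l in enumerate(out) if PROVIDER_RE.match(l))
            out.insert(last + 1, f"security.provider.{position}={JSAFE_JCE}")
    if FIPS_LINE not in (l.strip() for l in out):
        last = max(i for i, l in enumerate(out) if PROVIDER_RE.match(l))
        out.insert(last + 1, FIPS_LINE)
    result = "\n".join(out) + "\n"
    provider_order(result)  # fail loudly if the rewrite produced a bad list
    return result


def patch_file(path: str, position: int = 2) -> None:
    """Rewrite the java.security file at `path` (caller-supplied) in place."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(add_jsafejce(original, position))


if __name__ == "__main__":
    print(add_jsafejce(SAMPLE_JAVA_SECURITY))
```

Running the script prints the patched sample, whose provider section matches the example above; call patch_file with the path of the JRE's java.security to edit the real file. The script only edits the properties file. It cannot tell whether cryptoj.jar is actually on the JVM's class path, which is the separate failure the STS log error below points to.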
If the STS log still shows the following error after the restart:
ERROR [sts=Office365] [txn=] [com.netegrity.tm.contenthelper.api.ContentHelperService] JsafeJCE is not installed as a security provider - this is an unsupported configuration
the provider line in java.security is in place but the JVM cannot load the JsafeJCE class, because cryptoj.jar is not on its class path (the JVM silently skips a provider entry whose class it cannot find). Do one of the following:
- Update the SmSpsProxyEngine.properties file (under SPS_home\proxy-engine\conf) and add %NETE_SPS_ROOT%\agentframework\java\cryptoj.jar to the -classpath value.
- Copy cryptoj.jar from <SPS>\agentframework\java to the <JDK>\jre\lib\ext directory.
Then restart the CA SPS service.