Layer 7 Access Management

Tech Tip: CA Single Sign-On: Registering Agent for JBoss, I get the error "Unsupported algorithm, MD5, selected for FIPS140 mode: FIPS140"

    Posted 06-02-2017 03:48 AM

    Issue:

     

    I'm trying to register the Agent for JBoss to the Policy Server, and the registration fails with the following output:

     

    [root@linux-U171282 bin]# ./smreghost.sh -i myps.test.com -u siteminder -p mypassword -hn myagent -hc myagent -cf COMPAT -o
    Exception in thread "main" java.lang.ExceptionInInitializerError
     at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:318)
     at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:263)
     at javax.crypto.JceSecurity.access$000(JceSecurity.java:48)
     at javax.crypto.JceSecurity$1.run(JceSecurity.java:81)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78)
     at javax.crypto.Cipher.getInstance(Cipher.java:653)
     at com.ca.siteminder.sdk.agentapi.crypto.ap.f(DashoA10*..:1203)
     at com.ca.siteminder.sdk.agentapi.crypto.ar.<init>(DashoA10*..:72)
     at com.ca.siteminder.sdk.agentapi.crypto.ap.a(DashoA10*..:203)
     at com.ca.siteminder.sdk.agentapi.connection.a3.<clinit>(DashoA10*..:86)
     at com.ca.siteminder.sdk.agentapi.w.a(DashoA10*..:128)
     at com.ca.siteminder.sdk.agentapi.SmRegHost.a(DashoA10*..:577)
     at com.ca.siteminder.sdk.agentapi.SmRegHost.register(DashoA10*..:395)
     at com.ca.siteminder.sdk.agentapi.SmRegHost.main(DashoA10*..:323)
    Caused by: java.lang.SecurityException: Framework jar verification can not be initialized
     at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:189)
     ... 15 more
    Caused by: java.lang.SecurityException: Unsupported algorithm, MD5, selected for FIPS140 mode: FIPS140

     

    How can I solve this problem?


    Environment:

     

    Agent for JBoss 12.52SP1CR06 with JDK 1.8.0_60 64-bit


    Cause:

     

    As the error message states, MD5 is rejected as an unsupported algorithm while FIPS140 mode is selected. To use the MD5 algorithm, configure the JDK to disable FIPS140 mode.


    Resolution:

     

    Edit the /opt/jdk1.8.0_60/jre/lib/security/java.security file so that it contains the following configuration. Make sure the last line, which sets com.rsa.cryptoj.fips140initialmode, is present.

     

      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.rsa.jsafe.provider.JsafeJCE
      security.provider.3=sun.security.provider.Sun
      security.provider.4=sun.security.rsa.SunRsaSign
      security.provider.5=sun.security.ec.SunEC
      security.provider.6=com.sun.net.ssl.internal.ssl.Provider
      security.provider.7=com.sun.crypto.provider.SunJCE
      security.provider.8=sun.security.jgss.SunProvider
      security.provider.9=com.sun.security.sasl.Provider
      security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.11=sun.security.smartcardio.SunPCSC
      com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE

     

    KB : TEC1756665
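
A check to run after editing java.security, added here as an example and not part of the original tip or of CA's tooling: it reports the effective `com.rsa.cryptoj.fips140initialmode` value and any gap in the `security.provider.N` numbering. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CA's code): sanity-check a java.security file after editing.

# Effective value of com.rsa.cryptoj.fips140initialmode. Commented-out lines
# are skipped; if the key is set twice the last one wins, as in any Java
# properties file.
fips_initial_mode() {
    sed -n 's/^[[:space:]]*com\.rsa\.cryptoj\.fips140initialmode[[:space:]]*=//p' "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# First missing index in the security.provider.N list, empty if contiguous.
# The JDK reads providers from 1 upward and stops at the first missing number.
provider_gap() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$1" |
        sort -n -u | awk '$1 != NR { print NR; exit }'
}

# Print findings for one file; non-zero status if anything is wrong.
check_java_security() {
    mode=$(fips_initial_mode "$1")
    gap=$(provider_gap "$1")
    rc=0
    if [ "$mode" != "NON_FIPS140_MODE" ]; then
        echo "$1: fips140initialmode is '${mode:-unset}'"
        rc=1
    fi
    if [ -n "$gap" ]; then
        echo "$1: security.provider.$gap missing, later providers are ignored"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: provider 3 was deleted without renumbering and the
# mode line is still commented out, so both checks fire.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.4=sun.security.rsa.SunRsaSign
#com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
EOF
check_java_security "$sample" || echo "fix the file before re-running smreghost.sh"
```

To check the real file, call `check_java_security /opt/jdk1.8.0_60/jre/lib/security/java.security` with the path from the resolution above.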