Environment
iPrint Appliance
Situation
After importing a signed certificate through the MC console into the JVM keystore on the appliance, logging into iManager and attempting to manage an iPrint object displays the following error:
javax.net.ssl.SSLKeyException: RSA premaster secret error
IPP Error: 0x40001
Resolution
Download the unrestricted JCE policy files from the IBM website:
https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=jcesdk&lang=en_US&S_PKG=13_01&cp=UTF-8
The downloaded archive contains two files:
- US_export_policy.jar
- local_policy.jar
These two files must replace the policy jars that the iManager JVM on the appliance loads. Follow these steps:
Note: Back up the existing files before replacing them, and use the policy files that match the JVM version they are installed into. A later JVM package update may overwrite these jars, so re-check them after patching the appliance.
1. Find the tomcat instance which runs iManager
ps -aef | grep "catalina.home=/var/opt/novell/tomcat6"
2. The output shows the full command line of the tomcat process,
e.g.
wwwrun 3422 1 0 22:37 ? 00:00:02 /usr/lib64/jvm/jre-1.6.0-ibm/bin/java -Djava.library.path=/opt/novell/eDirectory/lib64:/var/opt/novell/tomcat6/lib:/usr/lib64 -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false -Djavax.net.ssl.trustStore=/var/opt/novell/tomcat6/conf/cacerts -Dcom.ibm.tools.attach.enable=no -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false -Djavax.net.ssl.trustStore=/var/opt/novell/tomcat6/conf/cacerts -Dcom.ibm.tools.attach.enable=no -classpath /var/opt/novell/tomcat6/bin/bootstrap.jar:/var/opt/novell/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/opt/novell/tomcat6 -Dcatalina.home=/var/opt/novell/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/opt/novell/tomcat6/temp -Djava.util.logging.config.file=/var/opt/novell/tomcat6/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
3. Note the java binary (the first word of the command line) that runs this tomcat instance.
e.g.
/usr/lib64/jvm/jre-1.6.0-ibm/bin/java
4. List the lib/security directory of that JRE (`l` is the SLES alias for `ls -alF`; `ls -l` works as well)
e.g.
l /usr/lib64/jvm/jre-1.6.0-ibm/lib/security/
output contains:
US_export_policy.jar -> /etc/alternatives/jce_1.6.0_ibm_us_export_policy
local_policy.jar -> /etc/alternatives/jce_1.6.0_ibm_local_policy
5. Check where these policy links point (they go through /etc/alternatives, so follow the chain to the real file)
e.g.
l /etc/alternatives/jce_1.6.0_ibm_us_export_policy
/etc/alternatives/jce_1.6.0_ibm_us_export_policy -> /usr/lib64/jvm-private/java-1_6_0-ibm/jce/unrestricted/US_export_policy.jar
l /etc/alternatives/jce_1.6.0_ibm_local_policy
/etc/alternatives/jce_1.6.0_ibm_local_policy -> /usr/lib64/jvm-private/java-1_6_0-ibm/jce/unrestricted/local_policy.jar
6. Copy the downloaded jars over the existing ones at the resolved locations.
cp <path to downloaded local_policy jar file> /usr/lib64/jvm-private/java-1_6_0-ibm/jce/unrestricted/local_policy.jar
cp <path to downloaded US_export_policy jar file> /usr/lib64/jvm-private/java-1_6_0-ibm/jce/unrestricted/US_export_policy.jar
7. Restart the appliance so the JVM loads the new policy files.
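The steps above as a script, added here as an example and not part of the original TID. It uses the paths shown above and assumes `pgrep`, `readlink -f` and `unzip` are present on the appliance. It ends with a check the TID does not include: the unrestricted local_policy.jar carries a default_local.policy that grants javax.crypto.CryptoAllPermission, while the restricted one lists per-algorithm key-size limits (true of the Oracle policy jars; assumed here for IBM's as well). The backup suffix (.bak) and the helper names are my own choices.

```shell
#!/bin/sh
# Added example (not from the TID): install the unrestricted JCE policy jars
# into the JVM that runs the iManager tomcat, with a backup and a check.
# Assumptions: pgrep, readlink -f and unzip exist; ".bak" backup suffix.
set -u

# Steps 1-3: the java binary is the first word of the tomcat command line.
# Takes the command line as an argument so it can be tested without tomcat.
java_from_cmdline() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Find the running iManager tomcat by its catalina.home setting.
imanager_java() {
    pid=$(pgrep -f 'catalina.home=/var/opt/novell/tomcat6' | head -n 1)
    [ -n "$pid" ] || { echo "iManager tomcat is not running" >&2; return 1; }
    java_from_cmdline "$(ps -o args= -p "$pid")"
}

# Step 4: <jre>/bin/java -> <jre>/lib/security
jce_security_dir() {
    echo "$(dirname "$(dirname "$1")")/lib/security"
}

# Step 5: follow the /etc/alternatives symlink chain to the real jar.
resolve_policy_jar() {   # $1 = security dir, $2 = jar name
    readlink -f "$1/$2"
}

# Step 6: back up the existing jar (if any), then copy the new one over it.
install_policy_jar() {   # $1 = downloaded jar, $2 = resolved target path
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    if [ -f "$2" ]; then
        cp -p "$2" "$2.bak" || return 1
    fi
    cp "$1" "$2" && chmod 644 "$2"
}

# Check: the unrestricted local_policy.jar grants CryptoAllPermission in
# default_local.policy; the restricted jar lists key-size limits instead.
# Returns non-zero for a restricted jar or anything that is not a jar.
policy_is_unrestricted() {
    unzip -p "$1" default_local.policy 2>/dev/null | grep -q 'CryptoAllPermission'
}

main() {
    dl=${1:?usage: $0 <directory containing the downloaded jars>}
    java=$(imanager_java) || exit 1
    secdir=$(jce_security_dir "$java")
    for name in local_policy.jar US_export_policy.jar; do
        target=$(resolve_policy_jar "$secdir" "$name")
        echo "$name -> $target"
        install_policy_jar "$dl/$name" "$target" || exit 1
    done
    if policy_is_unrestricted "$(resolve_policy_jar "$secdir" local_policy.jar)"; then
        echo "unrestricted policy installed; restart the appliance (step 7)"
    else
        echo "installed local_policy.jar is not the unrestricted policy" >&2
        exit 1
    fi
}

# Only run main when executed as a script, so the functions can be sourced.
if [ "${0##*/}" = "jce_policy.sh" ]; then
    main "$@"
fi
```

Run it as `sh jce_policy.sh /tmp/jce` after unpacking the IBM archive into /tmp/jce. The final check matters because copying a jar that is itself restricted, or intended for a different JVM version, leaves the appliance exactly where it started, and the only symptom would be the same SSLKeyException after the restart.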
Cause
The restricted JCE policy files shipped with the appliance do not allow certificates with long key sizes, so the TLS handshake fails while deriving the RSA premaster secret. The unrestricted policy files from IBM lift this limit and resolve the problem.