Unable to log in with WebAccess after securing the SOAP protocol on a PO.

  • 7010911
  • 11-Oct-2012
  • 15-Jul-2016

Environment

Novell GroupWise 2012
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux

Situation

After securing the SOAP protocol on a POA, users get the following error when trying to log in via WebAccess:
 
"[9505]Your Postoffice is unavailable. The Post Office Agent might not be configured for SOAP. Please contact your system administrator."

Resolution

As the Cause section indicates, the problem lies with the IBM Java modules as currently shipped, which have restrictions set. You can fix this problem with the following procedure:
 

2. Click the Java SE 7 or newer link shown on the page.

3. Click the "original pages" link in the "Depreciated Documentation" section, which opens a new site.

4. Find the "IBM SDK Policy files" section and click the IBM SDK Policy files link. This brings you to "The Unrestricted JCE Policy files" website.

5. Click Sign in and provide your IBM ID and password or register with IBM to download the files.

6. Select Unrestricted JCE Policy files for SDK for all newer versions (version 1.4.2 and higher) and click Continue.

7. View the license agreement and then click I Agree.

 
8. Click Download Now.
 
9. Install the files:
a) Extract the file unrestricted.zip into a directory of your choice in Windows.
b) Copy/FTP the two .jar files (local_policy.jar and US_export_policy.jar) from the extraction directory to the
directory $JAVA_HOME/jre/lib/security on your server. On OES 11 this might be:

/usr/lib64/jvm/java-1_6_0-ibm-1.6.0/jre/lib/security

or simply search for the location of local_policy.jar on your server.
 
10. Restart Tomcat / Java on the server.
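
Step 9b as a shell sketch, added here as an example and not part of the original document or of any Novell or IBM tooling. The function names find_policy_dirs and install_policy_jars are hypothetical; the script assumes the two jars have already been extracted on the server and keeps a backup of each restricted original.

```shell
#!/bin/sh
# Added example, not Novell or IBM tooling. Function names are hypothetical.
POLICY_JARS="local_policy.jar US_export_policy.jar"

# "Search for the location of local_policy.jar": list each directory
# below ROOT (e.g. /usr/lib64/jvm) that holds one, so no JRE is missed.
find_policy_dirs() {
    find "$1" -type f -name local_policy.jar -exec dirname {} \; 2>/dev/null | sort -u
}

# install_policy_jars SRC_DIR DEST_DIR
# Copies both jars from the extraction directory into DEST_DIR, keeping a
# timestamped backup of each restricted original so the change can be undone.
install_policy_jars() {
    src=$1
    dest=$2
    stamp=$(date +%Y%m%d%H%M%S)
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    # Check the pair up front: never leave one restricted and one
    # unrestricted jar side by side.
    for jar in $POLICY_JARS; do
        [ -s "$src/$jar" ] || { echo "missing or empty: $src/$jar" >&2; return 1; }
    done
    for jar in $POLICY_JARS; do
        if [ -f "$dest/$jar" ]; then
            # Already identical: nothing to do, and no extra backup.
            if cmp -s "$src/$jar" "$dest/$jar"; then continue; fi
            cp -p "$dest/$jar" "$dest/$jar.bak-$stamp" || return 1
        fi
        cp "$src/$jar" "$dest/$jar" || return 1
        chmod 644 "$dest/$jar" || return 1
    done
}

# Usage: sh install_policy.sh /path/to/extracted /path/to/jre/lib/security
# Afterwards restart Tomcat / Java (step 10).
if [ "$#" -eq 2 ]; then
    install_policy_jars "$1" "$2"
fi
```

Run find_policy_dirs first if more than one JVM is installed, since only the JRE that Tomcat actually uses needs the new files.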

Cause

When you created the private key and CSR files, you used the GroupWise gwcsrgen tool shipped with the Windows edition of the GroupWise software, and you specified a key length of 4024 instead of the default 1024.
The problem is caused by the IBM Java modules installed with SLES as the platform for the OES Add-On product. On Windows servers that use Sun Java this problem is not present.
There is a bug / limitation in IBM Java:

"The cause of this problem was that the key size on the server side for the SHA512 certificate was 4096 bits. This was too large for the IBM JDK unless using the unrestricted policy file. When the MD5 cert is used it appears to be of 1024 bits, however when using the SHA512 the cert is of 4096 bits.

In accordance with the United States of America export restrictions, Java that is bundled with the server has limited encryption key sizes that can be used in the server operation. In order to successfully convert signed client certificates for use in the server, you have to replace the bundled encryption policy files with the unrestricted files published by IBM. This is called "Unrestricted JCE Policy files for SDK"."