000037352 - Issue deploying RSA Adaptive Authentication (on Premise) 7.3 on WebLogic 12c with JAVA 1.8_161

Document created by RSA Customer Support Employee on Apr 17, 2019
Version 1

Article Content

Article Number: 000037352
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.3 x
App Server: WebLogic 12c
Java version: 1.8 update 161

 
Issue:

We are currently trying to upgrade our AAOP 7.1 to 7.3.
When we try to deploy any .war AFTER AdaptiveAuthentication.war, we get a weird error message and after that, we are not able to change any settings or deploy other apps in WebLogic 12c. We are using WebLogic 12c with JAVA 1.8_161.
 

####<26-Mar-2019 3:51:58 o'clock PM EDT> <Warning> <Deployer> <dsuniwcp01> <AdminServer>
<[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'>
<<WLS Kernel>> <> <813ae300-1325-49e6-ae07-c5bb27a59b85-00000057> <1553629918559>
<[severity-value: 16] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >
<BEA-149078> <Stack trace for message 149004

java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input.; nested exception is:
                javax.net.ssl.SSLHandshakeException: Unsupported curveId: 65535
                at weblogic.deploy.service.internal.transport.http.HTTPMessageSender.sendMessageToServerURL(HTTPMessageSender.java:365)
                at weblogic.deploy.service.internal.transport.http.HTTPMessageSender.sendMessageToTargetServer(HTTPMessageSender.java:129)
                at weblogic.deploy.service.internal.transport.CommonMessageSender$1.run(CommonMessageSender.java:303)


 
Resolution:

Cause:

This occurs due to a Java bug, explained in the links below:

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8148516
https://bugs.openjdk.java.net/browse/JDK-8176479
https://bugs.openjdk.java.net/browse/JDK-8148516

Improve the default strength of EC in JDK

To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the jdk.certpath.disabledAlgorithms Security Property) and SSL/TLS connections (via the jdk.tls.disabledAlgorithms Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192").

EC curves less than 256 bits are removed from the SSL/TLS implementation in JDK. The new System Property, jdk.tls.namedGroups, defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example:

jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"

Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.

See JDK-8148516

Workaround:

Disable ECC with the JVM option below, or use Java 1.8 update 112 or a lower version:

-Dcom.sun.net.ssl.enableECC=false
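
To check server logs for this failure before and after applying the workaround, the following added example (not part of the original article and not RSA or Oracle code) scans WebLogic log text for records that carry the `Unsupported curveId` handshake exception seen in the Issue section. The sample log is constructed from the record layout shown above; `host01`, the `ecid-*` values, `BEA-000000` and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the record layout shown in this article; host01,
# ecid-* and BEA-000000 are placeholders, not values from a real system.
SAMPLE_LOG = """\
####<26-Mar-2019 3:51:40 o'clock PM EDT> <Info> <Deployer> <host01> <AdminServer> <[ACTIVE] ExecuteThread: '3'> <<WLS Kernel>> <> <ecid-1> <1553629900000> <[severity-value: 64] [rid: 0] > <BEA-000000> <Constructed informational record>
####<26-Mar-2019 3:51:58 o'clock PM EDT> <Warning> <Deployer> <host01> <AdminServer> <[ACTIVE] ExecuteThread: '25'> <<WLS Kernel>> <> <ecid-2> <1553629918559> <[severity-value: 16] [rid: 0] > <BEA-149078> <Stack trace for message 149004
java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input.; nested exception is:
\tjavax.net.ssl.SSLHandshakeException: Unsupported curveId: 65535
\tat weblogic.deploy.service.internal.transport.http.HTTPMessageSender.sendMessageToServerURL(HTTPMessageSender.java:365)
>
"""

# First five header fields: timestamp, severity, subsystem, machine, server.
HEADER = re.compile(r"<([^>]*)> <([^>]*)> <([^>]*)> <([^>]*)> <([^>]*)>")
MSG_ID = re.compile(r"<(BEA-\d+)>")
CURVE = re.compile(r"SSLHandshakeException: Unsupported curveId: (\d+)")


def find_curve_failures(log_text):
    """Return one dict per log record that contains the curveId handshake failure."""
    hits = []
    # A record starts with '####' at the beginning of a line; the stack trace
    # lines that follow belong to that record until the next '####'.
    for record in re.split(r"(?m)^####", log_text)[1:]:
        header, curve = HEADER.match(record), CURVE.search(record)
        if not (header and curve):
            continue
        timestamp, severity, subsystem, machine, server = header.groups()
        msg_id = MSG_ID.search(record)
        hits.append({
            "timestamp": timestamp, "severity": severity, "subsystem": subsystem,
            "machine": machine, "server": server,
            "message_id": msg_id.group(1) if msg_id else None,
            "curve_id": int(curve.group(1)),
        })
    return hits


def summarize(hits):
    """Count failures per (server, curve id) to see which servers still log the error."""
    return Counter((h["server"], h["curve_id"]) for h in hits)


if __name__ == "__main__":
    for (server, curve_id), n in summarize(find_curve_failures(SAMPLE_LOG)).items():
        print(f"{server}: {n} handshake failure(s), unsupported curveId {curve_id}")
```
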
