000012297 - FIM 3.1.2 - CryptoJ jar causing signature verification errors with md2 signature algorithm

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000012297
Applies ToRSA Federated Identity Management Module (FIM) 3.1.2
IBM WebSphere 6.0.2
Crypto J jar version 3.5.2 -  jsafeJCEFIPS.jar in security.providers
Certificate caontains an md2RSA hash
IssueFIM 3.1.2  - CryptoJ jar causing signature verification errors with md2 signature algorithm

 signature verification error in system log

2008-05-05 20:52:06,042, (SSOHelper.java:608), uhaps004, , , , SSO top-level profile exception: , com.rsa.fim.exception.ProfileException: The response signature cannot be verified: The message is signed, but the signature cannot be verified

CauseVersion 3.5.2 of CryptoJ is failing the certificate chain check on a cert in the chain with an md2RSA signature algorithm.  This is due to a defect with the 3.5.2 version of the jsafeJCEFIPS.jar  -  Bug 52609 - JCE MD2WithRSA Signature Error 
Resolution

Apply one of the following three solutions:

  1.  Move the jsafeJCEFIPS.jar to the bottom of the security providers list or at least below the IBM versions of Jsafe  com.ibm.crypto.provider.IBMJCE or com.ibm.crypto.fips.provider.IBMJCEFIPS.
  2.  Replace the certs with signature algorithms other than MD2, such as SHA1
  3. Obtain hotfix FIM 3.1.2.5 which uses version 4.0 of the jsafeJCEFIPS. jar and add  "com.rsa.cryptoj.jce.fips140initialmode=NON_FIPS140_MODE" to the bottom of the java.security file.  This will turn off forced FIPS compliance ( added since CRYPTOJ 3.6 version)  which would not of allowed md2 certs to be used.
Legacy Article IDa40388

Attachments

    Outcomes