000029578 - A description of crypto .jars and which ones to use for RSA Access Manager 6.2, IBM WebSphere Application Server (WAS), Trust Association Interceptors (TAI) and FIPS

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support on Feb 1, 2018.

Article Number: 000029578

Applies To:
RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
RSA Product/Service Type: Access Manager TAI for WebSphere 8.5
RSA Version/Condition: 5.0 SP1
Issue

Symptoms on the RSA Access Manager server

  • The servers fail to start or cannot connect to the RSA Access Manager Agent(s).
  • SSL errors.
  • Encryption errors on startup.

Symptoms on WebSphere with Trust Association Interceptors (TAIs)

  • WebSphere may not start or cannot connect.
  • Even when the correct .jars are in place, enabling FIPS in the WebSphere console leaves the TAI unable to connect to the dispatcher/aservers.

Cause

There can be several reasons for this issue:

  • Two conflicting .jars are present in the install directory/classpath. This applies to both the server-side and the TAI symptoms.
  • In the TAI, enabling WebSphere FIPS conflicts with the RSA Access Manager aserver/dispatcher when the server side is not configured to match.

Resolution

Q: Should jcm-6.1.jar and jcmFIPS-6.1.jar not be in this directory at the same time?

A: Either jcm-6.1.jar or jcmFIPS-6.1.jar should be present in the directory, but not both. In the TAI, once the username has been retrieved from the cookie/header, a Runtime API connection is created to validate the details, and that connection uses whichever crypto .jar is loaded.

Q: What were the old 6.1.0 .jars and which are the current ones? Which replaced which?

A: With WAS 6.1, only RSA Access Manager Agent 4.7 was supported, and it had no FIPS support. FIPS was introduced in RSA Access Manager Agent 4.7 SP1, as noted below:

  • With RSA Access Manager Agent 5.0 and 5.0 SP1, the following BSAFE .jars were packaged (compatible FIPS version: Server 6.2 and 6.2.1):
    • cryptojce-6.1.jar
    • cryptojcommon-6.1.jar
    • jcm-6.1.jar
    • jcmFIPS-6.1.jar
  • With RSA Access Manager Agent 4.7 SP1 (compatible FIPS version: Server 6.1.4):
    • cryptoj-5.0.jar
    • cryptojFIPS-5.0.jar
  • With RSA Access Manager Agent 4.7 (no FIPS support):
    • jsafe.jar
    • jsafeJCE.jar
    • rsajsse.jar
    • sslj.jar

Q: If one wanted to use WLS in FIPS mode with the TAI, would FIPS have to be enabled on the aserver as well?

A: Yes. If the FIPS .jars are on the WAS, then FIPS must be enabled on the server as well. Again, ensure that the same version of the BSAFE .jars is present on both the agent and the server.
Notes

This may be a related error:

015-02-04 08:06:54 -0500 - [10784] - <Critical> - Error creating Runtime API connection: request to axmqaas.geisinger.edu:5608 failed [CT_REPLY_PARSE_ERROR]

There was a similar issue with WebAgents; refer to CTAG-4965.

Not sure, it could be a compatibility issue.

===============================================================

The install and configuration guide for the application server agents 5.0 and 5.0 SP1 has incorrect installation instructions: it tells you to install both the jcm and jcmFIPS .jars. This is incorrect. Install one or the other, depending on whether you want FIPS. The following is the INCORRECT text from the guide; notice that both jcm and jcmFIPS are listed, when only one should be present.
Place the following .jar files in the WASBASE/lib/ext directory:

  • axm-admin-api-6.2.1.jar
  • axm-runtime-api-6.2.1.jar
  • axm-appagent-common-5.1.jar
  • axm-was-agent-api-5.0.1.jar
  • axm-was-agent-portal-api-5.0.1.jar
  • aspectjrt-1.7.3.jar
  • cryptojce-6.1.jar
  • cryptojcommon-6.1.jar
  • CSP-3.1.jar
  • CSPJNI-3.1.jar
  • jcm-6.1.jar
  • jcmFIPS-6.1.jar
  • LB-3.1.jar
  • LBJNI-3.1.jar
  • log4j-1.2.17.jar
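As an added example (not RSA's code and not from the guide), the following Python script checks a jar listing against the two rules this article states: jcm-6.1.jar and jcmFIPS-6.1.jar (and likewise cryptoj-5.0.jar and cryptojFIPS-5.0.jar) must never both be installed, and the agent (TAI) side and the aserver side must carry the same generation of BSAFE .jars with FIPS enabled on both or on neither. The function names, the directory-scanning helper, the "generation" labels and the sample listings are assumptions constructed for the demonstration; the agent-side sample is the guide's incorrect list above, and the server-side listing is made up.

```python
"""Added example: classpath sanity check for the BSAFE jars discussed in this article.

Encodes two rules from the article: (1) jcm-6.1.jar / jcmFIPS-6.1.jar (and
cryptoj-5.0.jar / cryptojFIPS-5.0.jar) are mutually exclusive, and (2) the agent
(TAI) side and the aserver side must agree on BSAFE generation and FIPS setting.
Names, generation labels and sample listings are constructed, not RSA's.
"""
from pathlib import Path

# Mutually exclusive pairs (non-FIPS jar, FIPS jar) taken from the article.
EXCLUSIVE_PAIRS = [
    ("jcm-6.1.jar", "jcmFIPS-6.1.jar"),          # Agent 5.0 / 5.0 SP1, server 6.2 / 6.2.1
    ("cryptoj-5.0.jar", "cryptojFIPS-5.0.jar"),  # Agent 4.7 SP1, server 6.1.4
]

# BSAFE generation each jar belongs to (labels are ours); agent and server must agree.
GENERATION = {
    "cryptojce-6.1.jar": "bsafe-6.1", "cryptojcommon-6.1.jar": "bsafe-6.1",
    "jcm-6.1.jar": "bsafe-6.1", "jcmFIPS-6.1.jar": "bsafe-6.1",
    "cryptoj-5.0.jar": "bsafe-5.0", "cryptojFIPS-5.0.jar": "bsafe-5.0",
    "jsafe.jar": "bsafe-4.7", "jsafeJCE.jar": "bsafe-4.7",
    "rsajsse.jar": "bsafe-4.7", "sslj.jar": "bsafe-4.7",
}
FIPS_JARS = {fips for _, fips in EXCLUSIVE_PAIRS}


def list_jars(directory):
    """Names of the .jar files in a directory such as WASBASE/lib/ext (hypothetical helper)."""
    return sorted(p.name for p in Path(directory).iterdir() if p.suffix == ".jar")


def conflicts(jars):
    """Exclusive pairs whose members are both present; each one is a misconfiguration."""
    present = set(jars)
    return [pair for pair in EXCLUSIVE_PAIRS if present.issuperset(pair)]


def profile(jars):
    """(set of BSAFE generations present, FIPS flag) for one side of the connection."""
    present = set(jars)
    generations = {GENERATION[j] for j in present if j in GENERATION}
    return generations, bool(present & FIPS_JARS)


def check(agent_jars, server_jars):
    """Human-readable findings; an empty list means the two sides are consistent."""
    findings = []
    for side, jars in (("agent", agent_jars), ("server", server_jars)):
        for non_fips, fips in conflicts(jars):
            findings.append(f"{side}: {non_fips} and {fips} are both present; keep only one")
        generations, _ = profile(jars)
        if len(generations) > 1:
            findings.append(f"{side}: mixed BSAFE generations {sorted(generations)}")
    agent_gens, agent_fips = profile(agent_jars)
    server_gens, server_fips = profile(server_jars)
    if agent_gens and server_gens and agent_gens != server_gens:
        findings.append(
            f"BSAFE generation differs: agent {sorted(agent_gens)} vs server {sorted(server_gens)}"
        )
    if agent_fips != server_fips:
        findings.append(f"FIPS mismatch: agent FIPS={agent_fips}, server FIPS={server_fips}")
    return findings


# Constructed sample: the guide's incorrect list on the TAI side (both jcm jars),
# and a made-up non-FIPS server-side listing.
GUIDE_LISTING = [
    "axm-admin-api-6.2.1.jar", "axm-runtime-api-6.2.1.jar", "axm-appagent-common-5.1.jar",
    "axm-was-agent-api-5.0.1.jar", "axm-was-agent-portal-api-5.0.1.jar", "aspectjrt-1.7.3.jar",
    "cryptojce-6.1.jar", "cryptojcommon-6.1.jar", "CSP-3.1.jar", "CSPJNI-3.1.jar",
    "jcm-6.1.jar", "jcmFIPS-6.1.jar", "LB-3.1.jar", "LBJNI-3.1.jar", "log4j-1.2.17.jar",
]
SERVER_LISTING = ["cryptojce-6.1.jar", "cryptojcommon-6.1.jar", "jcm-6.1.jar"]

if __name__ == "__main__":
    # On a real host, replace the constants with list_jars("<WASBASE>/lib/ext") and the
    # equivalent listing from the aserver install directory.
    for line in check(GUIDE_LISTING, SERVER_LISTING) or ["no findings"]:
        print(line)
```

Running the script against the constructed sample reports the duplicate jcm/jcmFIPS pair on the agent side and a FIPS mismatch between the two sides; removing jcmFIPS-6.1.jar from the agent listing clears both findings, which is the fix the article prescribes for a non-FIPS deployment.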
