|Applies To||RSA Product Set: BSAFE|
RSA Product/Service Type: SSL-J
|Issue||RSA BSAFE SSL-J throws the following exception:|
javax.net.ssl.SSLException: Error creating premaster secret.
|Cause||A cryptographic failure is preventing the premaster secret from being generated, so the current cryptographic operation cannot be completed.|
This failure is typically caused by a configuration error or an attempt to use an unsupported or obsolete cryptographic algorithm or key size. Some examples of causes are:
- JCE Unlimited Strength Jurisdiction Policy Files are required for an algorithm and/or key size that is in use, but they are not installed, or are not installed correctly.
- Use of an unsupported or obsolete cryptographic algorithm, or a cryptographic algorithm that is not supported in the current FIPS mode or FIPS level (1 or 2).
- Use of an unsupported or obsolete key size, or a key size that is not supported in the current FIPS mode or FIPS level (1 or 2).
|Resolution||To resolve the issue:|
- Check that the correct JCE Unlimited Strength Jurisdiction Policy Files are installed in the correct directory for the JRE that is in use. For instructions, refer to the Installation Guide for your SSL-J version. For RSA BSAFE SSL-J v6.2.2, that is the RSA BSAFE SSL-J 6.2.2 Installation Guide, section "Install JCE Jurisdiction Policy Files" on page 6. Refer to the SSL-J product documentation for other SSL-J versions.
- Make a note of the cryptographic algorithms and key sizes that have been configured in RSA BSAFE SSL-J and also those that are used in external data that SSL-J is processing, such as local certificates and certificates sent from a remote node, and in SSL/TLS session handshake messages.
- Compare these to the algorithms and key sizes that are supported by the RSA BSAFE Crypto-J version used by your SSL-J version, according to the Crypto-J product documentation for that Crypto-J version. For RSA BSAFE Crypto-J v6.2.2, the documents to check for this information are:
The Crypto-J version that is used by SSL-J is documented in the Release Notes for your SSL-J version. Release Notes are listed in the SSL-J product documentation.
|Notes||Refer to the SSL-J Developer's Guide for more information about FIPS 140 (FIPS 140-2) configuration and operation. The Developer's Guide is available in the /doc folder of your SSL-J installation.|
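
The first two resolution steps can be checked with a small diagnostic. The following is an added example, not RSA code: it uses only standard JDK/JCE APIs, and the class name `PremasterDiag` is hypothetical. It reports whether the running JRE enforces the limited jurisdiction policy and lists the key algorithm, key size and signature algorithm of each certificate file passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;

// Hypothetical helper class (added example, not part of SSL-J).
public class PremasterDiag {
    // Key size in bits for RSA and EC public keys; -1 for other key types.
    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof ECPublicKey) return ((ECPublicKey) k).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // The policy files are per-JRE, so confirm which JRE is being inspected.
        System.out.println("java.home = " + System.getProperty("java.home"));

        // Step 1: under the limited policy files AES is capped at 128 bits;
        // with the unlimited files installed the cap is Integer.MAX_VALUE.
        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES max key length: "
                + (aesMax == Integer.MAX_VALUE ? "unlimited" : aesMax + " bits"));
        if (aesMax < 256) {
            System.out.println("WARNING: limited policy in effect; AES keys above "
                    + aesMax + " bits are blocked in this JRE");
        }

        // Step 2: note the algorithms and key sizes used by each certificate
        // (PEM or DER files given as arguments), for comparison with the
        // Crypto-J documentation.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    PublicKey k = x.getPublicKey();
                    System.out.printf("%s: subject=%s key=%s/%d sig=%s%n", path,
                            x.getSubjectX500Principal().getName(),
                            k.getAlgorithm(), keyBits(k), x.getSigAlgName());
                }
            }
        }
    }
}
```

Run it with the same JRE that runs the failing application. It does not check FIPS mode or Crypto-J algorithm support, which still have to be compared against the product documentation.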