000035431 - RSA BSAFE SSL-J reports "Error creating premaster secret"

Document created by RSA Customer Support Employee on Aug 5, 2017Last modified by RSA Customer Support on Jul 2, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035431
Applies ToRSA Product Set: BSAFE
RSA Product/Service Type: SSL-J

IssueRSA BSAFE SSL-J throws the following exception:

javax.net.ssl.SSLException: Error creating premaster secret.
CauseThere was a cryptographic failure that is preventing the premaster secret from being generated. The current cryptographic operation cannot be completed (fails).  

This failure is typically caused by a configuration error or an attempt to use an unsupported or obsolete cryptographic algorithm or key size.  Some examples of causes are:
  • JCE Unlimited Strength Jurisdiction Policy Files are required for an algorithm and/or key size that is in use, but they are not installed, or are not installed correctly.
  • Use of an unsupported or obsolete cryptographic algorithm, or a cryptographic algorithm that is not supported in the current FIPS mode or FIPS level (1 or 2).
  • Use of an unsupported or obsolete key size, or a key size that is not supported in the current FIPS mode or FIPS level (1 or 2).
ResolutionTo resolve the issue,
  1. Check that the correct JCE Unlimited Strength Jurisdiction Policy Files are installed in the correct directory for the JRE that is in use.  For instructions, refer the Installation Guide for your SSL-J version.  For RSA BSAFE SSL-J v6.2.2, that is the RSA BSAFE SSL-J 6.2.2 Installation Guide, section "Install JCE Jurisdiction Policy Files" on page 6.  Refer to the SSL-J product documentation for other SSL-J versions.
  2. Make a note of the cryptographic algorithms and key sizes that have been configured in RSA BSAFE SSL-J and also those that are used in external data that SSL-J is processing, such as local certificates and certificates sent from a remote node, and in SSL/TLS session handshake messages.
  3. Compare these to the algorithms and keys sizes that are supported by the RSA BSAFE Crypto-J version used by your SSL-J version, according to the Crypto-J product documentation for that Crypto-J version.  For RSA BSAFE Crypto-J v6.2.2, the documents to check for this information are:

The Crypto-J version that is used by SSL-J is documented in the Release Notes for your SSL-J version.  Release Notes are listed in the  SSL-J product documentation.
NotesRefer to the SSL-J Developer's Guide for more information about FIPS 140 (FIPS 140-2) configuration and operation.  The Developer's Guide is available in the /doc folder of your SSL-J installation.