This is a known issue in the following versions when using an AFX Connector to an Oracle database that uses encryption:
- RSA Identity Governance & Lifecycle - 7.2.1 P06
- RSA Identity Governance & Lifecycle - 7.5.0 P03
- SecurID Governance & Lifecycle - 7.5.2 GA
Failed connector settings test Connection error: java.security.InvalidAlgorithmParameterException: DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or X942DHParameterSpec (java.lang.RuntimeException)
The error is generated when the target Oracle Database uses Oracle Database Native Network Encryption (NNE) and requests encryption (ENCRYPTION=required) but does not enforce a FIPS 140 encryption level.
Current versions of AFX support and enforce FIPS 140 encryption if encryption is requested. Lower levels of encryption are considered insecure and are not allowed.
- RSA Governance & Lifecycle 8.0
1. This may be resolved by using FIPS 140 mode for the Oracle encryption. For most customers this is not practicable.
2. Another option is to disable Encryption between AFX and the Oracle Database server.
If you encountered the error described in this article, Oracle NNE encryption is enabled on the Oracle server. The Oracle listener may be configured to support encryption at one of three levels (accepted | requested | required).
If the Oracle listener is configured with SQLNET.ENCRYPTION_SERVER = REQUIRED, there is no solution.
If the Oracle listener is configured with ALLOWED or ACCEPTED, and the Oracle database is 21c (Note1) or later, it is possible to configure the AFX server to negotiate an unencrypted session.
a. Modify the AFX startup configuration by editing /home/oracle/AFX/esb/conf/wrapper.conf
b. Add the following line (the ordinal 10 is used here as the next unused entry number in the file; if an item numbered 10 already exists in the configuration file, increment the number so the new entry does not collide with it):
wrapper.java.additional.10=-Doracle.net.encryption_client=rejected
c. Restart AFX for this to take effect.
This setting will be overwritten if AFX is redeployed.
Ensure you remove this line to re-enable encryption once you upgrade to a version where encryption is supported.
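As an added example (not RSA's own code), a small Python helper that applies step b idempotently and reverts it for the re-enable step: it scans wrapper.conf for existing wrapper.java.additional.N entries and uses the next free index instead of assuming 10 is unused. The file path, the helper names and the sample configuration content are constructed for illustration.

```python
import re
from pathlib import Path

# Matches one "wrapper.java.additional.N=<value>" entry (hypothetical helper, not RSA's code).
ENTRY_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
# The JVM property from step b that makes the AFX JDBC client reject Oracle NNE.
REJECT_PROP = "-Doracle.net.encryption_client=rejected"


def next_additional_index(lines):
    """Return 1 + the highest wrapper.java.additional.N index already present (1 if none)."""
    used = [int(m.group(1)) for m in map(ENTRY_RE.match, lines) if m]
    return max(used, default=0) + 1


def add_reject_encryption(text):
    """Return wrapper.conf text with the reject property present exactly once."""
    lines = text.splitlines()
    for line in lines:
        m = ENTRY_RE.match(line)
        if m and m.group(2) == REJECT_PROP:
            return text  # already configured; leave the file untouched
    idx = next_additional_index(lines)
    lines.append(f"wrapper.java.additional.{idx}={REJECT_PROP}")
    return "\n".join(lines) + "\n"


def remove_reject_encryption(text):
    """Return wrapper.conf text without the reject property (re-enables NNE after upgrade)."""
    kept = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(2) == REJECT_PROP:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def patch_file(path, enable_reject):
    """Apply (enable_reject=True) or revert (False) the change on disk; True if the file changed."""
    p = Path(path)  # e.g. /home/oracle/AFX/esb/conf/wrapper.conf on the AFX host
    before = p.read_text()
    after = add_reject_encryption(before) if enable_reject else remove_reject_encryption(before)
    if after != before:
        p.write_text(after)
    return after != before


# Constructed sample wrapper.conf fragment in which item 10 is already taken.
SAMPLE_CONF = """wrapper.java.command=java
wrapper.java.additional.1=-Xms256m
wrapper.java.additional.10=-Djava.awt.headless=true
"""
```

Restart AFX after changing the file, as in step c; the helper only edits the configuration.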
Note1. Oracle intends to back-port the feature that allows client negotiation of the encryption to Oracle 19c, but it is unclear at what patch level this will be done. At the time of writing this improvement had not been back-ported to Oracle 19.14.0.0.0. This feature may work on later patches of Oracle 19c. Contact Oracle Customer Support for more specific information.