FIM 3.1.2 - CryptoJ jar causing signature verification errors with md2 signature algorithm
3 years ago
Originally Published: 2008-05-22
Article Number
000040079
Applies To
RSA Federated Identity Management Module (FIM) 3.1.2
IBM WebSphere 6.0.2
Crypto J jar version 3.5.2 -  jsafeJCEFIPS.jar in security.providers
Certificate caontains an md2RSA hash
Issue
FIM 3.1.2  - CryptoJ jar causing signature verification errors with md2 signature algorithm

 signature verification error in system log

2008-05-05 20:52:06,042, (SSOHelper.java:608), uhaps004, , , , SSO top-level profile exception: , com.rsa.fim.exception.ProfileException: The response signature cannot be verified: The message is signed, but the signature cannot be verified


Cause
Version 3.5.2 of CryptoJ is failing the certificate chain check on a cert in the chain with an md2RSA signature algorithm.  This is due to a defect with the 3.5.2 version of the jsafeJCEFIPS.jar  -  Bug 52609 - JCE MD2WithRSA Signature Error 
Resolution

Apply one of the following three solutions:

  1.  Move the jsafeJCEFIPS.jar to the bottom of the security providers list or at least below the IBM versions of Jsafe  com.ibm.crypto.provider.IBMJCE or com.ibm.crypto.fips.provider.IBMJCEFIPS.
  2.  Replace the certs with signature algorithms other than MD2, such as SHA1
  3. Obtain hotfix FIM 3.1.2.5 which uses version 4.0 of the jsafeJCEFIPS. jar and add  "com.rsa.cryptoj.jce.fips140initialmode=NON_FIPS140_MODE" to the bottom of the java.security file.  This will turn off forced FIPS compliance ( added since CRYPTOJ 3.6 version)  which would not of allowed md2 certs to be used.

Related Articles

Trending Articles

Don't see what you're looking for?