This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

Oracle AFX connector message "DH Parameters without subprime Q are not FIPS 140 approved" in RSA Governance & Lifecycle

Article Number

000067908

Applies To

This is a known issue in the following versions when using an AFX Connector to an Oracle database that uses encryption:

  • RSA Identity Governance & Lifecycle - 7.2.1 P06
  • RSA Identity Governance & Lifecycle - 7.5.0 P03
  • SecurID Governance & Lifecycle - 7.5.2 GA

Issue

The following message is displayed when testing an Oracle Database AFX Connector: 
Failed connector settings test
Connection error: java.security.InvalidAlgorithmParameterException: DH Parameters without subprime Q are not FIPS 140 approved, specify using DSAParameterSpec or X942DHParameterSpec (java.lang.RuntimeException)

Image descriptionImage description
 

Cause

The error is generated when the target Oracle Database using Oracle Database Native Network Encryption (NNE) requests (ENCRYPTION=required) but does not enforce FIP 140 encryption level.

Current versions of AFX support and enforce FIPS 140 encryption if encryption is requested.  Lower levels of encryption are considered insecure and are not allowed.

Resolution

This issue is resolved in the following version which deprecates 1024 bit DHE encryption types that cause FIPS 140 compatibility issues. 
  • RSA Governance & Lifecycle 8.0
(Note that RSA Governance & Lifecycle version 8.0 has not been released at the time of authoring this knowledgebase article.)

Workaround

1.  This may be resolved by using FIPS 140 mode for the Oracle encryption.  For most customers this is not practicable.

2.  Another option is to disable Encryption between AFX and the Oracle Database server.

If you encountered the error described in this article, Oracle NNE encryption is enabled on the Oracle server but the Oracle listener may be configured to support encryption at three levels (accepted | requested | required).

If the Oracle listener is configured with SQLNET.ENCRYPTION_SERVER = REQUIRED, there is no solution.

If the Oracle listener is configured with ALLOWED or ACCEPTED, and the Oracle database is 21c (Note1) or later, it is possible to configure the AFX server to negotiate an unencrypted session.

a.  Modify the AFX startup configuration by editing /home/oracle/AFX/esb/conf/wrapper.conf

b.  Add the following line (the ordinal number 10 represents the latest line in the file, increment this number if required when there already is an item number 10 in the configuration file):

wrapper.java.additional.10=-Doracle.net.encryption_client=rejected

c.  Restart AFX for this to take effect.

This setting will be overwritten if AFX is redeployed.
Ensure you remove this line to reenable encryption once you upgrade to a version where encryption is supported.

Note1.  Oracle intends to back port the feature that allows for client negotiation of the encryption to Oracle 19c but it is unclear what patch level this will be done in.  At the time of writing this improvement had not been back ported to Oracle 19.14.0.0.0.  This feature may work on later patches of Oracle 19c.  Contact Oracle Customer Support for more specific information.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
2 weeks ago
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.