Posted to fx-dev@ws.apache.org by ma...@fsb.se on 2006/05/04 13:21:39 UTC

PROBLEM INSTALLING BOUNCYCASTLE IN WEBSPHERE 5.1.2 ENVIRONMENT

Hi

I am currently using 1.1.0, and if you have made the changes in 1.5.0 to remove the explicit "BC" provider and moved the BC provider to the highest possible position, this means 1.5.0 would probably crash a WebSphere 5.1.2 server during startup. I know it is a large contradiction to the JCE specs, but that's not the first strange behaviour I came across in WebSphere (or Webfear as I call it).

But it's strange that when I request an XMLCipher with transformation http://www.w3.org/2001/04/xmlenc#tripledes-cbc, which later converts to the JCE algorithm DESede/CBC/ISO10126Padding, the Cipher.getInstance("DESede/CBC/ISO10126Padding") returns an IBM cipher from one of its providers, as it's stated before BouncyCastle in java.security. According to the JCE specs this means that the implementation should support the algorithms that were asked for, am I right? But obviously the implementation does support ISO10126Padding, as it later on throws a NoSuchPaddingException. This must be a fault in the IBM provider? If you agree I am going to file a report on this for IBM.

I made changes to the 1.1.0 code so that when an XMLCipher is created I am using the getProviderInstance and not the getInstance method. That is, I make sure that JCE returns the BouncyCastle provider. With these changes I get WSS4J to work under a WebSphere 5.1.2 environment. The BouncyCastle provider is at location 4 in the java.security file.

About the needed changes for 1.5.0 to make it work under WebSphere, I would say that two configuration values are needed. One that states the first highest possible number where a provider can be inserted. And a configuration value that states the preferred provider to be used. If it's null or not specified the code will use the JCE default lookup. Do you see any problem with this solution, ignoring the need to code specifically for WebSphere, which doesn't follow the JCE spec?

Regards,
Markus


-----Original message-----
From: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
Sent: 4 May 2006 08:56
To: Markus Backman; wss4j-dev@ws.apache.org
Cc: David Hook
Subject: RE: [dev-crypto] PROBLEM INSTALLING BOUNCYCASTLE IN WEBSPHERE 5.1.2 ENVIRONMENT


Markus, all, 

in WSS4J 1.5.0 we removed the explicit "BC" provider when loading a Cipher or other crypto stuff. We try to load the BC and/or JuiCE provider dynamically:

- in WSConfig we try to load the BC provider and put it on the
  highest possible position (that is number 2) on the provider list

- then we check if JuiCE provider is available (the Apache JuiCE
  JCE provider that uses the openSSL crypto library). If available
  put it on highest possible position

This function looks up provider classes in the CLASSPATH. If a provider class is not found this provider is silently ignored.

Thus if both providers are available we have:
- JuiCE on position 2, BC on position 3. If only BC is
  available BC is on position 2.

When loading a Cipher class we rely on the JCE lookup mechanism that uses the topmost provider that offers the algorithm. We did that because we try to have those providers on top that offer all algos we need, or in case of JuiCE the fastest provider.

Reading the mail thread below it could be that we may run into problems with this WebSphere version because we put the BC and/or JuiCE on position 2 in the list - and it seems that WebSphere doesn't like that. And this is, AFAIK, in contradiction to the JCE specs. Maybe we need to implement a configuration parameter that defines "which position to use when dynamically inserting JCE providers".

Regards,
Werner

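The two configuration values Markus proposes (a maximum insertion position and a preferred provider) together with the dynamic provider insertion Werner describes for WSConfig, as an added illustration that is not WSS4J's own code. The property names wss4j.provider.position and wss4j.provider.preferred are assumed, as is bcprov being on the classpath; the lookup fails fast with NoSuchPaddingException if the provider that wins the lookup lacks ISO10126Padding.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

// Added example (not WSS4J code). Property names are hypothetical.
public final class ProviderSetup {
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Insert a provider class at the configured (1-based) position, or leave it
     *  alone if it is already registered. Returns the provider name, or null if the
     *  class is not on the classpath (silently ignored, as WSConfig does). */
    static String insertProvider(String className, int position) {
        try {
            Provider p = (Provider) Class.forName(className).newInstance();
            if (Security.getProvider(p.getName()) == null) {
                // Too large a position is clamped to the end of the list by the JDK,
                // so a WebSphere-safe value such as 4 never disturbs the IBM providers.
                Security.insertProviderAt(p, position);
            }
            return p.getName();
        } catch (Exception e) {
            return null;
        }
    }

    /** Preferred-provider lookup: explicit provider when configured, default JCE
     *  ordering otherwise. getInstance itself throws when the provider chosen by
     *  the lookup does not implement the requested padding. */
    static Cipher getCipher(String transformation, String preferredProvider)
            throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
        if (preferredProvider == null || preferredProvider.length() == 0) {
            return Cipher.getInstance(transformation);
        }
        return Cipher.getInstance(transformation, preferredProvider);
    }

    public static void main(String[] args) throws Exception {
        int position = Integer.getInteger("wss4j.provider.position", 2).intValue();
        String preferred = System.getProperty("wss4j.provider.preferred"); // e.g. "BC"
        String bc = insertProvider(BC_CLASS, position);
        Cipher c = getCipher("DESede/CBC/ISO10126Padding", preferred);
        System.out.println("BC registered as " + bc + "; cipher served by provider "
                + c.getProvider().getName());
    }
}
```

Run with -Dwss4j.provider.position=4 -Dwss4j.provider.preferred=BC to reproduce the setup Markus describes; without the second property the printed provider name shows which provider the default JCE lookup actually selected.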

> -----Original message-----
> From: Markus Backman [mailto:markus@umeweb.com]
> Sent: Thursday, 4 May 2006 08:00
> To: wss4j-dev@ws.apache.org
> Cc: David Hook
> Subject: Re: [dev-crypto] PROBLEM INSTALLING BOUNCYCASTLE IN
> WEBSPHERE 5.1.2 ENVIRONMENT
> 
> Hi
> 
> I have tried to change the location of the bouncycastle jar, in the
> ext lib, the war files lib dir and the ear. Nothing seems to work. The
> wss4j code used the following to get the padding mechanism (as far as
> I can tell. I am going to take this to their dev mailinglist also).
> 
> Cipher.getInstance("RSA/NONE/OAEPPADDING", "BC");
> 
> So it mentions the BC as provider, so it must be something that is
> wrong with the Websphere 5.1.2 environment. A possible solution is to
> make changes to the wss4j code to ignore BC and use algorithms
> supported by IBM JCE. But I haven't investigated the amount of work
> this would require.
> 
> I have also been in contact with Benjamin Francioni, who posted the first
> question about websphere and bouncycastle on this mailinglist (link in
> my previous mail). And he didn't find any solution to the problem, so he
> used jakarta tomcat instead. Below is a cut from his answer:
> 
> Unfortunately, I didn't solve this problem:
> IBM JRE doesn't support this algo.
> IBM JRE doesn't support BouncyCastle that implements this algo. IBM
> support wasn't able to help me . So I decided myself to use Tomcat 
> with a Sun JVM.
> 
> 
> So it seems that this is a very annoying limit in the IBM websphere
> product. Hopefully I will get some form of response for this problem
> by IBM and put some pressure on them to make it work in future
> versions so that Bouncycastle can be used also under an IBM jre.
> 
> Regards,
> Markus
> 
> David Hook wrote:
> 
> >The only thing I can suggest is it's a class loader issue, although I've
> >no idea how it would be caused. Does your use of the padding mechanism
> >explicitly mention BC? That might help, other than that I'd try moving
> >the provider jar around if possible.
> >
> >Regards,
> >
> >David
> >
> >On Wed, 2006-05-03 at 17:25 +0200, Markus Backman wrote:
> >
> >>Hi
> >>
> >>The problem I have encountered was during the development of a WSS4J
> >>(Web Service Security for Java) based Web Service. WSS4J has a
> >>requirement that BouncyCastle is available as a provider. The following
> >>description states the environment and the development process, not only
> >>for the use of bouncycastle but also of WSS4J.
> >>
> >>I have successfully managed to secure an Axis based Web Service with
> >>WSS4J. During the development I used SUN's JDK 1.4.2_11 and Jakarta Tomcat
> >>5.0.30. I ran the test client and the deployed Web Service on the same
> >>machine, both running under jre1.4.2_11. This was to make sure that it
> >>ran on the only requirement we have on the client platform, jre1.4.2 or
> >>later. These testcases worked fine. But as the company I work for has
> >>Websphere 5.1 as J2EE servers, I started to move the Web Service to WSAD
> >>and a Websphere 5.1 server. When doing so I ran into a problem. I know
> >>WSS4J has a requirement on BouncyCastle, so I started with updating the
> >>java.security file under the IBM 1.4 jre Websphere 5.1 is running on. I
> >>added the BouncyCastle provider as number 4, as number one needs to be
> >>Sun's default and 2 and 3 need to be the IBM providers as the server
> >>would start otherwise, and started the server. I ran the
> >>testclient (under SUN's jre 1.4.2_11) again but received the following
> >>exception on the server.
> >>
> >>"Original Exception was javax.crypto.NoSuchPaddingException: Padding:
> >>ISO10126Padding not implemented"
> >>
> >>A quick check on BouncyCastle's website stated that ISO10126Padding is
> >>implemented. So the BouncyCastle provider can't be correctly installed
> >>on the Websphere 5.1 server. A google later showed that a small number
> >>of people encountered this before, but with no description of what the
> >>solution is, for example:
> >>
> >>http://article.gmane.org/gmane.comp.encryption.bouncy-castle.devel/2378/match=com+ibm+security+bootstrap+jdkmessagedigest+sha1
> >>
> >>Has anyone successfully deployed BouncyCastle in a Websphere 5.1.2
> >>environment? If so, how did you set up your java.security file?
> >>
> >>I am using WSS4J 1.1.0 that ships with bcprov-jdk13-128.jar. I have placed
> >>it in the ext lib under the IBM jre (1.4) that runs the 5.1.2 server.
> >>
> >>I am desperate for some assistance.
> >>
> >>Thanks
> >>Markus
> >>
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
