Thursday, 18 June 2015

IBM Java 7 and 256-bit AES ciphers - The unrestricted truth

I have written a LOT about TLS 1.2 recently: -








so here's some more grist for that particular mill.

This is again in the context of WAS to DB2 connectivity, where my colleague. John The DBA, and I were looking at the key length of the AES ciphers that we're using.

( For the record, AES is Advanced Encryption Standard, also referenced as Rijndael - source: Wikipedia )

John kindly shared a nice little Java class: -

CipherTest.java

import javax.crypto.Cipher;
class CipherTest {
    public static void main(String args[]) {
        try {
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            if(maxKeyLen < 256) {
                System.out.println("FAILED: Max AES key length too small! (" + maxKeyLen + ").");
            } else {
                System.out.println("PASSED: Max AES key length OK! - >= 256 (" + maxKeyLen + ").");
            }
        } catch(Exception e) {
            System.out.println("FAILED: No AES found!");
        }
    }
}


I compiled this on a box running IBM Java 7 and WAS 8.5.5: -

...
Name                  IBM WebSphere SDK Java Technology Edition (Optional)
Version               7.0.8.10
ID                    IBMJAVA7
Build Level           cf051507.01
Build Date            2/19/15
Package               com.ibm.websphere.IBMJAVA.v70_7.0.8010.20150219_1802
Architecture          x86-64 (64 bit)
Installed Features    IBM WebSphere SDK for Java Technology Edition 7

...
Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server Network Deployment
Version               8.5.5.5
ID                    ND
Build Level           cf051507.01
Build Date            2/20/15
Package               com.ibm.websphere.ND.v85_8.5.5005.20150220_0158
Architecture          x86-64 (64 bit)
Installed Features    IBM 64-bit WebSphere SDK for Java
                      WebSphere Application Server Full Profile
                      EJBDeploy tool for pre-EJB 3.0 modules
                      Embeddable EJB container
                      Sample applications
                      Stand-alone thin clients and resource adapters

...


having first setup my shell to use the IBM Java 7: -

source /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/setupCmdLine.sh 

I compiled and ran the class: -

javac CipherTest.java

java -cp . CipherTest

but, alas, it failed: -

128
FAILED: Max AES key length too small! (128).


Or, to be more precise, the test worked perfectly, by indicating that, out-of-the-box, the IBM JRE is only happy to accept 128-bit ciphers.

The class uses this code: -

Cipher.getMaxAllowedKeyLength

which is part of the javax.crypto.Cipher class.

So, the fact that the class returns 128 tells me a lot about my Java Runtime Environment.

Now, as mentioned in some of my other posts, I can choose to replace the JRE policy files with these: _


which I did choose to do.

This is what I did: -

(a) Establish where Java lives

which java

/opt/IBM/WebSphere/AppServer/java_1.7_64/bin/java

(b) Navigate to the JRE's security policy library folder

cd /opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security

(c) Backup the existing policy files

mv local_policy.jar  local_policy.RAJ
mv US_export_policy.jar  US_export_policy.RAJ

(d) Unpack the unrestricted policy files: -

unzip /tmp/unrestrictedpolicyfiles.zip 

( This all done as wasadmin who "owns" the WAS binaries and configuration )

I then re-tested my class: -

java -cp . CipherTest

which now returns: -

2147483647
PASSED: Max AES key length OK! - >= 256 (2147483647).

Now I need to replicate this on my AIX environment, and also trace the connectivity between WAS and DB2 to see which particular cipher suite is being chosen.

Which is nice :-)

No comments: