Thursday, 18 June 2015

IBM Java 7 and 256-bit AES ciphers - The unrestricted truth

I have written a LOT about TLS 1.2 recently: -

so here's some more grist for that particular mill.

This is again in the context of WAS to DB2 connectivity, where my colleague. John The DBA, and I were looking at the key length of the AES ciphers that we're using.

( For the record, AES is Advanced Encryption Standard, also referenced as Rijndael - source: Wikipedia )

John kindly shared a nice little Java class: -

import javax.crypto.Cipher;
class CipherTest {
    public static void main(String args[]) {
        try {
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            if(maxKeyLen < 256) {
                System.out.println("FAILED: Max AES key length too small! (" + maxKeyLen + ").");
            } else {
                System.out.println("PASSED: Max AES key length OK! - >= 256 (" + maxKeyLen + ").");
        } catch(Exception e) {
            System.out.println("FAILED: No AES found!");

I compiled this on a box running IBM Java 7 and WAS 8.5.5: -

Name                  IBM WebSphere SDK Java Technology Edition (Optional)
ID                    IBMJAVA7
Build Level           cf051507.01
Build Date            2/19/15
Architecture          x86-64 (64 bit)
Installed Features    IBM WebSphere SDK for Java Technology Edition 7

Installed Product
Name                  IBM WebSphere Application Server Network Deployment
ID                    ND
Build Level           cf051507.01
Build Date            2/20/15
Architecture          x86-64 (64 bit)
Installed Features    IBM 64-bit WebSphere SDK for Java
                      WebSphere Application Server Full Profile
                      EJBDeploy tool for pre-EJB 3.0 modules
                      Embeddable EJB container
                      Sample applications
                      Stand-alone thin clients and resource adapters


having first setup my shell to use the IBM Java 7: -

source /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/ 

I compiled and ran the class: -


java -cp . CipherTest

but, alas, it failed: -

FAILED: Max AES key length too small! (128).

Or, to be more precise, the test worked perfectly, by indicating that, out-of-the-box, the IBM JRE is only happy to accept 128-bit ciphers.

The class uses this code: -


which is part of the javax.crypto.Cipher class.

So, the fact that the class returns 128 tells me a lot about my Java Runtime Environment.

Now, as mentioned in some of my other posts, I can choose to replace the JRE policy files with these: _

which I did choose to do.

This is what I did: -

(a) Establish where Java lives

which java


(b) Navigate to the JRE's security policy library folder

cd /opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security

(c) Backup the existing policy files

mv local_policy.jar  local_policy.RAJ
mv US_export_policy.jar  US_export_policy.RAJ

(d) Unpack the unrestricted policy files: -

unzip /tmp/ 

( This all done as wasadmin who "owns" the WAS binaries and configuration )

I then re-tested my class: -

java -cp . CipherTest

which now returns: -

PASSED: Max AES key length OK! - >= 256 (2147483647).

Now I need to replicate this on my AIX environment, and also trace the connectivity between WAS and DB2 to see which particular cipher suite is being chosen.

Which is nice :-)

No comments:

Note to self - using the CRI tool - crictl - to clean up unready pods

 Purely 'cos I know I'll need this again: - for i in `crictl pods | grep NotReady | awk '{print $1}'`; do crictl rmp $i; don...