
I read that IBM's cryptography modules are incompatible with Sun modules, but I don't know how to force IBM WebSphere (WAS7) to use Sun modules.

java.lang.ClassCastException: com.ibm.crypto.provider.TDCNP incompatible with javax.crypto.CipherSpi
    at javax.crypto.Cipher.getInstance(Unknown Source)
    at javax.crypto.Cipher.getInstance(Unknown Source)

I have a JAR file called iaik_jce_full.jar which should supposedly work (it works elsewhere but not in WAS).

I tried to work around this by adding the Sun libraries to my project, but it seems WebSphere loads its own Java classes before the application's, even if the class loader PARENT_LAST setting is used.

This is from the first link. I have tried the same and I am using the "parent last" setting already.

The WebSphere installation comes with an ibmjceprovider.jar file which contains the offending class TDCNP.

How do I fix this problem?

ADTC
  • Maybe you could remove that `iaik_jce_full.jar` from your application, since WebSphere provides a JCE implementation. Check [this page](http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/JceDocs/algorithms.html) for supported algorithms. – Gas Jun 03 '15 at 09:40
  • Otherwise you will need to add your provider to the `WAS_HOME\lib\security\java.security` file and add the provider jar to the JDK `lib\ext` folder. – Gas Jun 03 '15 at 09:46
  • @Gas The algorithm used is `DESede/CBC/NoPadding` which doesn't appear supported by WebSphere's JCE and that's why we need `iaik_jce_full.jar` (or I could be wrong). When you say "add your provider" you mean I should add the `iaik_jce_full.jar` file to the mentioned path and include the jar file name in the `java.security` file? – ADTC Jun 04 '15 at 04:41
  • Move `iaik_jce_full.jar` from your application to the `WebSphere\AppServer\java\jre\lib\ext` and add `security.provider.Y=your.provider.full.package.name` to the `java.security` file, where Y would be the next available number. – Gas Jun 04 '15 at 07:45
  • @Gas I tried adding `security.provider.1=iaik.security.provider.IAIK` to the `java.security` file and the whole WAS7 stopped working. When changed to `security.provider.2` (re-ordering in the original list), WAS7 resumed working again, but the problem is not resolved. I had also tried `13` (next available number), `6` (middle of existing list), `3`, etc., but the result is the same. The `jar` file is in the `java\jre\lib\ext` folder as mentioned. – ADTC Jun 04 '15 at 07:50
  • So if this doesn't work, you would have to contact the developers of the provider for detailed instructions, as in general using external providers is not supported in WebSphere; see [Support For Sun's JSSE or JCE Provider In WebSphere Application Server](http://www-01.ibm.com/support/docview.wss?uid=swg21107270) – Gas Jun 04 '15 at 07:57
  • I'm running the sample from [here](https://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/JceDocs/supported_algorithms.html) and using `Java(TM) SE Runtime Environment 1.6 (build pwi3260_26sr5ifix-20130314_01(SR5+IV36426 +IV37656+IV37419+IV38029))`. I see the following `Cipher.3DES = DESede` `Cipher.DESede/CBC/NoPadding = TripleDES/CBC/NoPadding` in the supported algorithm list, so you may try whether it will work for you. – Gas Jun 04 '15 at 08:35
  • Not really sure what to make of this, but we removed the `javax.crypto` package from the `iaik_jce_full.jar` archive and this **resolved the problem**. This package contained the `javax.crypto.CipherSpi` class which is being reported as incompatible by the quoted exception. *What really happened, I don't know. All I know is that this is a solution that works.* (We are going to check whether the package removal would break something else by regression.) – ADTC Jun 04 '15 at 10:33
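
The last comment traces the fix to a copy of `javax.crypto` bundled inside the provider JAR. The following diagnostic is an added example, not code from the thread: it prints where the running JVM loaded `javax.crypto.Cipher` and `CipherSpi` from, lists each registered provider with its origin and whether it offers a `DESede` cipher, and counts `javax/crypto/` classes in any JAR paths passed as arguments. The class name `JceConflictCheck` and its helper methods are hypothetical, and the code keeps to Java 6 syntax to match the 1.6 runtime quoted above.

```java
import java.io.IOException;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical diagnostic class (not part of WebSphere or IAIK).
public class JceConflictCheck {

    // Describe where a class came from; a null code source means the JRE boot class path.
    static String origin(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        String from = (cs == null || cs.getLocation() == null)
                ? "bootstrap/JRE" : cs.getLocation().toString();
        return c.getName() + " <- " + from + " (loader: " + c.getClassLoader() + ")";
    }

    // Count classes in a JAR that sit in javax.crypto.*, i.e. duplicates of JRE framework classes.
    static int bundledFrameworkClasses(String jarPath) throws IOException {
        int count = 0;
        JarFile jar = new JarFile(jarPath);
        try {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                String name = e.nextElement().getName();
                if (name.startsWith("javax/crypto/") && name.endsWith(".class")) {
                    System.out.println("  duplicate framework class: " + name);
                    count++;
                }
            }
        } finally {
            jar.close();
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // If these two report different loaders or locations, two copies of the JCE framework are visible.
        System.out.println(origin(javax.crypto.Cipher.class));
        System.out.println(origin(javax.crypto.CipherSpi.class));
        for (Provider p : Security.getProviders()) {
            boolean desede = p.getService("Cipher", "DESede") != null;
            System.out.println(p.getName() + " DESede=" + desede + " | " + origin(p.getClass()));
        }
        for (String jarPath : args) {
            System.out.println(jarPath + ": " + bundledFrameworkClasses(jarPath) + " javax.crypto classes");
        }
    }
}
```

Run it inside the same JVM and class loader context as the failing code (for example, by calling `main` from the deployed application), since a stand-alone run only shows the JRE's own view.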
