I have written a LOT about TLS 1.2 recently: -
so here's some more grist for that particular mill.
This is again in the context of WAS to DB2 connectivity, where my colleague, John The DBA, and I were looking at the key length of the AES ciphers that we're using.
( For the record, AES is Advanced Encryption Standard, also referenced as Rijndael - source: Wikipedia )
John kindly shared a nice little Java class: -
CipherTest.java
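import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

class CipherTest {
    public static void main(String[] args) {
        try {
            // Largest AES key size, in bits, that the installed JCE policy files permit
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            // Print the raw limit before the verdict
            System.out.println(maxKeyLen);
            if (maxKeyLen < 256) {
                System.out.println("FAILED: Max AES key length too small! (" + maxKeyLen + ").");
            } else {
                System.out.println("PASSED: Max AES key length OK! - >= 256 (" + maxKeyLen + ").");
            }
        } catch (NoSuchAlgorithmException e) {
            // No installed provider offers AES at all
            System.out.println("FAILED: No AES found!");
        }
    }
}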
I compiled this on a box running IBM Java 7 and WAS 8.5.5: -
...
Name IBM WebSphere SDK Java Technology Edition (Optional)
Version 7.0.8.10
ID IBMJAVA7
Build Level cf051507.01
Build Date 2/19/15
Package com.ibm.websphere.IBMJAVA.v70_7.0.8010.20150219_1802
Architecture x86-64 (64 bit)
Installed Features IBM WebSphere SDK for Java Technology Edition 7
...
Installed Product
--------------------------------------------------------------------------------
Name IBM WebSphere Application Server Network Deployment
Version 8.5.5.5
ID ND
Build Level cf051507.01
Build Date 2/20/15
Package com.ibm.websphere.ND.v85_8.5.5005.20150220_0158
Architecture x86-64 (64 bit)
Installed Features IBM 64-bit WebSphere SDK for Java
WebSphere Application Server Full Profile
EJBDeploy tool for pre-EJB 3.0 modules
Embeddable EJB container
Sample applications
Stand-alone thin clients and resource adapters
...
having first set up my shell to use the IBM Java 7: -
source /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/setupCmdLine.sh
I compiled and ran the class: -
javac CipherTest.java
java -cp . CipherTest
but, alas, it failed: -
128
FAILED: Max AES key length too small! (128).
Or, to be more precise, the test worked perfectly, by indicating that, out-of-the-box, the IBM JRE is only happy to accept 128-bit ciphers.
The class uses this code: -
Cipher.getMaxAllowedKeyLength
which is part of the javax.crypto.Cipher class.
So, the fact that the class returns 128 tells me a lot about my Java Runtime Environment.
Now, as mentioned in some of my other posts, I can choose to replace the JRE policy files with these: -
which I did choose to do.
This is what I did: -
(a) Establish where Java lives
which java
/opt/IBM/WebSphere/AppServer/java_1.7_64/bin/java
(b) Navigate to the JRE's security policy library folder
cd /opt/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security
(c) Backup the existing policy files
mv local_policy.jar local_policy.RAJ
mv US_export_policy.jar US_export_policy.RAJ
(d) Unpack the unrestricted policy files: -
unzip /tmp/unrestrictedpolicyfiles.zip
( This was all done as wasadmin, who "owns" the WAS binaries and configuration )
I then re-tested my class: -
java -cp . CipherTest
which now returns: -
2147483647
PASSED: Max AES key length OK! - >= 256 (2147483647).
Now I need to replicate this on my AIX environment, and also trace the connectivity between WAS and DB2 to see which particular cipher suite is being chosen.
Which is nice :-)
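
An added example, not from the original post or from John's class: it goes beyond the single getMaxAllowedKeyLength call by actually initialising AES ciphers at 128, 192 and 256 bits and by listing the AES_256 cipher suites that the JRE's default SSLContext reports as supported, so the output can be compared before and after the policy files are swapped. The class name PolicyProbe and the all-zero test key are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name); written to compile on Java 7.
class PolicyProbe {

    // True when the installed policy lets an AES cipher be initialised with a key of keyBits bits.
    static boolean aesKeyAccepted(int keyBits) {
        try {
            // All-zero key: constructed test input only, never use it for real data.
            SecretKeySpec key = new SecretKeySpec(new byte[keyBits / 8], "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // init() throws InvalidKeyException when the policy forbids this key size
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Policy limit for AES: "
                + Cipher.getMaxAllowedKeyLength("AES") + " bits");

        int[] sizes = {128, 192, 256};
        for (int bits : sizes) {
            System.out.println("AES-" + bits + " init: "
                    + (aesKeyAccepted(bits) ? "accepted" : "rejected"));
        }

        // Cipher suites the default JSSE context reports as supported.
        // Matching on "AES_256" covers both the SSL_ and TLS_ name prefixes.
        SSLContext ctx = SSLContext.getDefault();
        int aes256 = 0;
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.contains("AES_256")) {
                System.out.println("  supported: " + suite);
                aes256++;
            }
        }
        System.out.println(aes256 + " AES_256 cipher suites supported");
    }
}
```

Compile and run it the same way as CipherTest, once with the original policy jars in place and once with the unrestricted ones, and compare the two outputs.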