
Export restriction: SunJSSE only on Tomcat startup

Status
Not open for further replies.

gavgit (Programmer), Sep 24, 2004, US
I am using tomcat4.1.3 with j2sdk1.4.1_01. I am implementing IBM security for database and Sun Security for SSL. Database connection works fine if I use IBM jar files without configuring my application for SSL. But if I configure SSL and leave those IBM jar files (which I need, otherwise I get an encryption/decryption error on database connection), I get the following error on Tomcat startup:

Export restriction: SunJSSE only

However, if I don't include the IBM jar files mentioned below, Tomcat starts up fine and SSL works.

Following is the configuration for SSL and database security.
The C:\j2sdk1.4.1_01\jre\lib\ext folder contains:
dnsns.jar, ibmjcefw.jar, ibmjceprovider.jar, ibmjsse.jar, ibmpkcs.jar, jcert.jar, jnet.jar, jsse.jar, ldapsec.jar, local_policy.jar, localedat.jar, sunjce_provider.jar, US_export_policy.jar

Following is the list of providers in the C:\j2sdk1.4.1_01\jre\lib\security folder:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.JSSEProvider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.rsajca.Provider
security.provider.7=sun.security.jgss.SunProvider

Following are the entries in server.xml (for SSL):
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="80" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="443"
           acceptCount="100" debug="0" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true" />

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="c:\j2sdk1.4.1_01\keystore\.keystore"
           keystorePass="mypassword" />
</Connector>

Any insight on this is heartily appreciated.


 
Hi gavgit,

I saw your question while researching a similar problem we're having. Unfortunately for us, it doesn't help, but from my research, I think I can answer your question, if you still need help. Otherwise, this will serve others who may run into the same problem you're having.
Since you only need IBM's encryption libraries for your database access and not SSL, I think all you need to do is simply change the order of your provider list in your java.security file. The providers should be listed as:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.ibm.crypto.provider.IBMJCE
security.provider.7=com.ibm.jsse.JSSEProvider

Read the documentation on JSSE from Sun's site, and it explains how the ordering of the providers is relevant. If the above configuration doesn't work, you may want to try bumping up the IBMJCE before the SunJCE. Since all you need is IBM's cryptography, you don't need to list their SSL provider (com.ibm.jsse.JSSEProvider) before Sun's. You may also be able to just completely remove that provider.

-Oliver
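Added example (my own code, not from either poster or from Tomcat): a small Java program that shows how the order of the security.provider.N entries decides which provider ends up backing an SSLContext and a JCE Cipher, and that applies the reordering Oliver suggests at runtime with Security.insertProviderAt instead of editing java.security. The provider class names are the ones from the java.security listing above; it assumes IBM's jars are on the classpath (jre/lib/ext) and falls back to the stock Sun providers, skipping the IBM steps, when they are not.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/*
 * Added example, not code from the thread. Dumps the JCA provider order,
 * shows which provider wins for TLS and for a JCE cipher, then moves Sun's
 * JSSE provider ahead of IBM's at runtime (the equivalent of Oliver's
 * java.security ordering) and shows the result. Written against the
 * J2SDK 1.4 API so it compiles there as well as on current JDKs.
 */
public class ProviderOrderCheck {

    // Provider class names exactly as listed in the java.security file above.
    // Assumption: IBM's jars are installed; load() copes with them being absent.
    static final String SUN_JSSE = "com.sun.net.ssl.internal.ssl.Provider";
    static final String IBM_JCE  = "com.ibm.crypto.provider.IBMJCE";
    static final String IBM_JSSE = "com.ibm.jsse.JSSEProvider";

    /** Print the installed providers in precedence order (position 1 is tried first). */
    static void dumpProviders(String heading) {
        System.out.println("== " + heading);
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println("  " + (i + 1) + ". " + ps[i].getName()
                + " (" + ps[i].getClass().getName() + ")");
        }
    }

    /** Show which provider is selected for the two services this thread cares about. */
    static void whoServes() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        System.out.println("  SSLContext TLS -> " + ctx.getProvider().getName());
        Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
        System.out.println("  Cipher DES/CBC -> " + c.getProvider().getName());
    }

    /** Instantiate a provider by class name; returns null if its jar is not installed. */
    static Provider load(String className) {
        try {
            return (Provider) Class.forName(className)
                .getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
        } catch (Throwable t) {
            System.out.println("  (" + className + " not available: "
                + t.getClass().getName() + ")");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        dumpProviders("provider order as loaded from java.security");
        whoServes();

        // Runtime equivalent of the suggested java.security order: Sun's JSSE
        // provider directly behind SUN, IBM's JSSE provider dropped, IBM JCE last.
        Provider sunJsse = load(SUN_JSSE);
        Provider ibmJce  = load(IBM_JCE);
        Provider ibmJsse = load(IBM_JSSE);
        if (sunJsse != null) {
            Security.removeProvider(sunJsse.getName());
            Security.insertProviderAt(sunJsse, 2);
        }
        if (ibmJsse != null) {
            Security.removeProvider(ibmJsse.getName());
        }
        if (ibmJce != null) {
            Security.removeProvider(ibmJce.getName());
            Security.addProvider(ibmJce);
            // Database code that must use IBM's crypto should ask for the provider
            // by name, so it keeps working whatever the global order is.
            Cipher dbCipher = Cipher.getInstance("DES/CBC/PKCS5Padding", ibmJce.getName());
            System.out.println("  DB cipher pinned -> " + dbCipher.getProvider().getName());
        }

        dumpProviders("provider order after reordering at runtime");
        whoServes();
    }
}
```

Compile and run it with the same JRE Tomcat uses (javac ProviderOrderCheck.java && java ProviderOrderCheck); the first dump should match the numbered list in java.security, and the second should show SunJSSE serving TLS. Two caveats a practitioner would want: reordering with insertProviderAt, like editing java.security, changes provider selection for every caller in the JVM, so code that genuinely needs IBMJCE should request it by name as the pinned cipher line does; and if you do edit java.security, keep the security.provider.N numbers contiguous, because loading stops at the first missing number and every provider after the gap is silently ignored.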


 