The Bouncy Castle provider that comes with Access Manager can be used to handle greater key sizes. When enabling 4096k keys, ensure that you configure each component that uses the certificate. This key size is not available for the NetWare Access Gateway’s reverse proxies. However, if an identity provider uses 4k keys, the embedded service provider on the NetWare Access Gateway must be configured to trust the key.
The basic functionality for using cryptographic techniques in Java is provided by the Java Cryptography Architecture* (JCA) and Java Cryptography Extension* (JCE). This architecture is what is referred to as provider-based (pluggable) architecture. In this case, it means that the JCE and JCA provide a set of classes and interfaces that an application developer writes to, together with factories that enable the creation of the objects that conform to the interfaces and classes.
Because of various export and import restrictions in various geographies, the Java Development Kit (JDK*) download ships with a set of policy files that place certain restrictions on the key sizes that can be used. Key sizes are limited in general to 128 bits (except for the symmetric cipher Triple-DES), and RSA key generation is limited to 2,048 bits. The easiest way to deal with this restriction if it need not apply to you is to download the unrestricted policy files.
Navigate to the J2SE 1.4.2 Web site and locate Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2. Click to access the jce_policy-1_4_2.zip file. The JCE files are the only files you need to download, because Access Manager comes with the Bouncy Castle JAR files.
You must install the policy files in the Java runtime that you are using; you need root access or the assistance of a root user to do so.
Both Linux and NetWare Access Gateways include the Bouncy Castle provider .jar file installed in the embedded service provider. A standalone Administration Console server without an Identity Server can use the Bouncy Castle provider .jar file from an identity provider or embedded service provider.
Typically these files are installed (copied) in the JAVA_HOME/jre/lib/security directory, where JAVA_HOME is the home directory path of JVM used by Access Manager components. For example, /opt/novell/java.
IMPORTANT:Back up your Access Manager configuration, and copy the .zip file to a secure location on another machine (see Backup and Restore), and stop all Access Manager components.
Back up the following JCE (.jre jurisdiction policy) files:
/usr/lib/java/jre/lib/security
/opt/novell/java/jre/lib/security
Back up the following .jre (Bouncy Castle) files:
/usr/lib/java/jre/lib/ext
/opt/novell/java/jre/lib/ext
Copy the Bouncy Castle provider .jar file from
/var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib/bcprov-jdk14-128.jar
to
/opt/novell/j2sdk1.4.2_12/jre/lib/ext/bcprov-jdk14-128.jar.
Copy the JCE jurisdiction policy JAR files to /opt/novell/j2sdk1.4.2_12/jre/lib/security/.
Back up the following JCE (.jre jurisdiction policy) file:
/opt/novell/java/jre/lib/security
Back up the following .jre (Bouncy Castle) files:
/opt/novell/java/jre/lib/ext
Copy the Bouncy Castle provider .jar file from
/var/opt/novell/tomcat4/webapps/nesp/WEB-INF/lib/bcprov-jdk14-128.jar
to
/opt/novell/java/jre/lib/ext/bcprov-jdk14-128.jar.
Copy the JCE jurisdiction policy JAR files to /opt/novell/java/jre/lib/security/.
Copy the Bouncy Castle provider .jar file from
sys:\tomcat\4\webapps\nesp\web-inf\lib\bcprov-jdk14-128.jar
to
sys:\java\lib\ext\bcprov-jdk14-128.jar.
Copy the JCE jurisdiction policy JAR files to sys:\java\lib\security\.
Enable the provider by adding it to the java.security file in the JAVA_HOME/jre/lib/security directory.
This file contains a section that lists JCA/JCE providers with their precedence (among other things). Add the Bouncy Castle provider second in the list, as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
The list might be different, depending on which version of Java you have installed. Ensure that the Bouncy Castle provider is in the second position as shown in the list above. This alters the cryptographic behavior of any process using this JVM. Do not put the Bouncy Castle provider at the top of the list, because some Java system software packages rely on the Sun providers being the first ones in the list, and processing can stop working if they aren’t positioned correctly.
Restart all Access Manager components.
If your Identity Server is on the same machine as the Administration Console, you can verify 4k key support by creating a temporary certificate minted with the local CA that is 4k.
Log in to Access Manager.
Click
> .Click
to create a certificate, and leave the option enabled.Specify a valid name for the test certificate, such as test_4k.
Change the
to 4096.Click
.The system prompts you for a subject name, such as 4ktest.sso.novell.com.
You only need to specify a common name, and can leave other fields blank.
Click
twice.You can see the certificate in the list, if you click on it, the details are displayed. The key size should be 4096.
To verify 4k key support on an Access Gateway:
Export a public key certificate that has a 4k key size (such as the test certificate created to verify the Administration Console’s 4k key support described above.)
Import the public key certificate into the
tab.Add the public key certificate into the embedded service provider or identity provider trust store.
Use keytool to view the actual trust store on the embedded service provider or identity provider to determine if the 4k public key certificate was added to the keystore.
The embedded service provider keytool command for the Linux Access Gateway is:
/opt/novell/java/jre/bin/keytool -v -list -keystore /chroot/lag/opt/novell/devman/jcc/certs/esp/truststore.keystore
The identity provider keytool command is:
/opt/novell/j2sdk1.4.2_12/bin/keytool -v -list -keystore /opt/novell/devman/jcc/certs/idp/truststore.keystore