IBM Connections Plug-ins for Notes & SSL Certificate with RSA key greater than 2048

Before installing an SSL certificate on an IBM HTTP Server that is used for IBM Connections applications, keep in mind that if the RSA key size exceeds 2048, Notes users won’t be able to access the data in Connections using “IBM Connections Plug-ins for Notes” via HTTPS.

If you do, the following errors will appear in the Notes client:

Activities Error   Files Error

  • Cannot connect to the Activities Server. Either the URL is incorrect, the server is down, or a firewall may be preventing you from reaching the server. Check the URL, your firewall settings and the server status and try again.

Notes client trace log errors:

  • CWPST0306W: An exception occurred while invoking the target method login.
  • javax.security.auth.login.LoginException
  • javax.net.ssl.SSLKeyException: RSA premaster secret error
  • java.io.IOException: RSA premaster secret error
  • java.security.InvalidKeyException: Illegal key size or default parameters

The solution is to replace the Java policy files on the client with the unrestricted Java policy files. You can download the files needed from

https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US.

You can check the version with the “java -version” command. You should do that in order to determine which version of the Java policy files you need.

java -version

In this case I would download and use “Files for older versions of the SDK”, from the URL mentioned above.

IBM Unrestricted SDK JCE policy files

To exchange the Java policy files, just overwrite the files in “<Notes installation directory>\jvm\lib\security” with the downloaded files. After that the “IBM Connections Plug-ins for Notes” will work as expected.

You should also know that after updating the Notes client, the java policy files will be overwritten with default files and the problem will occur again.
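The swap described above, with a check for whether a client update has put the default files back, as an added example that is not from the original post or from IBM. The folder arguments, the `policy_orig` backup folder and the function names are assumptions of this example; the two jar names are the ones mentioned in the comments on this page.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# The two policy jars named on this page; they live in <Notes>\jvm\lib\security.
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")
BACKUP_DIR = "policy_orig"  # assumption: subfolder name chosen for this example

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def policy_state(sec_dir: Path, new_dir: Path) -> str:
    """Return 'unrestricted', 'default' or 'mixed' for the installed jars."""
    same = [_digest(sec_dir / n) == _digest(new_dir / n) for n in POLICY_JARS]
    return "unrestricted" if all(same) else "mixed" if any(same) else "default"

def install_unrestricted(sec_dir: Path, new_dir: Path) -> None:
    """Overwrite the installed jars, keeping the files they replace as backup."""
    backup = sec_dir / BACKUP_DIR
    backup.mkdir(exist_ok=True)
    for name in POLICY_JARS:
        current, wanted = sec_dir / name, new_dir / name
        if _digest(current) != _digest(wanted):  # never back up our own copy
            shutil.copy2(current, backup / name)
            shutil.copy2(wanted, current)

def restore_defaults(sec_dir: Path) -> None:
    """Put the backed-up default jars back, e.g. before a Notes upgrade."""
    backup = sec_dir / BACKUP_DIR
    missing = [n for n in POLICY_JARS if not (backup / n).exists()]
    if missing:
        raise FileNotFoundError(f"no backup for: {', '.join(missing)}")
    for name in POLICY_JARS:
        shutil.copy2(backup / name, sec_dir / name)

def demo() -> list:
    """Run the cycle on constructed stand-in files (not real policy jars)."""
    with tempfile.TemporaryDirectory() as tmp:
        sec, new = Path(tmp, "security"), Path(tmp, "unrestricted")
        for folder, tag in ((sec, b"default"), (new, b"unrestricted")):
            folder.mkdir()
            for name in POLICY_JARS:
                (folder / name).write_bytes(tag + name.encode())
        before = policy_state(sec, new)
        install_unrestricted(sec, new)
        swapped = policy_state(sec, new)
        restore_defaults(sec)
        return [before, swapped, policy_state(sec, new)]
```

If `policy_state` reports `default` again after a Notes client update, the update has replaced the jars and the swap has to be repeated.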

I tested and reproduced this issue on Notes 9.0.1 FP2, FP3 and FP4 clients.

I hope this will help you to take all precautions so that your Notes users won’t experience this error.

5 thoughts on “IBM Connections Plug-ins for Notes & SSL Certificate with RSA key greater than 2048”

  1. On the negative side, you would have to restore the original local_policy.jar and US_export_policy.jar before you can upgrade your Notes or the jvm patcher will fail.

    Liked by 1 person

  2. I struggled with this issue for a while before I figured out that the problem was caused by the SSL certificate. Pity this post didn’t show up in Google when I was searching. Maybe it will help if you put the Notes plugin error messages in the text in addition to the images?

    Liked by 1 person
