JDK-8160553 : nodemgr start up issue: jurisdiction policy files are not signed
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 7u101
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2016-06-29
  • Updated: 2016-07-01
  • Resolved: 2016-06-30
Description
Nodemanager is failing to start up due to the following error.

trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
<Jun 29, 2016 9:53:43 AM> <SEVERE> <Fatal error in node manager server>
java.lang.ExceptionInInitializerError
        at javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:178)
        at sun.security.ssl.JsseJce.getKeyAgreement(JsseJce.java:285)
        at sun.security.ssl.JsseJce.isEcAvailable(JsseJce.java:198)
        at sun.security.ssl.CipherSuite$KeyExchange.isAvailable(CipherSuite.java:376)
        at sun.security.ssl.CipherSuite.isAvailable(CipherSuite.java:194)
        at sun.security.ssl.SSLContextImpl.getApplicableCipherSuiteList(SSLContextImpl.java:339)
        at sun.security.ssl.SSLContextImpl.getDefaultCipherSuiteList(SSLContextImpl.java:290)
        at sun.security.ssl.SSLEngineImpl.init(SSLEngineImpl.java:388)
        at sun.security.ssl.SSLEngineImpl.<init>(SSLEngineImpl.java:340)
        at sun.security.ssl.SSLContextImpl.engineCreateSSLEngine(SSLContextImpl.java:197)
        at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:330)
        at weblogic.security.SSL.jsseadapter.JaSSLParameters.<init>(JaSSLParameters.java:49)
        at weblogic.security.SSL.jsseadapter.JaSSLServerSocket.<init>(JaSSLServerSocket.java:203)
        at weblogic.security.SSL.jsseadapter.JaSSLServerSocketFactory.createServerSocket(JaSSLServerSocketFactory.java:90)
        at weblogic.security.SSL.jsseadapter.JaSSLServerSocketFactory.createServerSocket(JaSSLServerSocketFactory.java:77)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:83)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:245)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:423)
        at weblogic.NodeManager.main(NodeManager.java:31)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
        at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:86)
        ... 19 more
Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!
        at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:289)
        at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:318)
        at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:263)
        at javax.crypto.JceSecurity.access$000(JceSecurity.java:48)
        at javax.crypto.JceSecurity$1.run(JceSecurity.java:78)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:76)
        ... 19 more
Comments
User had indeed installed JDK 6 unlimited JCE files instead of JDK 7 ones. JDK 7 JCE files are available at : http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

jar tvf output was indicating that jar contents were created in 2006 :

jar tvf US_export_policy.jar :
        176 Thu Nov 16 18:10:02 UTC 2006 META-INF/MANIFEST.MF
        269 Thu Nov 16 18:10:04 UTC 2006 META-INF/JCE_RSA.SF
        2015 Thu Nov 16 18:10:04 UTC 2006 META-INF/JCE_RSA.RSA
        0 Thu Nov 16 18:10:00 UTC 2006 META-INF/
        141 Thu Nov 16 18:09:58 UTC 2006 default_US_export.policy

That suggests that JDK 6 files were (incorrectly) installed in a JDK 7 install. JDK 7 JCE files have a 2011 date signature (currently)

jar tvf US_export_policy.jar
        176 Tue May 31 14:33:08 IST 2011 META-INF/MANIFEST.MF
        266 Tue May 31 14:33:08 IST 2011 META-INF/ORACLE_J.SF
        2019 Tue May 31 14:33:08 IST 2011 META-INF/ORACLE_J.RSA
        0 Tue May 31 14:10:28 IST 2011 META-INF/
        141 Tue May 31 13:27:12 IST 2011 default_US_export.policy

Closing.
30-06-2016

Should also make sure the Unlimited JCE files are for the right family. e.g. 7 for 7, 6 for 6. My guess is that they've stuck a 6 unlimited file into a 7. Should also get the jar's certs:

        jarsigner -verify -verbose -certs US_export_policy.jar
        jarsigner -verify -verbose -certs local_policy.jar
29-06-2016

Awaiting more configuration information from submitter. Unlimited JCE jurisdiction files may have been installed for strong crypto but there appears to be a problem with those files. I've asked for jar output from the following commands :

        jar tvf <JDK_HOME>/jre/lib/security/US_export_policy.jar
        jar tvf <JDK_HOME>/jre/lib/security/local_policy.jar
29-06-2016
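
The jar tvf comparison from the comments above, as an added example that is not part of the original report or of the JDK: it reads the signer file name and entry years from a policy jar and checks them against the expected JDK family. The signer-to-family mapping is taken only from the two listings in this report, and the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import zipfile

# Signer names as they appear in this report's jar listings (page-specific,
# not a general rule for every JCE policy release).
FAMILY_BY_SIGNER = {"JCE_RSA": "JDK 6", "ORACLE_J": "JDK 7"}


def describe_policy_jar(jar):
    """Return signer base names and entry years; no signature verification."""
    signers, years = set(), set()
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            years.add(info.date_time[0])
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                signers.add(name[len("META-INF/"):-len(".SF")])
    return {"signers": sorted(signers), "years": sorted(years)}


def check_family(jar, expected_family):
    """Return (ok, message): does the jar's signer match the expected family?"""
    info = describe_policy_jar(jar)
    if not info["signers"]:
        return False, "no META-INF/*.SF entry: jar is unsigned"
    families = {FAMILY_BY_SIGNER.get(s, "unknown") for s in info["signers"]}
    ok = families == {expected_family}
    return ok, "signers=%s years=%s family=%s" % (
        info["signers"], info["years"], sorted(families))


def constructed_jar(signer, year):
    """Constructed sample: in-memory jar with the entry names from the listings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "META-INF/%s.SF" % signer,
                     "META-INF/%s.RSA" % signer, "default_US_export.policy"):
            entry = zipfile.ZipInfo(name, date_time=(year, 1, 1, 0, 0, 0))
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for signer, year in (("JCE_RSA", 2006), ("ORACLE_J", 2011)):
        print(check_family(constructed_jar(signer, year), "JDK 7"))
```

Pass a real path such as the US_export_policy.jar under the JRE's lib/security directory in place of the constructed jar; jarsigner -verify remains the check of the signature itself.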