Technical Blog Post
Abstract
50 DB2 Nuggets #15 : Tech Tip - Implementing encryption from DB2 JDBC program running with ORACLE Java
Body
Hi All!
I had the opportunity to implement AES encryption from a Java program using a DB2 JDBC driver with ORACLE Java. Here are all the steps I took:
1> On the client machine, I installed ORACLE Java 7:
http://www.oracle.com/technetwork/java/javase/archive-139210.html
C:\Program Files\Java\jdk1.7.0_45\jre\bin>java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode, sharing)
2> On the server, I changed the configuration as below to support AES encryption:
[db2v97@ts-carose ~]$ db2 get dbm cfg | grep auth
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
Database manager authentication (AUTHENTICATION) = SERVER_ENCRYPT
Alternate authentication (ALTERNATE_AUTH_ENC) = AES_ONLY
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
Bypass federated authentication (FED_NOAUTH) = NO
More information about DB2 Server's authentication types can be found here
3> On the client, I created a sample connection program, ConnectSample.java, with the code below:
// Load the DB2 JCC driver
Class.forName("com.ibm.db2.jcc.DB2Driver").newInstance();
// securityMechanism=9 (encrypted user ID and password) with encryptionAlgorithm=2 (AES)
String url = "jdbc:db2://hostName:portNumber/DBName:securityMechanism=9;encryptionAlgorithm=2;";
Connection con = DriverManager.getConnection(url, "userName", "password");
System.out.println("Connected to Server");
con.close();
More information on the securityMechanism and encryptionAlgorithm properties can be found here
4> I compiled and ran ConnectSample.java and got the same error as yours, i.e. 4221 InvalidKeyException.
C:\Program Files\Java\jdk1.7.0_45\jre\bin>java ConnectSample
Exception: com.ibm.db2.jcc.am.SqlException: [jcc][1068][10625][4.15.82] Caught java.security.InvalidKeyException while encrypting data. See attached Throwable for details. ERRORCODE=-4221, SQLSTATE=null
com.ibm.db2.jcc.am.SqlException: [jcc][1068][10625][4.15.82] Caught java.security.InvalidKeyException while encrypting data. See attached Throwable for details. ERRORCODE=-4221, SQLSTATE=null
at com.ibm.db2.jcc.am.fd.a(fd.java:680)
at com.ibm.db2.jcc.am.fd.a(fd.java:60)
at com.ibm.db2.jcc.am.fd.a(fd.java:85)
at com.ibm.db2.jcc.am.rc.a(rc.java:557)
at com.ibm.db2.jcc.am.rc.a(rc.java:497)
at com.ibm.db2.jcc.t4.b.h(b.java:2837)
at com.ibm.db2.jcc.t4.b.a(b.java:6491)
at com.ibm.db2.jcc.t4.b.b(b.java:844)
at com.ibm.db2.jcc.t4.b.a(b.java:761)
at com.ibm.db2.jcc.t4.b.a(b.java:424)
at com.ibm.db2.jcc.t4.b.a(b.java:399)
at com.ibm.db2.jcc.t4.b.<init>(b.java:337)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:232)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:198)
at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:475)
at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:116)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:215)
at ConnectSample.main(ConnectSample.java:10)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1024)
at javax.crypto.Cipher.implInit(Cipher.java:790)
at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
at javax.crypto.Cipher.init(Cipher.java:1348)
at javax.crypto.Cipher.init(Cipher.java:1282)
at com.ibm.db2.jcc.am.rc.a(rc.java:552)
... 15 more
This is because AES encryption requires an unrestricted policy file for JCE. For the IBM SDK for Java, the file is available at the following location:
https://www.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
5> I downloaded the JCE Unlimited Strength Jurisdiction Policy File for ORACLE Java from the Internet. This is the link for the Java 6 JCE files:
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Once the Unlimited JCE files are downloaded, unzip the archive. It will have 3 files:
README.txt
local_policy.jar
US_export_policy.jar
6> I renamed the existing local_policy.jar and US_export_policy.jar in jre\lib\security to something else, then copied the new local_policy.jar and US_export_policy.jar from the Unlimited JCE files to jre\lib\security.
Then I ran my ConnectSample.java again:
C:\Program Files\Java\jdk1.7.0_45\jre\bin>java ConnectSample
Connected to Server
Yuppie! I am sending encrypted user id and password over the wire!
Thank you for reading!
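A preflight check for the policy-file problem described in steps 4 to 6, as an added example that is not part of the original post: it reports which JRE is actually running and whether its JCE policy accepts an AES key above 128 bits. The class name JcePolicyCheck and the 256-bit probe size are assumptions made for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;

// Added example: reports whether the running JRE's JCE policy permits AES keys
// larger than 128 bits, the condition behind "Illegal key size" above.
public class JcePolicyCheck {

    // Assumption: 256 bits is used as the probe size because it exceeds the
    // 128-bit AES ceiling of the default (restricted) policy files.
    static final int PROBE_KEY_BITS = 256;

    static boolean policyAllows(int keyBits) throws Exception {
        // Integer.MAX_VALUE is returned when the unlimited policy files are installed.
        return Cipher.getMaxAllowedKeyLength("AES") >= keyBits;
    }

    static boolean canInitAes(int keyBits) throws Exception {
        // All-zero key: constructed test input, never used to protect data.
        SecretKeySpec key = new SecretKeySpec(new byte[keyBits / 8], "AES");
        try {
            // Encrypt mode without an IV: the provider generates a random one.
            Cipher.getInstance("AES/CBC/PKCS5Padding").init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            // Same exception type the JDBC driver wrapped in ERRORCODE=-4221.
            System.out.println("Cipher.init rejected key: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE (and so which lib/security directory) is in use.
        System.out.println("java.home        = " + System.getProperty("java.home"));
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));
        boolean allowed = policyAllows(PROBE_KEY_BITS);
        boolean initOk = canInitAes(PROBE_KEY_BITS);
        System.out.println(allowed && initOk
            ? "Unrestricted policy active: large AES keys are allowed."
            : "Restricted policy active: replace local_policy.jar and "
              + "US_export_policy.jar in this JRE's lib/security directory.");
        System.exit(allowed && initOk ? 0 : 1);
    }
}
```

Run it with the same java executable that launches the JDBC program; if java.home points at a different JRE than the one whose policy files were replaced, the check will still report the restricted policy.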
UID
ibm11141558