How To
Summary
By default the IBM SDK provides strong but limited jurisdiction policy files. That can become a problem for ITNCM when the devices it is working with are configured with stronger algorithms. This document details how to install the Unlimited Strength policy files.
Steps
The official documentation is available at IBM SDK, Java Technology Edition 7.0.0 / Security Guide / IBM SDK Policy files; however, the SDK that ITNCM uses is from WebSphere and doesn't contain the demo/jce/policy-files/unrestricted subdirectory mentioned there.
First, check whether you need to install the Unlimited Strength policy files.
netcool$ cd /opt/IBM/tivoli/netcool/ncm/jre/bin
netcool$ ./jrunscript -e 'k="AES/CBC/PKCS5Padding";java.lang.System.out.println("maxAllowedKeyLength("+k+")="+javax.crypto.Cipher.getMaxAllowedKeyLength(k)+"\n");'
maxAllowedKeyLength(AES/CBC/PKCS5Padding)=128
If the maxAllowedKeyLength is 128 as shown above, begin the process of downloading the Unlimited Strength policy files. As of writing, the link is https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk. Once logged in, select "Java 5.0 SR16, Java 6 SR13, Java 6 SR5 (J9 VM2.6), Java 7 SR4, Java 8 GA, and all later releases".
You should now have a download called unrestrictedpolicyfiles.zip which you should upload to all ITNCM servers that process UOWs, placing the ZIP in the home directory of the user that installed ITNCM.
To install the policy files, use the commands below:
netcool$ cd /opt/IBM/tivoli/netcool/ncm/jre/jre/lib/security
netcool$ cp local_policy.jar local_policy.jar.limited
netcool$ cp US_export_policy.jar US_export_policy.jar.limited
netcool$ unzip ~/unrestrictedpolicyfiles.zip
Archive: /home/netcool/unrestrictedpolicyfiles.zip
replace US_export_policy.jar? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: US_export_policy.jar
replace local_policy.jar? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: local_policy.jar
You can use the command below to verify that the Unlimited Strength policy files have been correctly installed, for example:
netcool$ cd /opt/IBM/tivoli/netcool/ncm/jre/bin
netcool$ ./jrunscript -e 'k="AES/CBC/PKCS5Padding";java.lang.System.out.println("maxAllowedKeyLength("+k+")="+javax.crypto.Cipher.getMaxAllowedKeyLength(k)+"\n");'
maxAllowedKeyLength(AES/CBC/PKCS5Padding)=2147483647
If the return is 2147483647 the Unlimited Strength policy files have been installed correctly.
With the Unlimited Strength policy files installed, restart ITNCM so that the change is available to UOWs, IDT, and AutoDiscovery (autodiscover.sh).
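The backup, install and verify steps above as a script that is safe to rerun. This is an added example, not part of the IBM document: the function names are hypothetical, and it assumes the ZIP has already been extracted to a staging directory rather than unzipped in place.

```shell
#!/bin/sh
# Added example, not from the IBM document; function names are hypothetical.
JARS="local_policy.jar US_export_policy.jar"

# backup_policy_jars SECURITY_DIR
# Save each shipped JAR as <name>.limited, but never overwrite an existing
# backup: on a rerun the live JARs are already the unlimited ones, and a
# plain cp would destroy the only copy of the original limited files.
backup_policy_jars() {
    for jar in $JARS; do
        [ -f "$1/$jar" ] || { echo "missing $1/$jar" >&2; return 1; }
        if [ -e "$1/$jar.limited" ]; then
            echo "keeping existing $jar.limited" >&2
        else
            cp -p "$1/$jar" "$1/$jar.limited" || return 1
        fi
    done
}

# install_policy_jars STAGING_DIR SECURITY_DIR
# STAGING_DIR holds the JARs extracted beforehand (assumption), e.g. with
#   unzip ~/unrestrictedpolicyfiles.zip -d STAGING_DIR
install_policy_jars() {
    for jar in $JARS; do   # refuse to start with an incomplete download
        [ -s "$1/$jar" ] || { echo "missing $1/$jar" >&2; return 1; }
    done
    backup_policy_jars "$2" || return 1
    for jar in $JARS; do
        cp "$1/$jar" "$2/$jar" || return 1
    done
}

# is_unlimited_output TEXT
# True when the check command's output ends in "=2147483647"
# (Integer.MAX_VALUE, the value the document treats as success).
is_unlimited_output() {
    [ "${1##*=}" = 2147483647 ]
}

# policy_is_unlimited JRE_BIN_DIR: run the document's check and parse it.
policy_is_unlimited() {
    out=$("$1/jrunscript" -e 'k="AES/CBC/PKCS5Padding";java.lang.System.out.println("maxAllowedKeyLength("+k+")="+javax.crypto.Cipher.getMaxAllowedKeyLength(k)+"\n");') || return 2
    is_unlimited_output "$out"
}
```

For example, `install_policy_jars ~/policy-staging /opt/IBM/tivoli/netcool/ncm/jre/jre/lib/security` followed by `policy_is_unlimited /opt/IBM/tivoli/netcool/ncm/jre/bin`, where `~/policy-staging` is a placeholder path.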
Document Location
Worldwide
Document Information
Modified date:
13 April 2020
UID
ibm16173229