IBM Support

After upgrade to Java 8.0.6.25 I am running into "(thirdparty).jar is not signed by a trusted signer", "JCE cannot authenticate the provider", "JCE Exception: JCE is not installed properly"

Question & Answer


Question

I upgraded my WebSphere to 8.5.5.19, which also upgraded my Java version to 8.0.6.25, and I am getting an exception.

Example error message 1:
"(thirdparty).jar is not signed by a trusted signer"
Example error message 2:
"JCE cannot authenticate the provider"
Example error message 3:
"JCE Exception: JCE is not installed properly"


More examples of error messages:
-----------

  • JCE cannot authenticate the provider JsafeJCE cryptojce.jar is not signed by a trusted signer java.lang.RuntimeException: java.lang.SecurityException: JCE cannot authenticate the provider IngrianProvider
  • SystemErr R java.io.IOException: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC
  • Java.lang.SecurityException: JCE cannot authenticate the provider LunaProvider
  • Java.lang.SecurityException: JCE cannot authenticate the provider IAIK
  • Caused by: iaik.pkcs.PKCSException: java.security.NoSuchProviderException: JCE cannot authenticate the provider IAIK
  • Java.lang.SecurityException: JCE cannot authenticate the provider Entrust
  • JCE cannot authenticate the provider SunJCE

-----------
How can I resolve this error in WebSphere Application Server on distributed operating systems?
AIX, Linux, Windows, Solaris.

The issue occurs on Java version 7.0 SR10 FP75, 7.1 SR4 FP75 and 8.0 SR6 FP25
 
7.0.10.75 and later
7.1.4.75 and later
8.0.6.25 and later

Cause

The third-party provider is signed with Oracle's JCE Code Signing certificate, which we (IBM Java Security) trust. However, that certificate has expired and Oracle has created a new one. IBM removed the trust for the expired certificate in recent versions. For IBM to trust the provider, you need to load the correct, updated version of the provider, which includes Oracle's newest JCE code signing certificate.

IJ26310: ADD THE NEW ORACLE SIGNER CERTIFICATE
https://www.ibm.com/support/pages/apar/IJ26310

Certificate in question:
  Owner: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
    Issuer: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
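
To see which certificates signed a given provider JAR and whether any of them has expired, a small diagnostic like the following can be run against the JAR and its Issuer lines compared with the certificate named above. This is an added example, not IBM or vendor code; the class name JarSignerCheck and the JAR path passed as the first argument are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: lists the code-signing certificates found in a provider JAR.
// Usage: java JarSignerCheck /path/to/provider.jar   (path is supplied by you)
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        Set<X509Certificate> certs = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        // verify=true makes JarFile check each entry's signature as it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                // Signers are only available after the entry is read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry or META-INF file
                for (CodeSigner s : signers)
                    for (Certificate c : s.getSignerCertPath().getCertificates())
                        certs.add((X509Certificate) c);
            }
        }
        if (certs.isEmpty()) {
            System.out.println("No signed entries: JAR is unsigned");
            return;
        }
        Date now = new Date();
        for (X509Certificate c : certs) {
            System.out.println("Subject  : " + c.getSubjectX500Principal().getName());
            System.out.println("Issuer   : " + c.getIssuerX500Principal().getName());
            System.out.println("Valid to : " + c.getNotAfter()
                + (c.getNotAfter().before(now) ? "  (EXPIRED)" : ""));
            System.out.println();
        }
    }
}
```

This only reports what is embedded in the JAR's signature; whether the JCE framework accepts the provider still depends on the signer certificates trusted by the installed Java version.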

Answer

  • IBM does not support the use of third-party JCE providers. Our recommended approach is to use the IBM JCE that WebSphere is shipped with during installation.
  • If using the third-party JCE implementation is essential in your specific environment, you need to contact the third-party JCE support team for resolution.
  • IBM cannot assist with a third-party JCE implementation because we do not own the code, we do not know how the code works, and we have no access to the code.
  • Typically the resolution is to get a new updated third-party .jar file from your third-party JCE support team with the newly renewed certificate in place.
  • Here is our public documentation that states "IBM does not support problems with Sun's or other third-party JCE code. Only the IBM JCE providers are supported."

Support For Sun's JSSE or JCE Provider In WebSphere
https://www.ibm.com/support/pages/support-suns-jsse-or-jce-provider-websphere


Document Information

Modified date:
10 January 2022

UID

ibm16508828