
SAP Knowledge Base Article

2881916 - Unable to encrypt SSL message: java.security.InvalidKeyException: Illegal key size


Component: BC-JAS-SEC-CPG (Cryptography), Version: 2, Released On: 14.04.2020

Symptom
When an application call that uses IAIK SSL for HTTPS is executed, you receive an error such as the following:

Exception caught by adapter framework: java.io.IOException: Failed to get the input stream from socket: java.io.IOException: Fatal SSL handshake error: java.lang.RuntimeException: Unable to create cipher AES/CBC/NoPadding: java.security.InvalidKeyException: Illegal key size#
com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: java.io.IOException: Fatal SSL handshake error: java.lang.RuntimeException: Unable to create cipher AES/CBC/NoPadding: java.security.InvalidKeyException: Illegal key size
#BC-JAS-COR#kernel.sda#C0000A8E2408001700000005000056E6#95152750000009686##com.sap.engine.core.service630.container.ContainerObjectRegistry#209f8b0e37ac11eab70d000005abea6e0#Service Stopper [com.adobe~DocumentServicesBinariesSSL2]#Plain##
Service interface for service com.adobe~DocumentServicesBinariesSSL2 is not registered in registry and cannot be removed.#
Failed to get the input stream from socket: iaik.security.ssl.SSLException: Unable to encrypt SSL message: java.security.InvalidKeyException: Illegal key size
iaik.security.ssl.SSLException: Unable to encrypt SSL message: java.security.InvalidKeyException: Illegal key size
    at iaik.security.ssl.SSLTransport.startHandshake(SourceFile:571)
    at iaik.security.ssl.SSLTransport.getInputStream(SourceFile:658)
    at iaik.security.ssl.SSLSocket.getInputStream(SourceFile:395)
java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLException: Unable to encrypt SSL message: java.security.InvalidKeyException: Illegal key size

The above example comes from the Adobe Document Services application, but the error can occur in any application using HTTPS. The cipher suite named in the error may differ. Possibly the following notes have been implemented for TLS1.2, ECDHE cipher suite support, SHA384withRSA and SHA512withRSA. Additionally, the SSLContext.properties file might be configured to handle custom cipher suites that the vendor system allows:

2284059 - Update of SSL library within NW Java server

2540433 - Update of SSL library within NW Java server

2708581 - ECC Support for Outbound Connections in SAP NW AS Java

Environment
SAP NetWeaver Composition Environment 7.1
SAP enhancement package 1 for SAP NetWeaver Composition Environment 7.1
SAP NetWeaver Composition Environment 7.2
SAP NetWeaver 7.3
SAP enhancement package 1 for SAP NetWeaver 7.3
SAP NetWeaver 7.4
SAP NetWeaver 7.5

Reproducing the Issue


Make an HTTPS call from an application running on NetWeaver Java to some other system.

Cause
The JCE policy files on the server are the limited ones and do not allow the particular cipher/key size.

Resolution
In SAP JVM versions higher than 6.1.105, 7.1.053 and 8.1.034, and in all SAP JVM versions >= 9, you can simply uncomment the parameter #crypto.policy = unlimited in the java.security file found at <JDK dir>/jre/lib/security/java.security. For older JVM versions, you need to download and install the unlimited JCE policy files. A restart of the Java instances is required afterwards.
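
To confirm which policy a JVM actually enforces, before and after the change, the following check can be run with the same JVM the instance uses. It is an added example, not part of the SAP note; the class name JcePolicyCheck is hypothetical, and the all-zero key and IV are constructed test values.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic, not SAP code. Avoids Java 7+ syntax so it also
// compiles on older JVM versions.
public class JcePolicyCheck {

    // Initialise the transformation named in the error message with a key
    // of the given size and report whether the policy permits it.
    static String tryAes(int keyBits) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            // All-zero key and IV: constructed values, never used to protect data.
            c.init(Cipher.ENCRYPT_MODE,
                   new SecretKeySpec(new byte[keyBits / 8], "AES"),
                   new IvParameterSpec(new byte[16]));
            return "OK";
        } catch (InvalidKeyException e) {
            // Under the limited policy this is "Illegal key size".
            return "BLOCKED (" + e.getMessage() + ")";
        } catch (Exception e) {
            return "ERROR (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home       = " + System.getProperty("java.home"));
        System.out.println("java.version    = " + System.getProperty("java.version"));
        // null means the property is absent or still commented out in java.security.
        System.out.println("crypto.policy   = " + Security.getProperty("crypto.policy"));

        // Integer.MAX_VALUE is returned when the unlimited policy is in effect.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = (max == Integer.MAX_VALUE);
        System.out.println("max AES key len = " + (unlimited ? "unlimited" : max + " bits"));

        int[] sizes = {128, 192, 256};
        for (int i = 0; i < sizes.length; i++) {
            System.out.println("AES-" + sizes[i] + " init    : " + tryAes(sizes[i]));
        }
        // Non-zero exit code lets a script flag JVMs that still need the fix.
        System.exit(unlimited ? 0 : 1);
    }
}
```

Compile and run it with the javac and java binaries of the JDK directory the instance uses, since another JVM on the same host may have a different policy. The running server only picks up the change after the restart.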

See Also
1240081 - Java Cryptography Extension (JCE) Jurisdiction Policy Files

Keywords
mandatory, ciphersuite, ciphersuites, custom

Products


SAP NetWeaver 7.3

SAP NetWeaver 7.4

SAP NetWeaver 7.5

SAP NetWeaver Application Server for Java 7.1


SAP NetWeaver Application Server for Java 7.2

SAP enhancement package 1 for SAP NetWeaver 7.3

SAP enhancement package 1 for SAP NetWeaver Application Server for Java 7.1

This document refers to


SAP Note/KBA Title

2708581 ECC Support for Outbound Connections in SAP NW AS Java

2540433 Update of SSL library within NW Java server

2284059 Update of SSL library within NW Java server

1240081 Java Cryptography Extension (JCE) Jurisdiction Policy Files
