Search code examples
javaweblogicbusiness-objectsfips

How to make Weblogic 11gR2 (10.3.3) FIPS-140 compliant

our Ear application is hosted on a Weblogic 10.3.3 server.

This app is interacting with a BO 4.1 and we have this error now trying to connect to it :

    com.tranme.guide.commonservices.report.InteractionBOException: com.crystaldecisions.sdk.exception.SDKException$ConfidentialChannelFailed: Impossible d'굡blir un canal confidentiel. (FWM 02119)
cause:com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
detail:Impossible d'굡blir un canal confidentiel. (FWM 02119) Cryptographic library is not FIPS-140-compliant.
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getReportInfoObjectsByReportName(CrystalReportHelper.java:515)
  at com.tranme.guide.notificationmgt.manager.reports.util.ReportManagementTools.getReportInstanceStatuses(ReportManagementTools.java:81)
  at com.tranme.guide.notificationmgt.manager.reports.util.ReportManagementTools.getGenerationStatusResults(ReportManagementTools.java:51)
  at com.tranme.guide.notificationmgt.manager.BaseNotificationManager.updateReportGenerationStatus(BaseNotificationManager.java:217)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl.updateReportGenerationStatus(NotificationManagementFacadeBeanImpl.java:123)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl.updateReportGenerationStatus(NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl.java:140)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
  at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
  at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
  at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: com.crystaldecisions.sdk.exception.SDKException$ConfidentialChannelFailed: Impossible d'굡blir un canal confidentiel. (FWM 02119)
cause:com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
detail:Impossible d'굡blir un canal confidentiel. (FWM 02119) Cryptographic library is not FIPS-140-compliant.
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:199)
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.createConfidentialChannel(ConfidentialChannelService.java:145)
  at com.crystaldecisions.sdk.occa.security.internal.CCMap.locateCCItem(CCMap.java:63)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:845)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:805)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:210)
  at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:166)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody0(SessionMgr.java:454)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody1$advice(SessionMgr.java:512)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:1)
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getSession(CrystalReportHelper.java:156)
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getReportInfoObjectsByReportName(CrystalReportHelper.java:502)
  ... 15 more
Caused by: com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
  at com.businessobjects.bcm.internal.BcmRsaLib.CheckStartupErrors(BcmRsaLib.java:28)
  at com.businessobjects.bcm.internal.DHKeyAgreeImpl.<init>(DHKeyAgreeImpl.java:22)
  at com.businessobjects.bcm.BCM.createKeyAgreement(BCM.java:1080)
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:175)
  ... 26 more

The BO SDK lib are in weblogic classpath (this is how the dev before me decided to implement them).

I've already tried solution proposed by SAP's forum without any luck.

Solution

  • WLS 11G needs these things to be configured for FIPS-compliant SSL connections:

    • cryptojFIPS.jar is added to the PRE_CLASSPATH variable (this does something similar to what the SAP forum suggested)
    • The command line argument -Dweblogic.security.SSL.nojce=true is specified.
    • The JVM has unlimited-strength JCE (more details here for WLS12C but the steps are similar). This might already be set up.