Connection to UCMDB DB schema on Oracle RAC fails with stacktrace in error.log

  • KM02890487
  • 24-Jul-2017
  • 24-Jul-2017

Summary

When the customer attempts to connect to an existing Oracle RAC schema using the configuration wizard and configures it correctly as per the guide, he receives the following stacktraces in error.log, indicating that he must deploy the JCE jurisdiction policy files.

Question

Stacktraces indicating the problem in error.log

[main] ERROR Error getting connection from pool, due to exception: com.mercury.topaz.cmdb.shared.base.CmdbException: [ErrorCode [-2147483648] undefined error code]
java.sql.SQLException: [mercury][Oracle JDBC Driver]Failure due to insufficient maximum key length according to the installed JCE jurisdiction policy files. Please install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

[main] ERROR Failed to execute command [com.mercury.topaz.cmdb.server.manage.dal.dao.DaoFactory$TransactionProxy$ProxyDalAbstractCommand@365f6757] time [865 ms] customer ID [null] operation stack [N/A]
com.mercury.topaz.cmdb.server.manage.dal.CmdbDalException: [ErrorCode [2] Couldn't connect to database]
Error getting connection from pool, due to exception: com.mercury.topaz.cmdb.shared.base.CmdbException: [ErrorCode [-2147483648] undefined error code]
java.sql.SQLException: [mercury][Oracle JDBC Driver]Failure due to insufficient maximum key length according to the installed JCE jurisdiction policy files. Please install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
    

Answer

Configure JDK to Use the Unlimited Strength Java Cryptography Jars

PPM Centre supports control over the encryption suites used by its SSL (TLS) sockets. This can be specified by the server configuration parameter SSL_ENCRYPTION_SUITES. The value for this parameter should contain a comma-separated list of the encryption suites to be made available to PPM Centre. These should be specified using the standard SSL/TLS cipher suite names. For example, to specify that it should only establish connections using the TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipher suite:

com.kintana.core.server.SSL_ENCRYPTION_SUITES=TLS_DHE_RSA_WITH_AES_256_CBC_SHA

If using AES256 or similarly strong encryption, the JDK used by both the server and the client must be configured to use the unlimited strength Java cryptography jars, if this is permissible in your jurisdiction and under US export laws. The SSL_ENCRYPTION_SUITES parameter only impacts the encryption algorithm used for Java™ Remote Method Invocation (RMI) traffic. There is no impact on HTTPS (SSL) encryption, nor on how passwords and sensitive data are encrypted.

To configure your JDK to use the unlimited strength Java cryptography jars:
1. Go to http://www.oracle.com/technetwork/java/javase/downloads/index.html.
2. Scroll down to the end of the page and download the unlimited strength Java cryptography jars that match your JDK version.
For JDK 1.7.0, download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 (UnlimitedJCEPolicyJDK7.zip).
3. Extract the downloaded zip package.
4. Copy the local_policy.jar and US_export_policy.jar files to the <JDK_HOME>/jre/lib/security directory on both your server side and client side to replace the existing files.
If you enabled secure RMI and are using a high strength encryption suite, such as AES256, make sure to follow the steps above to install the unlimited jars on machines which will run workbench.
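
To confirm that the replaced policy jars took effect, the following check can be run on each server and client machine. It is an added example, not part of the original article or the product; the class name JcePolicyCheck is hypothetical, and the jar path and suite name are the ones given above.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.io.File;
import java.util.Arrays;
import java.util.Date;

public class JcePolicyCheck {
    // Suite name taken from the SSL_ENCRYPTION_SUITES example above.
    static final String SUITE = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";

    /** True when the installed jurisdiction policy permits AES keys of at least 256 bits. */
    static boolean aes256Allowed() throws Exception {
        // Returns 128 under the limited policy, Integer.MAX_VALUE when unlimited.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** True when this JVM's default TLS context is able to offer the given suite. */
    static boolean suiteSupported(String suite) throws Exception {
        String[] supported =
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(supported).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println("java.home    = " + home);
        System.out.println("java.version = " + System.getProperty("java.version"));

        // When launched from a JDK, java.home is <JDK_HOME>/jre, so this is the
        // directory named in step 4. Other JDK layouts may place the files elsewhere.
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(home, "lib/security/" + jar);
            System.out.println(f + (f.isFile()
                ? "  modified " + new Date(f.lastModified())
                : "  NOT FOUND"));
        }

        boolean keyOk = aes256Allowed();
        boolean suiteOk = suiteSupported(SUITE);
        System.out.println("max AES key length   = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 permitted    = " + keyOk);
        System.out.println(SUITE + " supported = " + suiteOk);

        // Non-zero exit lets a deployment script stop before the server is started.
        System.exit(keyOk && suiteOk ? 0 : 1);
    }
}
```

Compile and run it with the same JDK that the server or workbench client starts under; a different Java installation on the same machine has its own policy files and would give a misleading result.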