
Our application uses Bouncy Castle. I am now attempting to deploy my app on WebSphere Liberty Profile and am getting the error below:

```
[err] java.io.IOException: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC
[err]   at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
[err]   at java.security.KeyStore.load(KeyStore.java:1214)
[err]   at com.manh.jwt.JwtKeyManager.loadPrivateKeyByIssuer(JwtKeyManager.java:213)
```

So instead of having the Bouncy Castle jar in the WEB-INF/lib dir, I created a shared lib and added this library as a privateLibraryRef to my web application. I still get the same error.

Here is my server.xml for your reference.

```xml
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>servlet-3.0</feature>
    </featureManager>
    <webContainer deferServletLoad="false" />
    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="20000"
                  httpsPort="9443" />

    <library id="configResources">
        <folder dir="${server.config.dir}/conf" />
    </library>

    <library id="bc">
        <fileset dir="${server.config.dir}/bclib" includes="*.jar" />
    </library>

    <webApplication name="scope" location="scope.war" contextRoot="/">
        <classloader privateLibraryRef="configResources, bc" />
    </webApplication>
</server>
```

Is there any other setting that I can try to get this working?

Palanivelrajan
  • possible duplicate of [bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC](http://stackoverflow.com/questions/9534512/bouncycastle-jboss-as7-jce-cannot-authenticate-the-provider-bc) – Brett Kail Jul 25 '14 at 23:58
  • I know nothing about Bouncy Castle, but from searching around, I would use this solution: http://stackoverflow.com/a/17400821/142446 As an alternative to modifying the JDK image, you could set -Djava.ext.dirs in jvm.options to point to some other directory. – Brett Kail Jul 25 '14 at 23:58
  • Thanks @bkail for the info. It works if you modify the java.security file. We cannot do it since our deployment does not have access to the Java installation directory. We wanted to add the provider dynamically as documented in http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation. This does not work in WebSphere Liberty Profile. – Palanivelrajan Jul 27 '14 at 04:42
  • And the first link that you provided is for JBoss. This is for WebSphere Liberty Profile. – Palanivelrajan Jul 27 '14 at 04:43
  • The first link is for "if you change from *JBoss* to [an]other [server]", such as Liberty. If modifying the java installation directory is not an option, then I suggest using -Djava.ext.dirs in jvm.options to point to a different directory. – Brett Kail Aug 01 '14 at 13:47

1 Answer


Here is the magic to get Bouncy Castle cryptography to work with WAS Liberty, which should work for the stacked products as well.

  1. Create a "jvm.options" file in the server's working directory. In a default installation, this would be wlp/usr/servers/
  2. Add the following to the "jvm.options" file.
    a. -Djava.ext.dirs= //I tested this with /opt/fun/libs and wlp/usr/servers/defaultServer and wlp/usr/servers/defaultServer/libs. All three worked. If I included a path to a WEB-INF/lib directory it failed.
    b. -Dorg.osgi.framework.bootdelegation=org.bouncycastle.jce.provider
  3. Copy the bouncy castle jar from the WEB-INF/lib directory to the java.ext.dirs defined directory (above).
  4. Stop and start the server, since you are changing JVM arguments.
  5. Test the application or stacked product.
  • and of course, you steal the glory from me.. :-P I will add that this configuration is not supported by the IBM JDK (yet -- please open an RFE if you think this is important), and so using the Oracle JDK would be better. – ebullient Sep 01 '15 at 14:52
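
To confirm which copy of the Bouncy Castle jar the server actually loaded after applying the steps above, the following diagnostic (an added example, not code from the question or the answer) reports where the provider class came from and repeats the Mac construction that fails in the question's stack trace. The class name `BcProviderCheck`, the method `check()` and the choice of `HmacSHA1` are assumptions made for illustration.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;

/** Added diagnostic (hypothetical class): reports how the BC provider was loaded. */
public class BcProviderCheck {

    // Loaded reflectively so this file compiles without the Bouncy Castle jar present.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    public static String check() {
        StringBuilder out = new StringBuilder();
        out.append("java.ext.dirs = ").append(System.getProperty("java.ext.dirs")).append('\n');
        try {
            Class<?> cls = Class.forName(BC_CLASS);
            // The jar location and class loader show whether the copy in use came from
            // the extension directory, a shared library, or WEB-INF/lib.
            CodeSource src = cls.getProtectionDomain().getCodeSource();
            out.append("loaded from   = ")
               .append(src == null ? "<unknown>" : String.valueOf(src.getLocation())).append('\n');
            out.append("class loader  = ").append(cls.getClassLoader()).append('\n');

            Provider bc = Security.getProvider("BC");
            if (bc == null) {
                // Dynamic registration, as the asker wanted to do.
                bc = (Provider) cls.getDeclaredConstructor().newInstance();
                Security.addProvider(bc);
                out.append("registered    = dynamically via Security.addProvider\n");
            } else {
                out.append("registered    = already present\n");
            }
            // javax.crypto factories are where the JCE authenticates the provider.
            Mac.getInstance("HmacSHA1", bc);
            out.append("result        = OK, JCE accepted the provider\n");
        } catch (ClassNotFoundException e) {
            out.append("result        = BC class not visible to this class loader\n");
        } catch (SecurityException e) {
            out.append("result        = FAILED, ").append(e.getMessage()).append('\n');
        } catch (Exception e) {
            out.append("result        = ERROR, ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(check());
    }
}
```

Call `check()` from inside the web application (for example from a servlet) rather than from a separate JVM, because the result depends on the class loader that the application sees.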