Does not apply to Identity Cloud

Illegal key size error when using a key encrypted with AES256 for SAML federation in AM 5.x and 6.x

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you receive an "Illegal key size" error when using a key with 256-bit AES encryption for SAML federation in AM. This error can occur regardless of whether AM is acting as the IdP or the SP.



Symptoms

One of the following errors is shown in the Federation debug log depending on whether AM is acting as the IdP or SP:

  • Acting as the IdP and sending the response to the SP:
    ERROR: FMEncProvider.encrypt: Failed to do the final data encryption.
    com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size or default parameters
    Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1074)
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1012)
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptElement(XMLCipher.java:761)
        at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.doFinal(XMLCipher.java:872)
  • Acting as the SP and receiving the response from the IdP:
    org.apache.xml.security.algorithms.JCEMapper:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
    org.apache.xml.security.encryption.XMLCipher:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] JCE Algorithm = AES/CBC/ISO10126Padding
    libSAML2:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] ERROR: FMEncProvider.decrypt: Failed to decrypt data.
    org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
    Original Exception was java.security.InvalidKeyException: Illegal key size
        at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
        at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1618)
        at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:932)
        at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:621)

Recent Changes

The IdP and/or SP (whether remote or hosted) generated a signing key with 256-bit AES encryption.

Causes

Java® 8 and earlier do not support 256-bit AES keys by default; only 128-bit AES keys are supported. The following line in the debug log indicates that a 256-bit AES key is being used:

Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc

Solution

This issue can be resolved by installing the Oracle® Java JCE unlimited strength jars. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.

You should then install these jar files in the $JAVA_HOME/jre/lib/security/ directory and restart the web application container in which AM runs.
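Before and after installing the policy files, it is worth confirming from the JVM itself whether 256-bit AES is permitted, rather than inferring it from the AM debug log. The following diagnostic is an added example, not ForgeRock code; it assumes you compile and run it with the same JDK that the AM web application container uses, and it reproduces the same AES/CBC/ISO10126Padding operation that the SP-side log shows failing.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Constructed diagnostic: run with the same JDK that the AM container runs on. */
public class JceStrengthCheck {

    /** Largest AES key length (in bits) the installed jurisdiction policy permits. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        // 128 means the restricted policy is active; Integer.MAX_VALUE means unlimited.
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Attempts a 256-bit AES/CBC encryption; returns null on success, else the error message. */
    static String tryAes256Cbc() {
        byte[] key = new byte[32];   // constructed 256-bit test key (all zero, for the check only)
        byte[] iv = new byte[16];    // constructed IV
        try {
            // Same transformation the SP-side log reports: AES/CBC/ISO10126Padding
            Cipher cipher = Cipher.getInstance("AES/CBC/ISO10126Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            cipher.doFinal(new byte[16]);
            return null;
        } catch (GeneralSecurityException e) {
            // On a restricted JVM this is InvalidKeyException: "Illegal key size ..."
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version   = " + System.getProperty("java.version"));
        System.out.println("java.home      = " + System.getProperty("java.home"));
        // The crypto.policy security property exists from Java 8u151 onward; null on older releases
        System.out.println("crypto.policy  = " + Security.getProperty("crypto.policy"));
        int max = maxAesKeyBits();
        System.out.println("max AES bits   = " + (max == Integer.MAX_VALUE ? "unlimited" : max));
        String error = tryAes256Cbc();
        System.out.println(error == null
                ? "AES-256/CBC OK: aes256-cbc encrypted assertions can be processed"
                : "AES-256/CBC FAILED: " + error);
    }
}
```

If the check passes on the command line but AM still logs "Illegal key size", the container is running on a different java.home than the one you patched.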

See Also

Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x

FAQ: SAML certificate management in AM 5.x and 6.x

FAQ: SAML federation in AM

SAML Federation in AM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-7607 (OpenAM should implement "Metadata Profile for Algorithm Support")


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.