Illegal key size error when using a key encrypted with AES256 for SAML federation in AM 5.x and 6.x
The purpose of this article is to provide assistance if you receive an "Illegal key size" error when using a key with 256-bit AES encryption for SAML federation in AM. This error can occur regardless of whether AM is acting as the IdP or the SP.
Symptoms
One of the following errors is shown in the Federation debug log depending on whether AM is acting as the IdP or SP:
- Acting as the IdP and sending the response to the SP:
ERROR: FMEncProvider.encrypt: Failed to do the final data encryption.
com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1074)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1012)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptElement(XMLCipher.java:761)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.doFinal(XMLCipher.java:872)
- Acting as the SP and receiving the response from the IdP:
org.apache.xml.security.algorithms.JCEMapper:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
org.apache.xml.security.encryption.XMLCipher:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] JCE Algorithm = AES/CBC/ISO10126Padding
libSAML2:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] ERROR: FMEncProvider.decrypt: Failed to decrypt data.
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1618)
    at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:932)
    at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:621)
Recent Changes
The IdP and/or SP (whether remote or hosted) generated a signing key with 256-bit AES encryption.
Causes
Java® 8 and earlier does not support keys with 256-bit AES encryption by default, because the default JCE jurisdiction policy restricts AES to 128-bit keys; only 128-bit AES encryption is supported. The following line in the debug log indicates that a key with 256-bit AES encryption is being used:
Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
Solution
This issue can be resolved by installing the Oracle® Java JCE unlimited strength jars. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.
You should then install these jar files in the $JAVA_HOME/jre/lib/security/ directory and restart the web application container in which AM runs.
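A diagnostic to run on the JVM that hosts AM, before and after installing the policy jars, to confirm whether 256-bit AES/CBC is permitted. This is an added example, not code from the article or from AM; the class name AesKeySizeCheck, the all-zero key and IV are assumptions constructed for the check only.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

/**
 * Checks whether the running JVM allows the 256-bit AES key that the
 * http://www.w3.org/2001/04/xmlenc#aes256-cbc algorithm requires.
 * Assumed class name; not part of AM.
 */
public class AesKeySizeCheck {

    /** Highest AES key length (bits) the JCE policy permits; Integer.MAX_VALUE means unlimited. */
    public static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Mirrors the AES/CBC/ISO10126Padding init seen in the log; false on "Illegal key size". */
    public static boolean canUseAes256Cbc() throws Exception {
        // Constructed all-zero 32-byte key and 16-byte IV: only used to probe the policy,
        // never for real data.
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        Cipher cipher = Cipher.getInstance("AES/CBC/ISO10126Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, iv);
            return true;
        } catch (InvalidKeyException e) {
            // Same exception XMLCipher wraps as "Illegal key size or default parameters"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("Max AES key length : "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        // crypto.policy is set in java.security from Java 8u151 onward; null on older builds
        System.out.println("crypto.policy      : " + Security.getProperty("crypto.policy"));
        System.out.println("AES-256/CBC usable : " + canUseAes256Cbc());
        if (max < 256) {
            System.out.println("Install the JCE unlimited strength policy jars in "
                    + "$JAVA_HOME/jre/lib/security/ and restart the container running AM.");
        }
    }
}
```

Run it with the same java binary the web application container uses, since a different JDK on the PATH will give a misleading answer.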
See Also
Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x
Related Training
N/A
Related Issue Tracker IDs
OPENAM-7607 (OpenAM should implement "Metadata Profile for Algorithm Support")