One of the following errors is shown in the Federation debug log depending on whether AM is acting as the IdP or SP:
- Acting as the IdP and sending the response to the SP:

ERROR: FMEncProvider.encrypt: Failed to do the final data encryption.
com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException: Illegal key size or default parameters
Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1074)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptData(XMLCipher.java:1012)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.encryptElement(XMLCipher.java:761)
    at com.sun.org.apache.xml.internal.security.encryption.XMLCipher.doFinal(XMLCipher.java:872)
- Acting as the SP and receiving the response from the IdP:

org.apache.xml.security.algorithms.JCEMapper:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
org.apache.xml.security.encryption.XMLCipher:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] JCE Algorithm = AES/CBC/ISO10126Padding
libSAML2:09/10/2016 11:24:52:559 AM UTC: Thread[http-nio-10600-exec-8,5,main]: TransactionId[0f6493db-02a6-45d8-8aa9-7c0571c85d77-267] ERROR: FMEncProvider.decrypt: Failed to decrypt data.
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1618)
    at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:932)
    at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:621)
The IdP and/or SP (whether remote or hosted) generated a signing key with 256-bit AES encryption.
Java® 8 and earlier does not support keys with 256-bit AES encryption by default; only 128-bit AES encryption is supported. The following line in the debug log indicates that a key with 256-bit AES encryption is being used:

Request for URI http://www.w3.org/2001/04/xmlenc#aes256-cbc
This issue can be resolved by installing the Oracle® Java JCE unlimited strength jars. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.
You should then install these jar files in the $JAVA_HOME/jre/lib/security/ directory and restart the web application container in which AM runs.
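The policy files are specific to the JRE they are copied into, so it is worth confirming, both before and after installing them, that the JVM actually running AM permits 256-bit AES. The following probe is an added example and is not code from this article or from AM itself; the class and method names are my own. It reports the maximum AES key length the installed policy allows and then initialises the same cipher named in the SP log (AES/CBC/ISO10126Padding) with a 256-bit key, which reproduces the InvalidKeyException from the Federation debug log when the limited policy is still in place.

```java
// Added example (not from the ForgeRock article or AM's own code): probes the
// running JVM's JCE policy for 256-bit AES, the limit behind "Illegal key size".
// Class and method names are assumptions for this illustration.
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class Aes256PolicyCheck {

    /**
     * Largest AES key length (in bits) the installed JCE policy allows.
     * The limited policy returns 128; the unlimited policy returns Integer.MAX_VALUE.
     */
    public static int maxAesKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Initialises the cipher AM uses for the encrypted assertion
     * (AES/CBC/ISO10126Padding, see "JCE Algorithm" in the SP log) with a
     * 256-bit key. Returns false when the policy rejects the key size, which is
     * what surfaces as XMLEncryptionException in the Federation debug log.
     */
    public static boolean canUseAes256Cbc() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                       // key generation itself is not policy-restricted
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[16];           // AES block size; random IV for the probe only
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/ISO10126Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            cipher.doFinal("policy probe".getBytes("UTF-8"));
            return true;
        } catch (InvalidKeyException e) {
            // Java 8 with the limited policy: "Illegal key size or default parameters"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("java.home          = " + System.getProperty("java.home"));
        System.out.println("max AES key length = " + maxAesKeyLength());
        System.out.println("AES-256/CBC usable = " + canUseAes256Cbc());
    }
}
```

Compile and run it with the same JDK that AM's container uses ($JAVA_HOME/bin/javac Aes256PolicyCheck.java, then $JAVA_HOME/bin/java Aes256PolicyCheck), since a different JRE on the host may already have the unlimited policy and give a misleading result. The printed java.home also confirms which jre/lib/security directory the policy jars must be placed in. Java 8 update 161 and later enable the unlimited policy by default, so on those releases the probe is expected to report AES-256 as usable without the download.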