We installted WebSphere Application Server 18.104.22.168 and recieved the following error when creating a profile:
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs at javax.crypto.b.clinit(Unknown Source) at java.lang.J9VMInternals.initializeImpl(Native Method) at java.lang.J9VMInternals.initialize(J9VMInternals.java:194) ... 63 more Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! at javax.crypto.b.a(Unknown Source) at javax.crypto.b.a(Unknown Source) at javax.crypto.b.access$600(Unknown Source) at javax.crypto.b$0.run(Unknown Source) at java.security.AccessController.doPrivileged (AccessController.java:246)
The ‘Jurisdiction Policy Files’ are the cryptographic jars found in the security directory of your Java Runtime Environment. They control what encryption algorithms are allowed in your country based on U.S. Export policy. Usually what you need to do is grab the unrestricted ones from the IBM Java website and then overwrite the ‘resticted (less functional)’ ones after server installation but before profile creation.
I dug a little deeper into the issue and found that in 22.214.171.124, the IBM Restricted/Unrestricted cryptographic export jars were updated. I hear that it had something to do with the signing of the jars expiring since they’ve been around so long. So if you stick with restricted the ones that are included in the 126.96.36.199 fixpack, you’ll find that you are unable to create a profile successfully.
The fix is to go and overwrite those restricted jars with the unrestricted copies provided by IBM. Hopefully they’ll get packaged into an official ifix pack or something.
* I do wonder though if we’ve run into this error because we didn’t apply a server JDK fixpack to the server or something along those lines, but this is mere speculation. Maybe one of my more experienced colleagues will install a server and tell me that they didn’t get this error.