Profile Creation on WebSphere Application Server Fails with Certificate Error

We installted WebSphere Application Server and recieved the following error when creating a profile:

Caused by: java.lang.SecurityException: Cannot
set up certs for trusted CAs
 at javax.crypto.b.clinit(Unknown Source)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(
 ... 63 more
Caused by: java.lang.SecurityException: Jurisdiction policy
files are  not signed by trusted signers!
 at javax.crypto.b.a(Unknown Source)
 at javax.crypto.b.a(Unknown Source)
 at javax.crypto.b.access$600(Unknown Source)
 at javax.crypto.b$ Source)

The ‘Jurisdiction Policy Files’ are the cryptographic jars found in the security directory of your Java Runtime Environment. They control what encryption algorithms are allowed in your country based on U.S. Export policy. Usually what you need to do is grab the unrestricted ones from the IBM Java website and then overwrite the ‘resticted (less functional)’ ones after server installation but before profile creation.

I dug a little deeper into the issue and found that in, the IBM Restricted/Unrestricted cryptographic export jars were updated. I hear that it had something to do with the signing of the jars expiring since they’ve been around so long. So if you stick with restricted the ones that are included in the fixpack, you’ll find that you are unable to create a profile successfully.

The fix is to go and overwrite those restricted jars with the unrestricted copies provided by IBM. Hopefully they’ll get packaged into an official ifix pack or something.

* I do wonder though if we’ve run into this error because we didn’t apply a server JDK fixpack to the server or something along those lines, but this is mere speculation. Maybe one of my more experienced colleagues will install a server and tell me that they didn’t get this error.

Author: dan


  1. Pingback: Follow up to Profile Creation Fails on WebSphere Java Juristiction Policy Files |

Leave a Reply

Your email address will not be published. Required fields are marked *