Is RSA supported by SunJCE?

Similar Messages

• RSA Support in JDK 1.2.2

  I am trying to figure out exactly which versions of java support RSA signature generation and verification. Precisely, I want to know if I can sign and verify using JDK 1.2.2 (without JCE). If not, do I need to get a provider that supports it, or will the JCE do the trick? The documentation seems a little vauge on these points.
  I saw a note about RSA support in 1.3. Wa 1.3 the first version to support it? If so, why does the API in 1.2.2 have RSA specific classes (e.g., RSAPrivateKeySpec )?
  Thanks,
  Patrick

  You can either use free JCE provider or free crypto library with your JDK 1.2.2 or even 1.1.8. The name of that JCE provider, cleanroom JCE implementation and that library at the same time is BouncyCastle - http://www.bouncycastle.org/
  You can strip not required classes and have about 50..100k jar with RSA-related functionality.
  By the way, what is the reason to support that slow and buggy JDK 1.2.2?

• RSA Implementation for SunJCE Provider

  Hello there!
  I just would like to inquire if there are plans/news for the sun developers to include the RSA Algorithm as part of the cryptographic services available in the pre-installed SunJCE Provider? If so, when?
  Thanks.
  Regards,
  Ronron

  Which RSA algorithm are you looking for? BTW Sun has 4
  JCE providers: SUN, SunJCE, SunRsaSign, SunJSSE.I am referring to the SunJCE Provider, which is
  already included in the latest Java 2 SDK, v 1.4
  release. Those 4 providers are from JDK 1.4
  I am looking for the RSA Algorithm for
  encryption/decryption of data. Because I believe that
  it would be very helpful when the SunJCE would include
  the implementation of that algorithm since the
  provider had been pre-installed in the latest Java 2
  SDK.
  Do you have any idea?I believe they still don't want to have any issues with US export restrictions, especially with that little case when someone need to use RSA encryption. So, they let you to use any 3rd part JCE provider. And there is such a good one for free. Look at the BouncyCastle.

• AES support in SunJCE

  Hi,
  Does anyone know when SunJCE will support AES. I tried to experiment with 1.4.2 version and didnt see any support. However IBM JCE ( comes with the 1.4.2 version) seems to have support for it.
  Thanks.
  Sunitha.

  sorry!
  Actually, I was trying out with 1.4.1 jvm and hence AES wasnt working.
  However, sun jce in 1.4.2 AES is supported.
  Sunitha.

• "Cannot find any provider supporting RSA/ECB/PKCS1Padding" in jdk5

  i use SSLSocket, HttpsURLConnection in program , run well in jdk1.4 but
  get wrong in jdk1.5.0_06, saying "Cannot find any provider supporting RSA/ECB/PKCS1Padding".
  i also try to use the "Unlimited Strength Jurisdiction Policy Files 5.0", but still not work.
  anyone knows why?
  thanks.

  I need more info to tell you exactly. But here are some thngs that might not be working.
  1st let me say I am assuming you are trying RSA encryption?
  1) You have an external JCE provider which provides RSA support installed on your machine using the security properties file. An applet would use a different properties file if you are using either RAW applet or the plugin. You need to add the provider explictly. Aka Security.addProvider(new org.cryptix.jce.Criptix());
  2) The external provider's jar file is not being downloaded with your applet code. Note that the Sun Java plugin does not use the same jre/lib/ext directory as does the JDK.
  3) Some sort of security violation in the SecurityManager of the applet engine if you are not using the Sun Java Plugin.
  Those are just guesses. but it might help if you were to inform us as to what RSA function youa re trying to do. AKA Signature or Cipher.
  Signatures would be a bit more complicated as at least JDK 141 and above have the SunRsaSigner built in. Again if you are using RAW applets (netscape/IE engine) then that would be the problem. (aka no provider installed).

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• MfE - 2stage logon with RSA token, possible?

  I'm finally able to use Exchange 2003 SP2 on OWA on my PC via IEv7.
  However, in order to use OWA at home I have 2 issues that I cannot figure out what to do with MfE.
  1. 2 stage logon.
  - First logon is the site logon id & pw. I work for a bank and as such security is its focus; gladly not a hinderance. I have a 2 stage logon because the AD ID I have is set for supporting 1 area of the bank while my access allows certain admin rights.
  - Thus my first logon is not the same as my AD. This enables a certificate to be installed into IE v7. This worked on MfE initially.
  - The second stage logon requires my AD account logon ID, and the pw uses my PIN+Tokencode (RSA hardtoken generated). 
  2. Although RSA supports S60 there is nothing on the web or on their site show a trial or full working application for download OR purchase. It supports S60 3rd Edition
  Now can MfE or any other software help me out in this situation.

  So I found RSA's link to purchasing the software ...
  http://www.rsa.com/node.aspx?id=3388
  BUT it asks you to basically register.
  Technical Specifications
  Currently shipping version: RSA SecurID® Token 2.20 for Symbian OSTM and UIQ
  Device requirements: Symbian OSTM 9.1 or higher UIQ 3.0 or higher
  Required components: RSA® Authentication Manager (5.1 or later required for AES token support; 6.1 recommended)
  AES (128-bit) token seeds
  Ordering options: AES (128-bit) token seeds available in 6-month and 1-, 2-, 3-, 4-, 5-, and 10-year lifetime configurations.
  Pricing and availability: RSA® SecurID Token 2.20 for Symbian OSTM and UIQ is available free of charge through RSA.
  Download RSA SecurID Token 2.20 for Symbian OSTM and UIQ, including documentation
  Token seeds are available through RSA sales channels.

• ACS 4.2 with multiple RSA secure ID token servers

  Hi all,
  I have a question which I couldn't find an answer to so far.  Below is a very brief explaination of what I have and what I need to do.
  What I have:
  1- An ACS 4.2 server installed on win 2003 with RSA agent installed.
  2- A RSA Secure ID Token Authentication manger 7.1
  The problem:
  Due to lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
  So far all the solution I have found and been told to do by RSA support have not enabled me to recover the lost password.
  What I want to do:
  I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2
  Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one
  My question:
  This is a very busy production environment and users can't tolorate down time at all.
  I need to keep everything running, I need to know if it is possible to have 2 RSA data sotres setup within ACS 4.2 or not?
  And if so, will migrated users to the new RSA installation be still able to authenticate or not?
  Can ACS send multiple authentication request simultaneously or not? And what happenes if a user is present in both instances of RSA, old and new?
  Thanks,
  Khash

  I have this setup and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and setup your RSA server with the RADIUS shared secret. Check IP connectivity between both,and make sure that the RSA server is the first database to be queried. Here you are just using Radius to pass through the auth from the ACS to the RSA server.

• Upgrade to j2sdk1.4.0_2 problems

  (I am a beginner at Java!)
  I recently installed the latest version (j2sdk1.4.0_2) under WINNT in order to have a go at the new crypto stuff. I also want to use Cryptix, who have a freeware for RSA support.
  I get some strange results.
  1)
  In one case I compile in a Command Window and javac cannot find the 'import java.security.cert.*;'. But another sample program in an adjacent directory compiles just fine.
  I suspect it has to do with the environment variables. On my system there are various version of Java installed.
  2)
  What is even stranger is that the program which compiles gives an error with the Cryptix library. However, when I run the same program under J++ (which someone suggested I install) it compiles and executes OK.
  Can someone give me some guidance?

  Unless you thoroughly understand how path and classpath work, and how Java finds files and classes, and the details of setting up multiple Java environments, I recommend that you remove all but one Java version.
  btw - version 1.4.1_01 is the most current.

• Cannot set up certs for trusted CAs going from 1.4.2_03 to 1.4.2_13

  Getting a wierd issue with "Cannot set up certs for trusted CAs" This works if we are using anything less then 1.4.2_07, but the minute we install 1.4.2_07 or 13 as the case may be we get the following Exception:
  log9: java.lang.ExceptionInInitializerError
  log9: at javax.crypto.Cipher.a(DashoA12275)
  log9: at javax.crypto.Cipher.getInstance(DashoA12275)
  log9: at com.gm.gwm.common.util.AesUtil.encrypt(AesUtil.java:31)
  log9: at com.gm.gwm.common.data.OfflineAuthenticatorDao.updatePassword(OfflineAuthenticatorDao.java:645)
  log9: at com.gm.gwm.common.service.OfflineAuthenticatorService.updatePassword(OfflineAuthenticatorService.java:141)
  log9: at main.jspService(_main.java:156)
  log9: at oracle.jsp.runtime.HttpJsp.service(HttpJsp.java:119)
  log9: at oracle.lite.web.JupServlet.service(Unknown Source)
  log9: at oracle.lite.web.JspRunner.service(Unknown Source)
  log9: at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  log9: at oracle.lite.web.JupServlet.service(Unknown Source)
  log9: at oracle.lite.web.MimeServletHandler.handle(Unknown Source)
  log9: at oracle.lite.web.JupApplication.handle(Unknown Source)
  log9: at oracle.lite.web.JupApplication.service(Unknown Source)
  log9: at oracle.lite.web.JupHandler.handle(Unknown Source)
  log9: at oracle.lite.web.HTTPServer.process(Unknown Source)
  log9: at oracle.lite.web.HTTPServer.handleRequest(Unknown Source)
  log9: at oracle.lite.web.JupServer.handle(Unknown Source)
  log9: at oracle.lite.web.SocketListener.process(Unknown Source)
  log9: at oracle.lite.web.ClientListener.process(Unknown Source)
  log9: at oracle.lite.web.SocketListener$ReqHandler.run(Unknown Source)
  log9: Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
  log9: at javax.crypto.SunJCE_b.<clinit>(DashoA12275)
  log9: ... 21 more
  log9: Caused by: java.lang.IllegalStateException: Already connected
  log9: at java.net.URLConnection.setUseCaches(Unknown Source)
  log9: at sun.net.www.protocol.jar.JarURLConnection.setUseCaches(Unknown Source)
  log9: at javax.crypto.SunJCE_d.a(DashoA12275)
  log9: at javax.crypto.SunJCE_b.g(DashoA12275)
  log9: at javax.crypto.SunJCE_b.f(DashoA12275)
  log9: at javax.crypto.SunJCE_t.run(DashoA12275)
  log9: at java.security.AccessController.doPrivileged(Native Method)
  Not sure what we are doing wrong.
      public static String encrypt(String value) throws AesException {
            try {
                 SecretKeySpec secKeySpec = new SecretKeySpec(fromHexString(encyptKey), algorithm);
                 Provider provider = new SunJCE();
                Security.addProvider(provider);
              Cipher cipher = Cipher.getInstance(algorithm, provider);
                 cipher.init(Cipher.ENCRYPT_MODE, secKeySpec);
                 byte[] encryptedBytes = cipher.doFinal(value.getBytes());
                 return toHexString(encryptedBytes);
            } catch (Exception e) {
                 throw new AesException(e);
       }

  I added that late just in case, for some strange reason, the provider wasn't getting picked up.
  Here is the list of available providers:
  log9: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore
  ; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
  log9: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
  log9: SUN's provider for RSA signatures
  log9: SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
  log9: Sun (Kerberos v5)
  log9: java.lang.ExceptionInInitializerError
  The minute I rollback to an older JVM this works.

• External DB [SecurID.dll]: Failed to load 'aceclnt.dll'

  Hi all,
  ACS refuse to start, possibly after windows 2000 upgrade. The error message in the csauth log is :
  ADMN 05/05/2006 08:42:11 E 0360 1824 External DB [SecurID.dll]: Failed to load 'aceclnt.dll'
  ADMN 05/05/2006 08:42:11 E 0547 1824 AuthenLoadLibrary: DLL for RSA SecurID Token Server initialization function failed
  ADMN 05/05/2006 08:42:11 E 0028 1824 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build11@ismg_israel_acs@ACS-B-394\ismg_israel_acs\Acs\DZAuth\authentication_common.c:631 [Exception trapped in AuthenLoadSupplier]
  I have try to suppress windows update, but the problem is always here, this services refuses to start :
  * csradius
  * cstacas
  * csadmin
  * csauth
  Any ideas ??

  Hmm, the exception definately shouldnt happen - no matter what else may have occurred on your machine.
  Have you ever used the RSA authenticator? The aceclnt.dll is supplied by RSA and installed into system32 when you install the RSA client tools CD.
  If yes, its possible the OS upgrade managed to nuke the DLL accidentally. ALthough the error message "Failed to load aceclnt.dll" is actually quite normal. I get this and dont have RSA support installed.
  I think this will require a call to the TAC as you probably need a developer to track the crash... the sort thing I used to do!
  Darran

• BouncyCastle in J2ME??

  anyone tried to use bouncycastle api for J2ME??? Since the package is large ,so it makes the midlet become large as well. Anyone know what to make it smaller?
  Is is possible to just copy the neccessary .java file to my application?
  Please help

  Sign the BouncyCastle mailing list, or search it:
  http://www.bouncycastle.org/mailing_lists.html
  http://www.bouncycastle.org/devmailarchive/index.html
  Usually when using J2ME, before you package your app, you must run some utility that determines the minimum subset of classes that are used by your application. For instance, if you will need to use DES only, you do not need to include RSA support.
  Probably you have read this article about J2ME and BouncyCastle:
  http://www.javaworld.com/javaworld/jw-12-2002/jw-1220-wireless.html

• Selecting a Cipher transformation

  How does one decide what transformation String to send to Cipher.getInstance()?
  The JCE reference says the string is in the form algorithm/mode/padding as in this following example:
  Cipher.getInstance("DES/ECB/PKCS5Padding");
  How does one decide which algorithm/mode/padding combination to use?
  There is some information in the JCA reference and the JCE reference, but not much about which algorithm to use. Also I have not found anything about what the "mode" part in the middle is.

  There are some factors that dictate the choosing of algorithms:
  - Will you control both the encrypting and decrypting side?
  - Are the algorithms homologated by the customer? (Some customers use only DES or Triple-DES, but don't use AES because it is a relatively new algorithm.)
  - Do the available toolkits process the algorithms? (AES is a recent addition to Java, for instance; if you need to use it in older Java versions, you will need to resort to third-party, like BouncyCastle or Cryptix, or RSA JSAFE.).
  - Must you implement or use some standard (like S/MIME or OpenPGP)? You will have to use only the algorithms dictated by the particular standard - for instance, if you use S/MIME, you will have to implement RC2/40 bits, even knowing that such combination is weak - but you are not required to use RC2/40 - probably you will require that all S/MIME communication uses Triple-DES/168 bits, even having to patch all your Outlook clients with the 128-bit update. Only very, very recent S/MIME clients support AES (it was recently standardized).
  My personal recommendations (not knowing your real needs): Use AES for symmetrical cryptography, and RSA for asymmetrical (public-key) cryptography. RSA support is almost universal between the toolkits (even plain JDK 1.3 can verify and sign messages using RSA) and AES can be easily implemented if not available. But you must take this only as an advice.
  If you need to use RC4, take a lot of care, because if incorrectly used, it is very weak. Read the crypto books if you need to use RC4.

• Access Reject with 1660

  Hi,
  I'm still trying to configure a iChain 2.3 Box with RSA ACE
  Authentication. It works fine with LDAP, but not with Token.
  I stored the sdconf.rec File in the eDirectory and after trying to log in
  with NTRADPING or iChain I receive Access Reject on the Debug Screen of
  the Radius. Also the Error -1660 appears.
  When I activate the Activity Monitor on the ACE Server, I do not see any
  messages - do I miss something? I configured the whole thing with TID
  10069755 - even I did not the Point5, because the Usernames are the same.
  But when I try to add the Login Name to the Login Method, I receive a
  Error 1418.
  Could not find something helpful at the RSA Support Page.
  Any help would be appreciated.
  Thanks
  Tom

  It appears that the server cannot load the NLM that implements the Login
  Server Method (LSM) the RSA Ace/Agent method. I'm not sure exactly what
  error 6 is, but I have encountered this in the past on rare occasions. As I
  recall, this means that the NetWare loader failed to load an NLM, and in
  most cases that I've seen, its been due to a corrupt NLM.
  NMAS stores LSMs in eDirectory. You'll notice one or more .lmo files in the
  same directory as the config.txt file for each method. These are the LSMs
  for the method. When you install a login method, these LMO files are stored
  in eDirectory stream attributes on the login method object for the method.
  When the NMAS server starts, it reads the LMO out of the stream attribute
  that corresponds to the server platform. The NMAS server then extracts the
  NLM for the LSM, and loads it.
  It could be that one of the LMO files you're installing is corrupt, or it
  could be that eDirectory is not synchronizing the stream attributes properly
  between replicas. I suggest installing a known good copy of the method, or
  downloading a new copy of the method from RSA. You may also want to run
  DSRepair to make sure that you Security Container replicas are consistent.
  I recall seeing this error a few years ago when methods were installed from
  ConsoleOne on Win98 clients. This was due to a bug in Client32's handling of
  the stream attributes on Win9x platforms. This was before we shipped NMAS
  2.0, so I'm sure the problem has been fixed by now. However, if you happen
  to be installing methods from a Win98 workstation, it might be worthwhile to
  try a NT/2k/XP workstation instead.
  >>> <[email protected]> 09/14/04 8:53 AM >>>
  Scott,
  of course you were right again. The RSA Sequence is not valid - but why?
  I downloaded and installed the RSA Agent from the RSA Site. The
  installation is pretty simple, like another NMAS Login Method from
  ActivCard or so.
  Do you have a tip what to do with that error? Thanks again
  Below is the Trace screen from NMAS.
  Thank you so much.
  Regards, Tom
  Tuesday, 14 Sep 2004
  16:49:29 8C70C3A0 NMAS: 57: Create NMAS Session
  16:49:29 8C70C3A0 NMAS: 57: RemoteCheckIfLocalUser checking tbo.xx.xx.
  16:49:29 8C70C3A0 NMAS: 57: RemoteCheckIfLocalUser is a local user.
  16:49:29 8C70C3A0 NMAS: 57: Server thread started
  16:49:29 8C70C3A0 NMAS: 57: NMAS_CanDo StartClientSession 0
  16:49:29 8C70C3A0 NMAS: 57: >>ClientPut: message size=8 queue Size 0
  16:49:29 8C70C3A0 NMAS: 57: >>ClientPut: message size=15 queue Size 8
  16:49:29 8C70C3A0 NMAS: 57: NMAS_CanDo sendMessage 0
  16:49:29 8C70C3A0 NMAS: 57: <<ClientGet: message size=8 queue Size 0
  16:49:29 8C4AD260 NMAS: 57: >>ServerGet: message size=8 queue size 23
  16:49:29 8C4AD260 NMAS: 57: >>ServerGet: message size=15 queue size 15
  16:49:29 8C4AD260 NMAS: 57: CanDo
  16:49:29 8C4AD260 NMAS: 57: Sequence Selected == "RSA ACE Agent"
  16:49:29 8C4AD260 NMAS: 57: Login Sequence RSA ACE Agent not valid.
  16:49:29 8C4AD260 NMAS: 57: Login Sequence lsmafp is valid.
  16:49:29 8C4AD260 NMAS: 57: Login Sequence lsmafp is valid.
  16:49:29 8C4AD260 NMAS: 57: Login Sequence NDS is valid.
  16:49:29 8C4AD260 NMAS: 57: Login Sequence lsmcifs is valid.
  16:49:29 8C4AD260 NMAS: 57: ERROR: -1660 CanDo
  16:49:29 8C4AD260 NMAS: 57: ERROR: -1660 NMAS Manager
  16:49:29 8C4AD260 NMAS: 57: <<ServerPut: message size=8 queue size 0
  16:49:29 8C4AD260 NMAS: 57: <<ServerPut: message size=4 queue size 8
  16:49:29 8C4AD260 NMAS: 57: >>ServerGet: message size=8 queue size 0
  16:49:29 8C70C3A0 NMAS: 57: <<ClientGet: message size=4 queue Size 4
  16:49:29 8C70C3A0 NMAS: 57: NMAS_CanDo sendMessage 0
  16:49:36 C8868400 NMAS: NMAS Enterprise Edition
  16:49:36 C8868400 NMAS: NMAS Login Policy Refresh Started
  16:49:36 C8868400 NMAS: processLMOs: Login Method Object lsmafp
  16:49:36 C8868400 NMAS: Loading LSM Method ID: 0xE Grade: 0x800000 MIB: 0
  Flags: 0x1
  16:49:36 C8868400 NMAS: ERROR: -602 processModule: Read LCM Code
  16:49:36 C8868400 NMAS: processLMOs: Login Method Object lsmcifs
  16:49:36 C8868400 NMAS: cacheLMO: Method ID Attribute not found
  16:49:36 C8868400 NMAS: Loading LSM Method ID: 0xD Grade: 0x4800000 MIB: 0
  Flags: 0x1
  16:49:36 C8868400 NMAS: ERROR: -602 processModule: Read LCM Code
  16:49:36 C8868400 NMAS: processLMOs: Login Method Object NDS
  16:49:36 C8868400 NMAS: processLMOs: Login Method Object RSA ACE Agent
  16:49:36 C8868400 NMAS: Loading LSM Method ID: 0x60 Grade: 0x4C00000 MIB:
  0 Flags: 0x0
  16:49:36 C8868400 NMAS: ERROR: 6 processModule: Load Module
  16:49:36 C8868400 NMAS: ERROR: 6 processModule: Failed for module RSA ACE
  Agent
  16:49:36 C8868400 NMAS: processLMOs: Login Method Object NDS Change
  Password
  16:49:36 C8868400 NMAS: Loading LSM Method ID: 0xC Grade: 0x0 MIB: 1
  Flags: 0x2
  16:49:36 C8868400 NMAS: ERROR: -602 processModule: Read LCM Code
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse sequence name lsmafp
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse method name lsmafp
  16:49:36 C8868400 NMAS: cacheLoginSeq: Login method lsmafp
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse sequence name lsmafp
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse method name NDS
  16:49:36 C8868400 NMAS: cacheLoginSeq: Login method NDS
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse sequence name NDS
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse method name NDS
  16:49:36 C8868400 NMAS: cacheLoginSeq: Login method NDS
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse sequence name lsmcifs
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse method name lsmcifs
  16:49:36 C8868400 NMAS: cacheLoginSeq: Login method lsmcifs
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse sequence name RSA ACE Agent
  16:49:36 C8868400 NMAS: cacheLoginSeq: Parse method name RSA ACE Agent
  16:49:36 C8868400 NMAS: cacheLoginSeq: Invalid method RSA ACE Agent
  16:49:36 C8868400 NMAS: cacheLoginSeq: Invalid sequence -- no valid
  methods RSA ACE Agent
  16:49:36 C8868400 NMAS: NMAS Login Policy Refresh Finished
  > The -1660 error is an NMAS error for "login sequence not found." This
  > usually means that the server is not loading one of the methods in the
  login
  > sequence for some reason. Sometimes you can force NMAS to load a method
  by
  > entering "nmas refreshpolicy" at the server console. If this does not
  work,
  > then it would be helpful to see some trace output from the "nmas
  > refreshpolicy" command. TID 10092261 tells you how to get trace output
  from
  > NMAS.
  >
  > The -1418 error you're getting is the result of tree key problems that
  your
  > customer must have had in the past. This would be the same problem that
  > caused the -1418 error you were getting while trying to store the
  sdconf.rec
  > file. There is data stored in your customer's environment that was
  encrypted
  > with their old tree key, and they're likely to get this error each time
  they
  > encounter this data. Your sdconf.rec file problem was due to encrypted
  data
  > stored on the "RSA/Ace Agent" object, and your current problem is due to
  > data stored on specific user objects. Delete the same attributes
  (SAS:Login
  > Configuration, SAS:Login Configuration Key, SAS:Login Secret, SAS:Login
  > Secret Key) from users that get the -1418 error, and the problem should
  go
  > away.
  >
  > That being said, since the usernames on the ACE/Server are the same as
  > users' common names in eDirectory, you don't need assign each user a name
  > for the RSA method.
  >
  > >>> <[email protected]> 09/14/04 4:24 AM >>>
  > Hi,
  > I'm still trying to configure a iChain 2.3 Box with RSA ACE
  > Authentication. It works fine with LDAP, but not with Token.
  >
  > I stored the sdconf.rec File in the eDirectory and after trying to log
  in
  > with NTRADPING or iChain I receive Access Reject on the Debug Screen of
  > the Radius. Also the Error -1660 appears.
  >
  > When I activate the Activity Monitor on the ACE Server, I do not see any
  > messages - do I miss something? I configured the whole thing with TID
  > 10069755 - even I did not the Point5, because the Usernames are the
  same.
  > But when I try to add the Login Name to the Login Method, I receive a
  > Error 1418.
  > Could not find something helpful at the RSA Support Page.
  > Any help would be appreciated.
  > Thanks
  > Tom
  >
  >

• SunJCE Provider doesn't support RSA for all version of JCE?

  Folks,
  Have browsed through the forum and it seems that the JCE provider bundled with JCE and JDK1.4+ do nothing on RSA. Can I make this conclusion?

  But it seems the SunJCE doesn't provide the RSA (and
  AES, who knows what else is missing) encryption and
  decryption functions. Can anyone list what is missing
  from the SunJCE? Also, from the forum, many have
  pointed to this bounty castle provider. Can any of
  you guys who are familiar with this provider give us
  the procedure of installation? Thanks.I wouldn't use the term 'missing' here. Sun provides some basic cryptographic functions and that all. If you want more, get another provider. Sun will never be able to provide every possible algorithm. That's why they have implemented the external provider option. So no, I cannot list what is missing.
  I can tell you that other providers, for instance BouncyCastle offer much more cryptographic functions. Installation is very easy. Just download the .jar and put it in your <java>\jre\lib\ext directory. After that you can use it in you programs with the following code:
  Provider prov = new org.bouncycastle.jce.provider.BouncyCastleProvider();
  Security.addProvider(prov);You can also install it so that you don't have use this code in every program that uses the provider. How this is accomplished, can be found in the install manual from BouncyCastle.