
Failed to instantiate Cipher object. Transformation RSA/NONE/OAEPWithSHA1...


mpeppler@peppler.org [Team Sybase]

Sep 9, 2009, 9:11:44 AM
Hi,

I'm getting this error:

JZ0LA: Failed to instantiate Cipher object. Transformation RSA/NONE/OAEPWithSHA1AndMGF1Padding is not implemented by any of the loaded JCE providers.

when trying to connect to an ASE 15.0.3 server and using the
ENCRYPT_PASSWORD connection property.

I found solved case 11508833 which says that this is related to the
new "net password encryption reqd" server configuration option, and
that if this option is set then you need to use a third party
encryption tool.

However, we don't have this option set on our servers.

Am I reading the case notes incorrectly, or is this a regression?

I'm using EBF 16903.

Thanks.

Michael

Neal Stack [Sybase]

Sep 9, 2009, 11:02:25 AM
to mpeppler@peppler.org [Team Sybase]
Hello,

"net password encryption reqd" allows you to make ASE reject logins if
their password is not encrypted.

The error means that your encryption providers in your Java environment don't
support the level of encryption that jConnect is trying to use. As of
15.0 ESD#8, your configured JCE provider should be capable of supporting
the "RSA/NONE/OAEPWithSHA1AndMGF1Padding" transformation:
http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc20155.1500/html/newfesd/newfesd95.htm

jConnect relies on Java to connect to the server so you will need to set up your Java environment first.
For details on configuring Java Cryptography Extension (JCE):
http://docs.sun.com/app/docs/doc/819-3658/ablsc?a=view

1) I downloaded the following one from www.bouncycastle.org:
http://www.bouncycastle.org/download/bcprov-jdk16-143.jar

2) Copy it to the JRE extension directory that Sybase Central and DBISQL use:
%SYBASE%\Shared\JRE-6_0_6_32BIT\lib\ext\bcprov-jdk16-143.jar

3) Edit the list of security providers for this instance of Java.
Add Bouncy Castle to %SYBASE%\Shared\JRE-6_0_6_32BIT\lib\security\java.security
For example:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

4) Now when you connect with jConnect and have ENCRYPT_PASSWORD enabled,
your password should be encrypted.

See the similar discussion I had about Sybase Central and DBISQL which both
use jConnect under the covers:
news://forums.sybase.com:119/4A8C00F4...@nospam.com

Regards,
Neal
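A way to see which registered JCE providers can actually supply the transformation named in the JZ0LA message, as an added example that is not part of the original thread or of jConnect. The class name CheckOaepProviders and its optional command-line argument (a provider class to register at runtime, such as the Bouncy Castle class named above) are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Hypothetical diagnostic class; not part of jConnect.
public class CheckOaepProviders {
    // Transformation string copied from the JZ0LA error text.
    static final String TRANSFORMATION = "RSA/NONE/OAEPWithSHA1AndMGF1Padding";

    // True if this provider can hand out a Cipher for the transformation.
    static boolean supports(Provider p, String transformation) {
        try {
            Cipher.getInstance(transformation, p);
            return true;
        } catch (Exception e) {
            // NoSuchAlgorithmException / NoSuchPaddingException: not implemented here.
            // SecurityException: the JRE refused the provider (e.g. unsigned jar).
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument (assumption): a provider class to register at runtime,
        // similar to adding a security.provider.N line to java.security.
        if (args.length > 0) {
            Provider extra = (Provider) Class.forName(args[0])
                    .getDeclaredConstructor().newInstance();
            Security.addProvider(extra);
        }
        int hits = 0;
        Provider[] providers = Security.getProviders(); // in preference order
        for (int i = 0; i < providers.length; i++) {
            boolean ok = supports(providers[i], TRANSFORMATION);
            if (ok) hits++;
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + (ok ? "  SUPPORTS " : "  does not support ") + TRANSFORMATION);
        }
        if (hits == 0) {
            System.out.println("No registered provider implements " + TRANSFORMATION);
            System.exit(1);
        }
    }
}
```

Run it with the same JRE and classpath as the application that fails. It reports only providers registered with the JVM, so a provider jar that is present but neither listed in java.security nor passed as the argument will not appear.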

Michael Peppler [Team Sybase]

Sep 9, 2009, 2:15:27 PM
Thanks Neal.

I guess I didn't understand the case notes correctly (or they are a bit
vague) as I thought they meant that the "new" encryption is only used in
the case where the server has set the "net password encryption reqd" flag.

This is clearly not the way things work, and we've been able to use the
encryption providers included in the jConnect distribution (in EBF 16903,
at least) to get this to work.

Michael


On Wed, 09 Sep 2009 08:02:25 -0700, Neal Stack [Sybase] wrote:

> Hello,
>
> "net password encryption reqd" allows you to make ASE reject logins if
> their password is not encrypted.
>
> The error means that your encryption providers in your Java environment don't
> support the level of encryption that jConnect is trying to use. As of
> 15.0 ESD#8, your configured JCE provider should be capable of supporting
> the "RSA/NONE/OAEPWithSHA1AndMGF1Padding" transformation:

Neal Stack [Sybase]

Sep 9, 2009, 4:00:51 PM
to Michael Peppler [Team Sybase]
Hi Michael,

Are "EccpressoFIPS.jar" and "EccpressoFIPSJca.jar" in your CLASSPATH?
http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc20155.1500/html/newfesd/CIHEGBHG.htm

I can reproduce your error by doing the following:

C:\Workspace\Java_Samples>pushd c:\sybase\jconnect-6_0\classes

C:\sybase\jConnect-6_0\classes>mkdir ECC

C:\sybase\jConnect-6_0\classes>move ECC*.jar ECC
C:\sybase\jConnect-6_0\classes\EccpressoFIPS.jar
C:\sybase\jConnect-6_0\classes\EccpressoFIPSJca.jar

C:\sybase\jConnect-6_0\classes>popd

C:\Workspace\Java_Samples>java CancelSql
Hello from CancelSql
Registered JDBC Drivers: sun.jdbc.odbc.JdbcOdbcDriver@60aeb0
com.sybase.jdbc3.jdbc.SybDriver@1d58aae
Message : JZ0LA: Failed to instantiate Cipher object. Transformation RSA/NONE/OAEPWithSHA1AndMGF1Padding is not implemented by any of the loaded JCE providers.
java.lang.NullPointerException
at CancelSql.doQuery(CancelSql.java:93)
at CancelSql.doSql(CancelSql.java:125)
at CancelSql.main(CancelSql.java:145)

Regards,
Neal

ma.d...@gmail.com

Oct 2, 2012, 11:00:42 AM
to Michael Peppler [Team Sybase]
Hi,

I'm having the same problem, "java.sql.SQLException: JZ0LA: Failed to instantiate Cipher object. Transformation RSA/NONE/OAEPWithSHA1AndMGF1Padding is not implemented by any of the loaded JCE providers".

However, I have the Eccpresso files in the same directory as jconn4.jar. I looked at jconn4.jar decompiled, and it's just looking for those filenames, wherever on the classpath they may lie, so keeping them in the same folder should be fine. I've added them to the same group and owner and restarted the tomcat (coldfusion) server. What's weirdest about this is that it didn't work at first, then it worked for a short while, then stopped again. I don't have total control over this server but I'm most likely the only one working on it, and I didn't make any changes during the period when it worked and then didn't.

That is to say, sure, I must have done something, but I can't figure out what. Either that, or the database administrator--whom I am unable to communicate with--is changing something about the kind of encryption they are requiring on the back end. Is that a possibility? I seem to be just getting the one error message, JZ0LA, at every turn.

ma.d...@gmail.com

Oct 2, 2012, 11:10:28 AM
to Michael Peppler [Team Sybase]
Okay, so I manually set the JCE_PROVIDER_CLASS in the connection string for one of my two connections to sybase, and they both started working. I'm assuming the connection is cached or something. I'll post back if it stops again.

sat.p...@gmail.com

Apr 24, 2015, 11:37:31 AM
The above solution worked for me as well.

Also, I don't think we need to modify the security file as well, so no need to update it to security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

import java.sql.*;

// Register the jConnect driver explicitly.
String strDriver = "com.sybase.jdbc4.jdbc.SybDriver";
Class<?> drvClass = Class.forName(strDriver);
DriverManager.registerDriver((Driver) drvClass.newInstance());
DriverManager.setLoginTimeout(900);
// JCE_PROVIDER_CLASS names the provider in the URL, so java.security stays unchanged.
// RETRY_WITH_NO_ENCRYPTION=true lets jConnect retry the login with a clear-text password if the encrypted login fails.
Connection con = DriverManager.getConnection("jdbc:sybase:Tds:SYBQA-WEB.na.blkint.com:14111/master?PRE_CACHE_DATATYPE_INFO=true&ENCRYPT_PASSWORD=true&JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider&RETRY_WITH_NO_ENCRYPTION=true&APPLICATIONNAME=Aqua_Data_Studio&HOSTNAME=LONVV0000007", username, password);
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("select * from iib_gold_datamart_db..fund_id_map");
while (rs.next()) {
    int x = rs.getInt("old_fund_id");
    System.out.println(x);
    int y = rs.getInt("new_fund_id");
    System.out.println(y);
}
// Release JDBC resources once the result set has been read.
rs.close();
stmt.close();
con.close();
