如何使Weblogic 11gR2 (10.3.3) FIPS-140兼容

Question

我们的Ear应用程序托管在Weblogic 10.3.3服务器上。

此应用程序正在与BO4.1进行交互，我们现在试图连接到它时出现了这个错误：

    com.tranme.guide.commonservices.report.InteractionBOException: com.crystaldecisions.sdk.exception.SDKException$ConfidentialChannelFailed: Impossible d'굡blir un canal confidentiel. (FWM 02119)
cause:com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
detail:Impossible d'굡blir un canal confidentiel. (FWM 02119) Cryptographic library is not FIPS-140-compliant.
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getReportInfoObjectsByReportName(CrystalReportHelper.java:515)
  at com.tranme.guide.notificationmgt.manager.reports.util.ReportManagementTools.getReportInstanceStatuses(ReportManagementTools.java:81)
  at com.tranme.guide.notificationmgt.manager.reports.util.ReportManagementTools.getGenerationStatusResults(ReportManagementTools.java:51)
  at com.tranme.guide.notificationmgt.manager.BaseNotificationManager.updateReportGenerationStatus(BaseNotificationManager.java:217)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl.updateReportGenerationStatus(NotificationManagementFacadeBeanImpl.java:123)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl.updateReportGenerationStatus(NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl.java:140)
  at com.tranme.guide.notificationmgt.business.ejb.impl.NotificationManagementFacadeBeanImpl_z3lp9c_EOImpl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
  at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
  at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
  at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: com.crystaldecisions.sdk.exception.SDKException$ConfidentialChannelFailed: Impossible d'굡blir un canal confidentiel. (FWM 02119)
cause:com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
detail:Impossible d'굡blir un canal confidentiel. (FWM 02119) Cryptographic library is not FIPS-140-compliant.
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:199)
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.createConfidentialChannel(ConfidentialChannelService.java:145)
  at com.crystaldecisions.sdk.occa.security.internal.CCMap.locateCCItem(CCMap.java:63)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:845)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:805)
  at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:210)
  at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:166)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody0(SessionMgr.java:454)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody1$advice(SessionMgr.java:512)
  at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:1)
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getSession(CrystalReportHelper.java:156)
  at com.tranme.guide.commonservices.report.CrystalReportHelper.getReportInfoObjectsByReportName(CrystalReportHelper.java:502)
  ... 15 more
Caused by: com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
  at com.businessobjects.bcm.internal.BcmRsaLib.CheckStartupErrors(BcmRsaLib.java:28)
  at com.businessobjects.bcm.internal.DHKeyAgreeImpl.<init>(DHKeyAgreeImpl.java:22)
  at com.businessobjects.bcm.BCM.createKeyAgreement(BCM.java:1080)
  at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:175)
  ... 26 more

BO库位于weblogic类路径中(我之前的开发人员就是这样决定实现它们的)。

我已经尝试了SAP的论坛提出的解决方案，没有任何运气。

Answer 1

WLS11G需要为符合FIPS标准的SSL连接配置这些东西

• cryptojFIPS.jar被添加到PRE_CLASSPATH变量中(这样做与SAP 建议类似)
• 指定了命令行参数-Dweblogic.security.SSL.nojce=true。
• JVM有无限强度的JCE (更详细的对于WLS12C，但步骤类似)。这可能已经被设置好了。