Portal Dedicated On-boarding - SSL keytool error when converting controller.keystore.p12 into Java keyStore
If the keytool command used to convert the sample Waratek keyStore controller.keystore.p12 into a Java keyStore:
<path_to_jdk>/bin/keytool -importkeystore -srckeystore controller.keystore.p12 -srcstoretype pkcs12 -srcalias controller -destkeystore war_keystore.jks -deststoretype jks -deststorepass password -destalias WaratekMCCert
fails on older JDK6 and JDK7 with the following error:
keytool error: java.io.IOException: parseAlgParameters failed: DER input not an octet string
the cause is likely a lack of support for TLSv1.2 in the JDK. One solution is to add the external Bouncy Castle dependencies to the JDK and modify its java.security configuration (step c below), as follows. Note that these changes affect every application run with that JDK, not only keytool, so keep a backup of the files you modify.
a) Update the JDK's jre/lib/security/ directory with the most recent Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files, local_policy.jar and US_export_policy.jar. These policy files are available to download from Oracle as a zip file. Make sure to download the zip file for the particular Java version.
cp local_policy.jar <jdk>/jre/lib/security/
cp US_export_policy.jar <jdk>/jre/lib/security/
b) Download the following three Bouncy Castle jar files, and copy all three jar files into the <jdk>/jre/lib/ext directory.
bcprov-jdk15to18-1.71.jar
bctls-jdk15to18-1.71.jar
bcutil-jdk15to18-1.71.jar
c) Modify the <jdk>/jre/lib/security/java.security file. Comment out each security.provider line using a # character, as follows:
# security.provider.1=sun.security.provider.Sun
# security.provider.2=sun.security.rsa.SunRsaSign
# security.provider.3=com.sun.net.ssl.internal.ssl.Provider
# security.provider.4=com.sun.crypto.provider.SunJCE
# security.provider.5=sun.security.jgss.SunProvider
# security.provider.6=com.sun.security.sasl.Provider
# security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
# security.provider.8=sun.security.smartcardio.SunPCSC
and then add the following extra lines to the same java.security file:
# Add the Bouncy Castle security providers with higher priority
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
# Original security providers with different priorities
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
# Here we are changing the default SSLSocketFactory implementation
ssl.SocketFactory.provider=org.bouncycastle.jsse.provider.SSLSocketFactoryImpl
Running the keytool command above should now succeed, and the Java keyStore should be created at the destination specified by the -destkeystore argument of the keytool command.
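The java.security edit in step c), as an added shell example that is not part of Waratek's documentation or tooling: it comments out the existing provider lines, prepends the two Bouncy Castle providers, renumbers the original providers from 3 in their existing order, appends the SSLSocketFactory setting, and refuses to run twice on the same file. The function names and the .bak backup path are this example's own choices.

```shell
#!/bin/sh
# Added example (not Waratek's own tooling): apply the step c) edit to a
# java.security file. Hypothetical function name; assumes the file lists
# providers as security.provider.N=<class>, as in the JDK6/7 default file.
reorder_providers() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # Refuse to apply the edit twice: a second run would renumber BC itself.
  if grep -q 'org\.bouncycastle' "$file"; then
    echo "Bouncy Castle providers already present in $file" >&2
    return 1
  fi
  cp "$file" "$file.bak" || return 1   # keep a copy to revert to
  tmp="$file.tmp"
  {
    # 1) comment out every active security.provider.N line with a '#'
    sed 's/^\(security\.provider\.[0-9][0-9]*=\)/# \1/' "$file"
    # 2) Bouncy Castle first, so it is consulted first during provider lookup
    echo '# Add the Bouncy Castle security providers with higher priority'
    echo 'security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider'
    echo 'security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider'
    # 3) original providers keep their relative order, renumbered from 3
    echo '# Original security providers with different priorities'
    n=3
    grep '^security\.provider\.[0-9][0-9]*=' "$file" \
      | sed 's/^security\.provider\.[0-9]*=//' \
      | while read -r cls; do
          echo "security.provider.$n=$cls"
          n=$((n + 1))
        done
    # 4) switch the default SSLSocketFactory to the BC JSSE implementation
    echo '# Here we are changing the default SSLSocketFactory implementation'
    echo 'ssl.SocketFactory.provider=org.bouncycastle.jsse.provider.SSLSocketFactoryImpl'
  } > "$tmp" && mv "$tmp" "$file"
}

# Count the active (uncommented) security.provider.N lines in a file, to
# check the result: the original count plus two is expected afterwards.
active_provider_count() {
  grep -c '^security\.provider\.[0-9][0-9]*=' "$1"
}
```

Run it as reorder_providers <jdk>/jre/lib/security/java.security after steps a) and b), then compare the file with the .bak copy before retrying the keytool command.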