fx_bobj_logon fails on Sybase ASE / SAPJVM 1.8.0_121

[boskamp]

fx_bobj_logon: com.crystaldecisions.sdk.exception.SDKException$ConfidentialChannelFailed: Failed to establish confidential channel. (FWM 02119)cause:com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.detail:Failed to establish confidential channel. (FWM 02119) Cryptographic library is not FIPS-140-compliant.
    at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:199)
    at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.createConfidentialChannel(ConfidentialChannelService.java:145)
    at com.crystaldecisions.sdk.occa.security.internal.CCMap.locateCCItem(CCMap.java:63)
    at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:855)
    at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:815)
    at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:211)
    at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:177)
    at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody0(SessionMgr.java:454)
    at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody1$advice(SessionMgr.java:512)
    at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:1)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:228)
    at org.mozilla.javascript.ScriptRuntime.call(ScriptRuntime.java:1222)
    at org.mozilla.javascript.gen.c41.call(fx_bobj_Session:104)
    at org.mozilla.javascript.ScriptRuntime.call(ScriptRuntime.java:1222)
    at org.mozilla.javascript.gen.c20.call(fx_bobj_logon:46)
    at com.sap.idm.ic.RunScript.execute(RunScript.java:175)
    at com.sap.idm.ic.RunScript.execute(RunScript.java:156)
    at com.sap.idm.ic.FromGeneric.init(FromGeneric.java:78)
    at com.sap.idm.ic.DSERunTime.runFromPass(DSERunTime.java:2055)
    at com.sap.idm.ic.DSERunTime.runPass(DSERunTime.java:3134)
    at com.sap.idm.ic.DSERunTime.runJob(DSERunTime.java:1264)
    at com.sap.idm.ic.DSERunTime.loopJob(DSERunTime.java:667)
    at com.sap.idm.ic.DSERunTime.doCommand(DSERunTime.java:1888)
    at com.sap.idm.ic.DSERunTime.doCommand(DSERunTime.java:333)
    at com.sap.idm.ic.DSERunTime.run(DSERunTime.java:3526)
    at com.sap.idm.ic.DSERunTime.main(DSERunTime.java:3449)Caused by: com.businessobjects.bcm.exception.FIPSError: Cryptographic library is not FIPS-140-compliant.
    at com.businessobjects.bcm.internal.BcmRsaLib.CheckStartupErrors(BcmRsaLib.java:28)
    at com.businessobjects.bcm.internal.DHKeyAgreeImpl.<init>(DHKeyAgreeImpl.java:22)
    at com.businessobjects.bcm.BCM.createKeyAgreement(BCM.java:1080)
    at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:175)... 29 more

[boskamp]

Background

This results from a conflict between the Sybase JDBC driver on one hand and the SAP BusinessObjects SDK for Java on the other. Both components include different versions of the RSA cryptographic libraries for Java (cryptoj*.jar), which results in a conflict at runtime.

Depending on which order the JDBC driver JARs occur on the classpath relative to the order of the SAP BusinessObjects SDK for Java JARs, cryptograpy-related tasks of the SDK may cease to work, resulting in the above exception. A typical error message contained in the stack trace is:

Cryptographic library is not FIPS-140-compliant.

Solution

To solve this problem, you need to make sure that all the SDK JARs are listed before the JDBC driver JARs on the Java classpath defined by the SAP IDM dispatcher scripts.

• Stop the dispatchers
• Move JDBC JARs and SDK JARs into separate directories, e.g. "$DSE_HOME/jdbc-libs" and "$DSE_HOME/bobj-libs"
• In the dispatcher script(s) Service-Scripts/DispatcherService.sh edit variable MXDRIVERJAR. On Linux, you could use the following syntax:

  MXDRIVERJAR="${DSE_HOME}/bobj-libs/*:${DSE_HOME}/jdbc-libs/*"

• Restart the dispatchers

The critical point is that bobj-libs is listed first, and jdbc-libs only after that. The asterisk notation loads all JAR files in the given directory.

Alternatively, you could set the "Additional Driver JARs" property from dispatcherutil.sh gui, which will internally calculate MXDRIVERJAR for the dispatcher script. However, double-check that the value of MXDRIVERJAR is really what you expect after you have re-generated the scripts from dispatcherutil.sh.