JTAPIProperties.setSecurityPropertyForInstance - corrupted keystores

Ladislava Frckova — Tue, 21 Feb 2023 12:15:16 GMT

Hi,
I am trying to update our app for CUCM 14.0.1.12900-161 (SU2). We are not FIPS compliant, so according to developers guide only change in libraries on classpath is needed: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/jtapi_dev/14_0_1/cucm_b_cisco-unified-jtapi-developers-guide-14/cucm_b_cisco-unified-jtapi-developers-guide-1251_chapter_010.html#CUCM_TP_F254F96C_00

Currently I use bc-fips, bcpkix-fips and bctls-fips instead of previous bcprov-jdk15on and bcpkix-jdk15on. I get some warnings, but I am able to download 3 files: CTLFile.tlv.sgn, JtapiServerKeyStore-* and JtapiClientKeyStore-*-*. The keystores seems corrupted.

The keystores has different type then before, it is BCFIPS now. When I try to list the certificates using BouncyCastleFipsProvider. I get:

java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.

I use keytool for listing certificates:

keytool -list -v -keystore /path/to/certs/JtapiClientKeyStore-callrec-sec-callrecsec -storetype bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/libs/bc-fips-1.0.2.3.jar -providername BCFIPS

I am not sure, if the warnings during certificates download are relevant. But here they are:

Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty INFO: Found string security property [jdk.tls.disabledAlgorithms]: SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create WARNING: Ignoring unsupported entry in 'jdk.tls.disabledAlgorithms': include jdk.disabled.namedCurves Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.PropertyUtils getStringSecurityProperty INFO: Found string security property [jdk.certpath.disabledAlgorithms]: MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, include jdk.disabled.namedCurves Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create WARNING: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': SHA1 jdkCA & usage TLSServer Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints create WARNING: Ignoring unsupported entry in 'jdk.certpath.disabledAlgorithms': include jdk.disabled.namedCurves Feb 21, 2023 1:10:56 PM org.bouncycastle.jsse.provider.PropertyUtils getBooleanSecurityProperty INFO: Found boolean security property [keystore.type.compat]: true numberof certs=1certLength=937

Re: JTAPIProperties.setSecurityPropertyForInstance - corrupted keystor

Ladislava Frckova — Tue, 21 Feb 2023 16:05:53 GMT

Does anybody have similar problem? Or does anyone have any suggestion, how to solve this?

topic Re: JTAPIProperties.setSecurityPropertyForInstance - corrupted keystor in Call Control

JTAPIProperties.setSecurityPropertyForInstance - corrupted keystores

Re: JTAPIProperties.setSecurityPropertyForInstance - corrupted keystor