This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.
LinkedIn
Copied!

Table of Contents

Troubleshooting: "Unable to use SHA1PRNG algorithm" when saviing DB Name (WebSphere 5.1)

Symptom

When you're adding a Data-Admin-DB-Name instance to a Process Commander system which runs on WebSphere 5.1, an error occurs upon validation (during save): 

Unable to use SHA1PRNG algorithm for SecureRandom. 

 

 

Solution

Explanation

V4.2 provides the optional ability to store passwords for the databases that it accesses in a separate encrypted file rather than in cleartext within the pegarules.xml file. This file is known as the PegaRULES keyring file, and its encryption is based on the industry-standard SHA1PRNG secure random number generator.

Different versions of WebSphere use different versions of the Java Virtual Machine (JVM):

  • WebSphere 5.02 uses JVM 1.3.1
  • WebSphere 5.1 uses JVM 1.4.1
  • WebSphere 5.1.1 uses JVM 1.4.2

There is a problem with the JVM implemented in WebSphere 5.1:

  • In JVM 1.3.1, IBM included the Sun cryptography implementation of SHA1PRNG. 
  • In JVM 1.4.1, IBM dropped the Sun cryptography implementation, and IBM’s replacement cryptography implementation did not provide the SHA1PRNG secure random number generator.
  • In JVM 1.4.2, IBM added support for the SHA1PRNG algorithm.

Because JVM 1.4.1 does not support the SHA1PRNG algorithm, PegaRULES’ keyring encryption setup will not work with WebSphere 5.1. 

Resolution

The easiest solution is to upgrade to WebSphere 5.1.1.  This is the most up-to-date patch level for WebSphere 5, and is recommended by Pegasystems and IBM.  This version uses JVM 1.4.2, which workswith the PegaRULES’ keyring file.

If a your organization wants to use WebSphere 5.1, obtain the Sun cryptographic implementation and add it to their list of cryptographic providers.

NOTE: Pegasystems recommends that when you use the encrypted keyring, that all of the application servers that use that encrypted file also use a JVM from the same vendor.  In other words, if you have six servers, they all should use either the Sun JVM or an IBM JVM.  Having some of the servers use Sun and others use IBM causes problems, as the two SHA1PRNG implementations aren’t fully compatible, and a password generated by one may not be readable by the other.

Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.