Starting the MCI Workbench Service produces output that appears to be healthy:
> service dm-mettleci-workbench start
Starting MettleCI Workbench ...
MettleCI Workbench: Java Executable location /bin/java
MettleCI Workbench: Java Vendor is Red
MettleCI Workbench: Java Version is 1.8
MettleCI Workbench has been started
But immediately checking the status of MCI Workbench shows that it failed to start:
> service dm-mettleci-workbench status
/opt/dm/mci/METTLE_UI.pid dead but pidfile exists
and the following exception appears in the mci.log:

java.lang.RuntimeException: Failed to initialize DATASTAGE_ASB authentication method, please verify configuration or change authentication method to DATASTAGE_COMPATIBILITY
    at com.datamigrators.mettle.modules.datastage.DatastageAsbModule.providerAsbServiceFactory(DatastageAsbModule.java:54)
    <...snip...>
Caused by: java.lang.SecurityException: The IBMJCE provider may have been tampered.
    at com.ibm.crypto.provider.PBEWithMD5AndTripleDESCipher.<init>(Unknown Source)
    <...snip...>
Both the DataStage Engine and MettleCI Workbench rely on a set of cryptographically signed Java libraries known as IBMJCE. Up until version 11.7.1.4 SP1, the IBMJCE libraries packaged with DataStage were signed using the SHA-1 algorithm, which is considered cryptographically weak by today's standards.

Java OpenJDK version 1.8u362 introduced a change which disables SHA-1 signed Java libraries. When MettleCI Workbench is running on OpenJDK 1.8u362 or later and attempts to load a SHA-1 signed version of the IBMJCE libraries, the Java security settings block the loading of many required classes, and the IBMJCE library incorrectly reports that "The IBMJCE provider may have been tampered".
Please verify that MettleCI Workbench is version 1.0-1636 or earlier and is running on Java OpenJDK version 1.8u362 or later.
Log into the DataStage Engine where MettleCI Workbench has been installed, run the following command and verify that the output confirms that the jar has been signed with a weak algorithm that is now disabled:

> jarsigner -verify -certs /opt/IBM/InformationServer/jdk/jre/lib/ext/ibmjceprovider.jar

The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled. Re-run jarsigner with the -verbose option for more details.

This command assumes Java OpenJDK 1.8 is on the path and Information Server has been installed in /opt/IBM/InformationServer.
MettleCI Workbench version 1.0-1637+ detects IBMJCE library and OpenJDK security incompatibilities and will automatically adjust its runtime security settings as needed.
If you are unable to upgrade MettleCI Workbench to version 1.0-1637 or later, apply the following manual workaround:
1. Log into the DataStage Engine where MettleCI Workbench is installed.
2. Open <OpenJDK Install Directory>/jre/lib/security/java.security for editing.
3. Find the jdk.certpath.disabledAlgorithms property and remove the SHA1 usage SignedJAR & denyAfter 2019-01-01 entry (including any trailing , character).
4. Find the jdk.jar.disabledAlgorithms property and remove the SHA1 denyAfter 2019-01-01 entry (including any trailing , character).
5. Save and restart MettleCI Workbench.
NOTE: As an example, the following java.security file:
<...SNIP...>
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    SHA1 usage SignedJAR & denyAfter 2019-01-01, \
    include jdk.disabled.namedCurves
<...SNIP...>
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \
    include jdk.disabled.namedCurves
<...SNIP...>
Should be modified to look like this:
<...SNIP...>
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves
<...SNIP...>
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, \
    include jdk.disabled.namedCurves
<...SNIP...>
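The same edit as a script, added here as an illustration and not part of MettleCI or the original article: it parses a java.security file honouring backslash continuation lines, drops exactly the two entries named in the steps above from their comma-separated lists, and rebuilds the separators so no trailing comma or backslash is left behind. The file excerpt it runs on is a constructed sample, not a real system's file.

```python
# Constructed excerpt of an OpenJDK 8u362 java.security (sample only, not the page's system).
SAMPLE = """\
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \\
    SHA1 usage SignedJAR & denyAfter 2019-01-01, \\
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
      DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \\
      include jdk.disabled.namedCurves
"""

# Exactly the two entries the manual workaround removes, keyed by property name.
ENTRIES_TO_DROP = {
    "jdk.certpath.disabledAlgorithms": "SHA1 usage SignedJAR & denyAfter 2019-01-01",
    "jdk.jar.disabledAlgorithms": "SHA1 denyAfter 2019-01-01",
}

def logical_lines(text):
    """Yield (first_idx, last_idx, joined) per logical line, merging physical
    lines that end in a backslash continuation (Java properties syntax)."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        start, buf = i, []
        while i < len(lines) and lines[i].rstrip().endswith("\\"):
            buf.append(lines[i].rstrip()[:-1].strip())
            i += 1
        if i < len(lines):
            buf.append(lines[i].strip())
        yield start, i, " ".join(buf)
        i += 1

def remove_disabled_entries(text, to_drop=ENTRIES_TO_DROP):
    """Return (new_text, changed_keys): drop only the named entry from each
    property's comma list and rebuild separators so no trailing ', \\' remains."""
    lines, out, changed = text.splitlines(), [], []
    for start, end, joined in logical_lines(text):
        key, _, value = joined.partition("=")
        key = key.strip()
        if joined.startswith("#") or key not in to_drop:
            out.extend(lines[start:end + 1])  # comments/other properties pass through
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        kept = [e for e in entries if e != to_drop[key]]
        if len(kept) != len(entries):
            changed.append(key)
        out.append(f"{key}=" + ", \\\n    ".join(kept))
    return "\n".join(out) + "\n", changed
```

Running it a second time over its own output reports no changes, which is a quick way to confirm the file already carries the workaround.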