JceSecurityManager is configured to use the restricted strength crypto

Issue

The instance is facing performance issues and in the slow-requests it can be observed the following thread

Username: user1
Referer: http://localhost:8080/job/JOB1/configure
...
URL: http://localhost:8080/job/JOB1/descriptorByName/org.jfrog.hudson.maven3.ArtifactoryMaven3Configurator/fillCredentialsIdItems
Locale: en_US
...
"Handling POST /job/JOB1/descriptorByName/org.jfrog.hudson.generic.ArtifactoryGenericConfigurator/fillCredentialsIdItems from 10.249.50.45 : RequestHandlerThread[#1465]" Id=2360516 RUNNABLE
	at java.lang.SecurityManager.getClassContext(Native Method)
	at javax.crypto.JceSecurityManager.getCryptoPermission(JceSecurityManager.java:102)
	at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2587)
	at javax.crypto.Cipher.initCryptoPermission(Cipher.java:700)
	at javax.crypto.Cipher.chooseProvider(Cipher.java:863)
	at javax.crypto.Cipher.init(Cipher.java:1396)
	at javax.crypto.Cipher.init(Cipher.java:1327)
	at jenkins.security.CryptoConfidentialKey.encrypt(CryptoConfidentialKey.java:81)
	...

Environment

Resolution

The cause of this issue could be that the instance is configured to use the restricted strength (export) crypto via the JceSecurityManager, so the lookup seems to take a long time. Using the unlimited strength crypto policy set, it won’t perform this (slow) check so it should solve the issue.

Unlimited strength crypto was set as the default in Java 8u161, so, if your Java version is lower than this one, updating to this version or later should also fix the issue.

If you already has Java 8u161 or higher installed, a way to know if you have set unlimited or restricted strength is executing this line in the script console located in Manage Jenkins -> Script Console:

javax.crypto.Cipher.getMaxAllowedKeyLength("AES") >= 256

If it returns false, it means that restricted strength is set. Unless you want to set the restricted strength on purpose for any reason, we recommend changing it to unlimited. You can do this by adding “crypto.policy=unlimited” in jre/lib/security/java.security.

In case the script returns true, please, open a ticket to Service Support so one of our support engineers can review the slow request.

Have more questions?

0 Comments

Please sign in to leave a comment.