When executing Java code on the Domino server to connect to an SSL/TLS site, you may encounter errors such as:
javax.net.ssl.SSLKeyException: RSA premaster secret error java.security.InvalidKeyException: Illegal key size or default parameters
The problem is that the IBM Domino server (at least up to 9.0.1 FP3) ships with the default, restricted Java JCE policies, which prevent SSL/TLS connections to sites using certificates with RSA keys larger than 2048 bits.
The solution is simple:
- Download the two unrestricted JCE policy files "local_policy.jar" and "US_export_policy.jar" from https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=jcesdk&lang=en_US
- Replace the original files in /Path-To-Domino-Executable/jvm/lib/security with the downloaded files
- Activate the new policies by restarting the HTTP task's JVM from the Domino console:
Tell HTTP Quit
Load HTTP
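To confirm which policy the Domino JVM is actually using before and after swapping the files, the following check (an added example, not part of the original post) asks the JCE framework for its key-size ceiling. It assumes it is compiled and run with the Domino JVM under /Path-To-Domino-Executable/jvm (or as a Java agent), since that is the JVM whose lib/security files were replaced; the optional URL argument is a hypothetical target of your own.

```java
import javax.crypto.Cipher;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import java.net.URL;
import java.security.NoSuchAlgorithmException;

public class JcePolicyCheck {

    /** True if the installed JCE policy imposes no key-size ceiling for the algorithm. */
    static boolean isUnrestricted(String algorithm) throws NoSuchAlgorithmException {
        // Restricted policy: a finite limit (the default export policy lists 2048 for RSA
        // and 128 for AES). Unlimited policy files: Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        // Print which JVM is being checked; it must be Domino's own jvm directory.
        System.out.println("java.home = " + System.getProperty("java.home"));

        for (String alg : new String[] {"RSA", "AES"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.printf("%-4s max key length: %s%n", alg,
                    max == Integer.MAX_VALUE ? "unlimited" : max + " bits (restricted policy)");
        }

        if (!isUnrestricted("RSA")) {
            System.out.println("Restricted JCE policy active: TLS handshakes with RSA keys above "
                    + "the limit will fail with 'Illegal key size or default parameters'.");
        }

        // Optional: attempt the TLS handshake against a URL given on the command line
        // (assumed argument, e.g. https://example.invalid/) and report the outcome.
        if (args.length > 0) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
            conn.setRequestMethod("HEAD");
            try {
                conn.connect();
                System.out.println("TLS handshake OK, HTTP status " + conn.getResponseCode());
            } catch (SSLException e) {
                System.out.println("TLS handshake failed: " + e);
            } finally {
                conn.disconnect();
            }
        }
    }
}
```

Run it once before replacing the jar files and once after restarting HTTP; the RSA line should change from "2048 bits (restricted policy)" to "unlimited".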