Java encoding/decoding error with KM200 binding although Java8 JCE is installed?

  • Platform information:
    • Hardware: Intel 64bit
    • OS: Debian in official openhab docker container: openhab/openhab
    • Java Runtime Environment: 1.8.0.144 (??? not sure)
    • openHAB version: 2.1
  • Issue of the topic: I successfully tested the KM200 binding with the wetware/openhab docker image that uses openJDK Java 1.8.0.45. As this image is not current and not maintained and has customized paths for the openhab directories, I want to switch to the official openhab/openhab docker image. But when I start this image and mount my config files to it, I receive an error in the log that indicates that I am missing the Java8 unlimited JCE Policy support as explained in this thread:

openHAB Community: KM200 Binding with Buderus Add-ons Bindings

2017-10-30 22:54:07.169 [INFO ] [.binding.km200.internal.KM200Binding] - Update KM200 Binding configuration, it takes a minute....
2017-10-30 22:54:07.178 [INFO ] [.binding.km200.internal.KM200Binding] - Starting communication test..
2017-10-30 22:54:07.446 [INFO ] [.binding.km200.internal.KM200Binding] - Received data..
2017-10-30 22:54:07.460 [ERROR] [hab.binding.km200.internal.KM200Comm] - Exception on encoding: {}
java.security.InvalidKeyException: Illegal key size or default parameters
	at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)[:1.8.0_144]
	at javax.crypto.Cipher.implInit(Cipher.java:801)[:1.8.0_144]
	at javax.crypto.Cipher.chooseProvider(Cipher.java:864)[:1.8.0_144]
	at javax.crypto.Cipher.init(Cipher.java:1249)[:1.8.0_144]
	at javax.crypto.Cipher.init(Cipher.java:1186)[:1.8.0_144]
	at org.openhab.binding.km200.internal.KM200Comm.decodeMessage(KM200Comm.java:260)[183:org.openhab.binding.km200:1.10.0]
	at org.openhab.binding.km200.internal.KM200Binding.updated(KM200Binding.java:161)[183:org.openhab.binding.km200:1.10.0]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updated(ManagedServiceTracker.java:189)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updateService(ManagedServiceTracker.java:152)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.provideConfiguration(ManagedServiceTracker.java:85)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.provide(ConfigurationManager.java:1461)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.run(ConfigurationManager.java:1417)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:141)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:109)[3:org.apache.felix.configadmin:1.8.12]
	at java.lang.Thread.run(Thread.java:748)[:1.8.0_144]
2017-10-30 22:54:07.466 [ERROR] [org.apache.felix.configadmin        ] - [org.osgi.service.cm.ManagedService, org.osgi.service.event.EventHandler, id=292, bundle=183/mvn:org.openhab.binding/org.openhab.binding.km200/1.10.0]: Unexpected problem updating configuration org.openhab.km200
java.lang.RuntimeException: Decoding of the KM200 message is not possible!
	at org.openhab.binding.km200.internal.KM200Binding.updated(KM200Binding.java:163)[183:org.openhab.binding.km200:1.10.0]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updated(ManagedServiceTracker.java:189)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updateService(ManagedServiceTracker.java:152)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.provideConfiguration(ManagedServiceTracker.java:85)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.provide(ConfigurationManager.java:1461)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.run(ConfigurationManager.java:1417)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:141)[3:org.apache.felix.configadmin:1.8.12]
	at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:109)[3:org.apache.felix.configadmin:1.8.12]
	at java.lang.Thread.run(Thread.java:748)[:1.8.0_144]

I did some research on the web and found that this error is most commonly related to the missing Java JCE extension. The solution is to download the package of the missing JCE jar files and copy them into the $JAVA_HOME/jre/lib/security folder. The two files are called local_policy.jar and US_export_policy.jar. I checked the files are available in my docker image:

root@openhab-openhab220:/usr/lib/java-8/jre/lib/security# ls -l   
total 236
-rw-rw-r-- 1 31450 31450   1273 Jul 26 14:24 blacklisted.certs
-rw-rw-r-- 1 31450 31450 186962 Jul 26 14:24 cacerts
-rw-rw-r-- 1 31450 31450   2466 Jul 26 14:24 java.policy
-rw-rw-r-- 1 31450 31450  34688 Jul 26 14:24 java.security
-rw-rw-r-- 1 31450 31450   1040 Jul 26 14:24 local_policy.jar
-rw-rw-r-- 1 31450 31450    620 Jul 26 14:24 US_export_policy.jar
root@openhab-openhab220:/usr/lib/java-8/jre/lib/security# 

Hence I am now lost what the solution of this problem can be if it is not the missing JCE?

Any support is appreciated how to debug this as this is a little tricky to solve in a docker environment

Thank you!
Justus

I found the solution on my own after a lot of trial and error …

The answer is “Don’t think - Do!” … Here is my solution path for Java8:
(I don’t think that there is still someone around with an older Java version, hence the solution is for Java8 only!!!)

  • Download the Java8 Cryptographic Extension files from Oracle:
    Oracle Java8 Cryptographic Extension Files

  • Then login to the running openhab container and tar the security directory located in my case under /usr/lib/java-8/jre/lib/. This might look different in your environment.

  • To find the path to the security folder you need to find out the location where Java is installed. Either check the $JAVA_HOME environment variable # echo $JAVA_HOME or find out where your java binary is located:

    • Find out where java is in your PATH: # which java … should be /usr/bin/java which is a link and not the binary!!!
    • There are several links until you reach the real binary. Hence follow the links:
      # ls -l /usr/bin/java … should be something like java -> /etc/alternatives/java
    • Continue this until you have found the real binary.
    • The path should be either /usr/lib/java-8/jre/bin/
      or something like /usr/lib/jvm/java-8-openjdk/bin/
    • Your JAVA_HOME is the detected path but without /bin/ at the end.
    • The security folder is then located in either /usr/lib/java-8/jre/lib/
      or in /usr/lib/jvm/java-8-openjdk/lib/
    • Now enter this path and tar the security folder with # tar -cvf security_folder.tar security
  • As I have the openhab conf directory mounted from the outside into the container for my personal configuration files, I could get the security_folder.tar file off the docker container by copying it to the conf directory.

  • Now being outside the openHAB docker container extract the security_folder.tar file at a location of your convenience.

  • Extract the downloaded JCE files and copy the two JAR files (local_policy.jar and US_export_policy.jar) into the new security folder. You may overwrite existing versions of these two files. Be sure that you use the ones you have downloaded !!!

  • Now you have the extracted security folder from the docker container and you have it patched with the downloaded JCE JAR files!

  • The next step is to create another external volume mount (most likely in addition to a volume mount for your personal conf directory) for mounting an external directory into the docker container.
    It depends on your docker environment how you accomplish that. As I am doing it on my Synology NAS I configure that in the Docker UI. If you have a docker start-up script you would want to add the following mount option to your " docker run " command:
    "-v /path_to_security_folder/security:/usr/lib/java-8/jre/lib/security"

  • With the last step you will “overmount” at the start of your docker container the java security folder in the container with your external customized security folder including the patched JCE JAR files. And the Java inside the container will use these files instead of the original ones that come with the container.

After this the error does not occur in my openhab.log anymore and I can receive and push data correctly from/to the KM200 gateway!!!

In case you experience this problem in a “normal” - Non-Docker - openHAB installation you just simply need to replace the existing two JAR files (local_policy.jar and US_export_policy.jar) in your local Java security folder with the ones from the downloaded JCE zip file. Better keep a copy of the old ones :wink: .

I hope I did not miss anything. Otherwise please contact me!

Cheers
Justus
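
A way to confirm which policy the container's JRE actually enforces, before and after swapping the JAR files. This is an added example, not part of the original post or of the KM200 binding; the class name JcePolicyCheck is hypothetical, and probing AES is an assumption, since the post does not say which cipher the binding uses.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.File;
import java.security.GeneralSecurityException;

// Added diagnostic (hypothetical class, not openHAB code): reports whether the
// JRE that runs it is restricted by the limited JCE jurisdiction policy files.
public class JcePolicyCheck {

    // Largest AES key size in bits that the active policy permits:
    // 128 under the limited policy, Integer.MAX_VALUE under the unlimited one.
    static int maxAesBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Repeats the call that fails in the stack trace: Cipher.init with a key of
    // the given size. Only init is exercised; nothing is encrypted.
    static boolean canInitAes(int keyBits) {
        try {
            byte[] key = new byte[keyBits / 8]; // constructed all-zero test key
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            System.out.println("  init failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // On a Java 8 runtime, java.home is the jre directory itself.
        String home = System.getProperty("java.home");
        File security = new File(home, "lib/security");
        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.home    : " + home);
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(security, jar);
            System.out.println(f + " : " + (f.isFile() ? f.length() + " bytes" : "not present"));
        }
        int max = maxAesBits();
        System.out.println("max AES bits : " + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        System.out.println("AES-128 init : " + canInitAes(128));
        System.out.println("AES-256 init : " + canInitAes(256));
    }
}
```

Compile it with a Java 8 JDK and run the class with the container's own java binary, so the output reflects the policy files that JRE loads rather than those of the host. From Java 8u151 the crypto.policy property in java.security selects the policy without replacing JAR files, and from 8u161 the unlimited policy is the default.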
