IBM webMethods Hybrid Integration


 Not able to call pub.security:encrypt or pub.security:decrypt successfully for PGP encryption

Mei Yeoh posted Tue November 11, 2025 10:31 AM

Is anyone able to call pub.security:encrypt or pub.security:decrypt successfully for PGP encryption?

I am using webMethods 10.15, with the latest set of fixes as of 11/07/2025, and I'm running into different errors, such as: 

java.lang.reflect.InvocationTargetException: org/bouncycastle/openpgp/operator/bc/BcPublicKeyKeyEncryptionMethodGenerator
 
Full value: java.lang.ClassNotFoundException: org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator
at com.wm.app.b2b.server.ServerClassLoader.findClass(ServerClassLoader.java:818)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
2025-11-05 17:17:21 EST [ISS.0095.0042I] (tid=1904) The ERRSTACKTRACE field in a WMERROR audit record was truncated. CONTEXTID: 3ce6e20d-b626-41dc-8a8f-d44ad32912cb. MSGID: f177214d-f2e2-c8c4-6ef9-72a3be9cf057. Full value: java.security.NoSuchProviderException: No such provider: BC
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:639)
at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createCipher(NamedJcaJceHelper.java:47)
at org.bouncycastle.openpgp.operator.jcajce.OperatorHelper.createCipher(Unknown Source)
at org.bouncycastle.openpgp.operator.jcajce.OperatorHelper.createStreamCipher(Unknown Source)
at org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder$MyPGPDataEncryptor.<init>(Unknown Source)
at org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder.build(Unknown Source)
at org.bouncycastle.openpgp.PGPEncryptedDataGenerator.open(Unknown Source)
at org.bouncycastle.openpgp.PGPEncryptedDataGenerator.open(Unknown Source)
at pub.security.PGPCryptography.encrypt(PGPCryptography.java:105)
at pub.securityimpl.encrypt(securityimpl.java:323)
Is there a proper set of BC and webM libraries and versions, plus any configuration, e.g. java.security, that would get these two services to work?
I have tried both in FIPS and non FIPS mode as well.
Thank you! 
Mei See.
Selim Calik

webMethods 10.15 includes Bouncy Castle libraries, but they are either incomplete, outdated, or not properly exposed to the classloader that the pub.security services use. The provided errors indicate missing classes and an unregistered security provider.

Solution

Follow these steps in order. A full Integration Server restart is required after completing the steps.

Step 1: Add the Correct Bouncy Castle JARs

You must manually add the correct versions of the Bouncy Castle JARs to the server's library path.

  1. Download the Bouncy Castle "JDK 15+" JARs from the official repository: https://www.bouncycastle.org/latest_releases.html

  2. You will need these three JAR files:

    • bcpg-jdk15on-1.68.jar

    • bcprov-jdk15on-1.68.jar

    • bcpkix-jdk15on-1.68.jar

    Version 1.68 is recommended for webMethods 10.15. Newer versions may introduce compatibility issues.

  3. Copy these JAR files into your Integration Server's lib/jars directory (e.g., SoftwareAG/IntegrationServer/instances/default/lib/jars).

  4. Ensure there are no duplicate or older versions of these JARs in any other classpath location, such as your package's code/jars folder, as this will cause conflicts.

Step 2: Configure the Java Security Policy

The BC security provider must be explicitly registered in the Java security policy file.

  1. Locate the java.security file for your Integration Server instance. It is typically found in: SoftwareAG/IntegrationServer/instances/default/config/java.security

  2. Open the file in a text editor.

  3. Find the list of security providers, which starts with security.provider.1=....

  4. Add the Bouncy Castle provider to the list. You will need to renumber the subsequent providers. The goal is to have a line like this (usually added around position 3):

    security.provider.1=com.softwareag.psec.provider.SagProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.4=com.sun.crypto.provider.SunJCE
    security.provider.5=sun.security.rsa.SunRsaSign
    # ... and so on

    If the SagProvider is already in position 1, leave it there and add the BC provider after it.

Step 3: Ensure Non-FIPS Mode for Initial Testing

While you have tried both modes, the NoSuchProviderException: BC is a strong indicator of a FIPS-mode conflict. The standard BC JARs are not FIPS-compliant. For initial testing and to confirm the solution, ensure the server is running in non-FIPS mode.

  1. Check the server's startup parameters in the server.cnf file or your startup script.

  2. Ensure the following JVM argument is either not present or is set to false:

    -Dcom.softwareag.jce.fips=false

  3. If you must run in FIPS mode, you will need to obtain and configure the special FIPS-certified Bouncy Castle libraries, which is a more complex process and likely requires assistance from SoftwareAG support.

Step 4: Restart and Test the Service

  1. Perform a full shutdown and then a cold start of the Integration Server. This is critical for the new JARs and security configuration to be loaded.

  2. Once the server is fully started, test the pub.security:encrypt service directly from the webMethods Admin UI (Service -> Execute Service).

  3. Use a simple test case:

    • encryptionKey: Path to a valid PGP public key file (e.g., pubKey.asc).

    • inputData: A simple string like "Hello, World!".

    • armorEncoding: true

    • withIntegrityCheck: true

Expected Result

If the configuration is correct, the service will execute without throwing an exception. The outputData pipeline variable will contain a valid PGP-encrypted block, starting with:

-----BEGIN PGP MESSAGE-----

If the Problem Persists

If you continue to see the same errors after these steps, the issue is almost certainly a classloader conflict or a residual configuration problem.

  1. Double-check for JAR conflicts. Search your entire installed directory for any other versions of bcprov-*.jar, bcpg-*.jar, or bcpkix-*.jar and remove them, keeping only the 1.68 versions in the lib/jars directory.

  2. Contact Support. Provide them with the exact errors and the steps you have already taken. There may be a specific patch or known issue (e.g., a bug report like WM-XXXXX) for your exact fix level of webMethods 10.15 that requires a patch from them.
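An added check for Step 2 and for the JAR search under "If the Problem Persists" (not part of the post above and not webMethods tooling): the JVM reads security.provider.N starting at 1 and stops at the first missing number, and a repeated key keeps only its last value, so a hand-edited list can lose the BC entry without any error. The function names lint_providers and bc_jar_conflicts are hypothetical, and the demo file content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample content are constructed.

# lint_providers FILE: check the security.provider.N list in a java.security file.
# The JVM reads N = 1, 2, 3, ... and stops at the first missing number, and a
# repeated key keeps only its last value, so bad renumbering drops providers silently.
lint_providers() {
    awk '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t\r]+|[ \t\r]+$/, "", val)
            n = substr(key, 19) + 0            # text after "security.provider."
            if (n in seen) { printf "DUPLICATE %d: %s replaces %s\n", n, val, seen[n]; bad = 1 }
            seen[n] = val
            if (n > max) max = n
        }
        END {
            for (i = 1; i <= max; i++) {
                if (!(i in seen)) { if (!gap) gap = i; continue }
                if (gap) { printf "UNREACHABLE %d: %s (numbering stops at %d)\n", i, seen[i], gap; bad = 1 }
                else if (seen[i] ~ /BouncyCastleProvider$/) bc = i
            }
            if (bc) printf "BC registered at position %d\n", bc
            else { print "MISSING: no reachable BouncyCastleProvider entry"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# bc_jar_conflicts ROOT: report bcprov/bcpg/bcpkix artifacts present more than once.
bc_jar_conflicts() {
    find "$1" -type f \( -name 'bcprov-*.jar' -o -name 'bcpg-*.jar' -o -name 'bcpkix-*.jar' \) |
    sort | awk -F/ '
        { art = $NF; sub(/-.*/, "", art); n[art]++; paths[art] = paths[art] "\n  " $0 }
        END { for (a in n) if (n[a] > 1) { printf "CONFLICT %s:%s\n", a, paths[a]; bad = 1 }
              exit (bad ? 1 : 0) }'
}

# Demo on a constructed file: BC inserted at position 3 without renumbering.
demo=$(mktemp)
printf '%s\n' 'security.provider.1=com.softwareag.psec.provider.SagProvider' \
    'security.provider.2=sun.security.provider.Sun' \
    'security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider' \
    'security.provider.3=com.sun.crypto.provider.SunJCE' > "$demo"
lint_providers "$demo" || true
rm -f "$demo"
```

Both functions return non-zero when they find a problem, so they can gate a deployment script; point lint_providers at the instance's java.security and bc_jar_conflicts at the installation root.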

Jaideep Pegu

Hi, can you please share the FIX details from the IS About Page? Ideally the user should not do anything with jars in both FIPS/NON-FIPS mode, everything should work. IS takes care of bringing all the relevant jars based on (watt.security.fips.mode=true/false). Thanks.

Jaideep Pegu

java.security.NoSuchProviderException: No such provider: BC >>  Can you also please check the IS About Page and see if BC is listed in the "Security Providers" section.

Mei Yeoh

Thank you @Selim Calik for your detailed response and for confirming the specific version of BouncyCastle jars/pairs that are needed. I will try it out and verify if it works. The goal is to make use of FIPS-related ciphers, and once I have it at least working in a non-FIPS environment, to see what it will take to work with FIPS. I will post the solution here if I do find it.

@Jaideep Pegu I have tried in both FIPS and non-FIPS mode (watt.security.fips.mode=true/false). After setting fips mode to true, BCFIPS 1.000205 is the 17th security provider in the list in the About page. I have IS_10.15_Core_Fix22 and IS_10.15_SPM_Fix2 installed. Thank you for your response as well.