- Installing JCE With an Unlimited Strength Jurisdiction Policy
- Unlimited java cryptography extensions
- Enabling JCE Unlimited
- Enabling JCE Unlimited Cryptography
- Installing JCE Unlimited for pre-8u151 JDK environments on RHEL-based systems
- Installing JCE Unlimited for pre-8u151 JDK environments on Debian-based systems
Installing JCE With an Unlimited Strength Jurisdiction Policy
In this article, I'd like to describe how to overcome the «org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters» or «java.security.InvalidKeyException: Illegal key size» error message when invoking secured services.
These errors usually occur when you invoke web services in a secured manner and your JVM is not provisioned for the Java unlimited security jurisdiction.
To provision the JVM for the Java unlimited security jurisdiction, install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files:
- Go to the Oracle Java SE download page.
- Scroll down. Under the «Additional Resources» section you will find «Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File.»
- Download the version that matches your installed JVM, for example, UnlimitedJCEPolicyJDK7.zip.
- Unzip the downloaded zip.
- Copy local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security (Note: these JARs are already there, so you have to overwrite them).
- Then restart your application to get rid of this exception.
Unlimited java cryptography extensions
Thank you for downloading the Unlimited Strength Java(TM) Cryptography Extension (JCE) Policy Files for the Java(TM) Platform, Standard Edition (Java SE) Runtime Environment 8.
Due to import control restrictions of some countries, the version of the JCE policy files that is bundled in the Java Runtime Environment, or JRE(TM), 8 environment allows «strong» but limited cryptography to be used. This download bundle (the one including this README file) provides «unlimited strength» policy files which contain no restrictions on cryptographic strengths.
Please note that this download file does NOT contain any encryption functionality as all such functionality is contained within Oracle’s JRE 8. This bundle assumes that the JRE 8 has already been installed.
This download bundle is part of the Java SE Platform products and is governed by same License and Terms notices. These notices can be found on the Java SE download site:
JCE for Java SE 8 has been through the U.S. export review process. The JCE framework, along with the various JCE providers that come standard with it (SunJCE, SunEC, SunPKCS11, SunMSCAPI, etc), is exportable.
The JCE architecture allows flexible cryptographic strength to be configured via jurisdiction policy files. Due to the import restrictions of some countries, the jurisdiction policy files distributed with the Java SE 8 software have built-in restrictions on available cryptographic strength. The jurisdiction policy files in this download bundle (the bundle including this README file) contain no restrictions on cryptographic strengths. This is appropriate for most countries. Framework vendors can create download bundles that include jurisdiction policy files that specify cryptographic restrictions appropriate for countries whose governments mandate restrictions. Users in those countries can download an appropriate bundle, and the JCE framework will enforce the specified restrictions.
You are advised to consult your export/import control counsel or attorney to determine the exact requirements.
The following documents may be of interest to you:
o The Java(TM) Cryptography Architecture (JCA) Reference Guide at:
The Java SE Security web site has more information about JCE,
plus additional information about the Java SE Security Model.
o Unix (Solaris/Linux/Mac OS X) and Windows use different pathname separators, so please use the appropriate one («\», «/») for your environment.
o (below) refers to the directory where the JRE was installed. It is determined based on whether you are running JCE on a JRE or a JRE contained within the Java Development Kit, or JDK(TM). The JDK contains the JRE, but at a different level in the file hierarchy. For example, if the JDK is installed in /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then is:
    /home/user1/jdk1.8.0/jre    [Unix]
    C:\jdk1.8.0\jre             [Windows]
If on the other hand the JRE is installed in /home/user1/jre1.8.0 on Unix or in C:\jre1.8.0 on Windows, and the JDK is not installed, then is:
    /home/user1/jre1.8.0    [Unix]
    C:\jre1.8.0             [Windows]
o On Windows, for each JDK installation, there may be additional JREs installed under the «Program Files» directory. Please make sure that you install the unlimited strength policy JAR files for all JREs that you plan to use.
Here are the installation instructions:
1) Download the unlimited strength JCE policy files.
2) Uncompress and extract the downloaded file.
This will create a subdirectory called jce.
This directory contains the following files:
    README.txt              This file
    local_policy.jar        Unlimited strength local policy file
    US_export_policy.jar    Unlimited strength US export policy file
3) Install the unlimited strength policy JAR files.
In case you later decide to revert to the original «strong» but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step.
The standard place for JCE jurisdiction policy JAR files is:
    /lib/security    [Unix]
    \lib\security    [Windows]
For miscellaneous questions about JCE usage and deployment, we encourage you to read:
o Information on the Java SE Security web site
o The Oracle Online Community Forums, specifically the Java
Cryptography forum. The forums allow you to tap into the
experience of other users, ask questions, or offer tips to others
on a variety of Java-related topics, including JCE. There is no
Enabling JCE Unlimited
To enable JCE Unlimited, use the crypto.policy Security property introduced in JDK 8u151.
DataStax recommends enabling Java Cryptography Extension (JCE) Unlimited to ensure support for all encryption algorithms, especially AES-256 for Kerberos and SSL when using Oracle Java.
Prior to JDK 1.8.0_151 (8u151), you had to download and install the JCE jurisdiction policy files separately. Those steps are unnecessary in 8u151 and later JDK releases. To enable JCE Unlimited use the crypto.policy Security property introduced in JDK 8u151, as noted in the New Features section of the Oracle JDK 1.8.0_151 Release Notes.
The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra.yaml
Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml
Enabling JCE Unlimited Cryptography
To enable JCE Unlimited Cryptography in environments with JDK 8u151 or later, set the following Security property in the java.security file:
When set in java.security, or when declared dynamically using the Security.setProperty() call before the JCE framework has been initialized, the unlimited setting is used by the JDK.
Note: Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.
Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
By default Kerberos uses the AES-256 cipher. DataStax recommends using AES-256 encryption. OpenJDK includes AES-256. However, Oracle Java does not include the AES-256 cipher due to export restrictions to certain countries. To use AES-256 with Oracle Java, install the JCE Unlimited Strength Jurisdiction Policy Files.
If your environment uses a JDK version prior to 8u151, which was released in October 2017, refer to the download and install steps in the following sections.
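To confirm which jurisdiction policy a JVM is actually enforcing, the following added example (not part of the Oracle or DataStax text; the class name JcePolicyCheck is made up for illustration) sets crypto.policy to unlimited, the value the section above refers to, and then tries to initialize a cipher with a 256-bit AES key. On a JDK older than 8u151 the property is ignored, so the result there reflects the installed policy JAR files.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class, not shipped with the JDK or DataStax.
public class JcePolicyCheck {
    public static void main(String[] args) throws Exception {
        // Has to happen before any javax.crypto class is initialized;
        // JDKs older than 8u151 do not consult this property at all.
        Security.setProperty("crypto.policy", "unlimited");

        // 128 under the limited policy, Integer.MAX_VALUE under unlimited.
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + maxAesBits);

        // Constructed all-zero 256-bit key, used only to exercise the policy check.
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            System.out.println("AES-256 init: OK, unlimited policy is active");
        } catch (InvalidKeyException e) {
            // Under the limited policy this is "Illegal key size or default parameters".
            System.out.println("AES-256 init failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the same java binary and user account as the service being configured; a reported maximum of 128 bits means the limited policy is still in force.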
Installing JCE Unlimited for pre-8u151 JDK environments on RHEL-based systems
If your RHEL-based systems must use a pre-8u151 JDK, install the JCE using the Oracle JAR:
- Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle Java SE download page under Additional Resources.
- Unzip the downloaded file.
- Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARs.
- Check permissions of the installed files so they are readable by all users.
Installing JCE Unlimited for pre-8u151 JDK environments on Debian-based systems
If your Debian-based systems must use a pre-8u151 JDK, add the PPA that provides the package, then install it:
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-unlimited-jce-policy