12

In java platform documentation http://www.oracle.com/technetwork/java/javase/jrereadme-182762.html. Regarding the comment about

/lib/security/local_policy.jar /lib/security/US_export_policy.jar

Unlimited Strength Java Cryptography Extension

Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the Java SE Development Kit and the Java SE Runtime Environment allow strong but limited cryptography to be used.

An unlimited strength version of these files indicating no restrictions on cryptographic strengths is available on the JDK web site for those living in eligible countries. Those living in eligible countries may download the unlimited strength version and replace the strong cryptography jar files with the unlimited strength files. Questions

  1. Does every JDK bundle comes with local_policy.jar and US_export_policy.jar ?
  2. What is the limitation in default local_policy.jar and US_export_policy.jar. Is it the key size ?
  3. If I need to use 128 bit keys does it required to go for Unlimited Strength Java Cryptography
    Extension
  4. Is there a way I can keep these two jars in external path and load it. Because I have more 50 servers rather than coping in each JDK I would prefer to maintain it in a central place.
John Peterson
  • 135
  • 1
  • 2
  • 6

1 Answers1

17

Does every JDK bundle comes with local_policy.jar and US_export_policy.jar ?

yup. JCE has been integrated into the Java 2 SDK since the 1.4 release.

What is the limitation in default local_policy.jar and US_export_policy.jar. Is it the key size ?

Yes it is the key size. I thing more than 128 bit is not allowed. You can check the maximum size of the algorithm using int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");

If I need to use 128 bit keys does it required to go for Unlimited Strength Java Cryptography Extension

For 128 bit key encryption I dont think you need Unlimited Strength Java Cryptography Extension jars. Default ones should work just fine.

Is there a way I can keep these two jars in external path and load it. Because I have more 50 servers rather than coping in each JDK I would prefer to maintain it in a central place.

As mentioned above this scenario should not occur if you are using 128 bit key for encryption but if you are using more lengthy key (Eg 256) you will need to get unlimited strength jars and replace them in $JAVA_HOME/jre/lib/security. As it is in the JDK/JRE itself you cannot make it centralized not in case of distributed servers. You will need to replace it on each of your servers.

Refer oracles reference guide.

Also if you don't want to do this you can refer to following thread for alternatives -

How to avoid installing “Unlimited Strength” JCE policy files when deploying an application?

Reflection is user in the thread as a work around. Though I would not recommend it you can take a look at it.

I have summarized everything in a post. You can refer that too -

How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files

Community
  • 1
  • 1
Aniket Thakur
  • 66,731
  • 38
  • 279
  • 289