
The joy of JCE policy files

One of the things that kills time and nerves on a regular schedule is errors in encryption/decryption due to restricted JCE policy files, mostly because the error messages you get do not clearly state why something does not work. (Messages can range from “Unsupported keysize” to NullPointers, depending on the application.)

Because this seems to be a Java problem that only occurs when strong encryption is used, it is quite uncommon, and admins and users can’t tell whether the system they’re running has been supplied with unrestricted encryption policy files, nor how they can check.

If you care to know what those files are: Java ships with JCE policy files that come with the JVM. Those standard files allow the use of cryptography only up to a small encryption key size. If you are legally allowed, you can go to the JVM vendor's site and get the unlimited strength jurisdiction policy files that allow the use of unlimited-size keys. For the SAP VM and the Sun 1.5 VM, they are at the bottom of the Sun download page.

SAP has added some additional fun by shipping half-restricted files in some 7.1 releases.

Checking the supported keysizes

If one encounters any issues that have a slight chance of being caused by encryption errors, my procedure is to first switch to unrestricted policy files. To check which strength of encryption is supported on the box, I use a policy check tool that tries a simple Blowfish encryption with varying key sizes and displays the results via the URL http(s)://server:port/jce. Assuming you trust strangers from the internet, you may download and deploy my checker. If all the entries down to 16 Kilobit size are green, you’re fine and can search for the error elsewhere.
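
A minimal command-line version of such a check, as an added example that is not the checker linked above: it asks the JVM for its maximum allowed key length and then tries a Blowfish encryption at several key sizes. The class name JcePolicyCheck and the list of probed sizes are assumptions; run it with the same JRE the application server uses, since the policy files belong to the individual JRE installation.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; added example, not the checker from this post.
public class JcePolicyCheck {

    // Key sizes in bits to probe (assumed list); 448 bits is the largest
    // key the Blowfish algorithm itself accepts.
    private static final int[] KEY_BITS = {64, 128, 192, 256, 448};

    // Returns null on success, or a description of the exception on failure.
    static String probe(String algorithm, int bits) {
        byte[] raw = new byte[bits / 8];
        new SecureRandom().nextBytes(raw);
        try {
            // The jurisdiction policy is enforced in init(): with restricted
            // files an oversized key is rejected with an InvalidKeyException.
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, algorithm));
            cipher.doFinal(new byte[8]); // throwaway plaintext, probe only
            return null;
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Show which JRE is being tested, since each one has its own policy files.
        System.out.println("JRE: " + System.getProperty("java.home"));
        for (String alg : new String[] {"Blowfish", "AES"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.println(alg + " max allowed key length: "
                    + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        }
        for (int bits : KEY_BITS) {
            String error = probe("Blowfish", bits);
            System.out.println("Blowfish " + bits + " bit: "
                    + (error == null ? "OK" : "FAILED (" + error + ")"));
        }
    }
}
```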


Installing policy files

To install the policy files on a Sun VM, the two jars from the Sun download site need to be placed in the JVM's/JRE's /lib/security folder. After a fast reboot of the Java instance the new files are used. Note that the SAP JVM gets copied to multiple places at startup, so you’ll find multiple locations for the SAPVM folder. If you are not sure which one to use, it’s a sure shot to copy the files to all VM folders and delete the original ones. When keeping backups of the original files, make sure they are not placed in the original directory.
