
The default JCE policy files supplied with the SAP JVM are limited-strength only, so keys larger than 128 bits are not supported. However, newly shipped components such as PGP, OFTP and AS2 require key sizes greater than 128 bits for better security; the PGP modules in particular will not support keys smaller than 1024 bits. To support these components, the default limited-strength JCE policy files must be replaced with the unlimited-strength ones. The following steps describe the procedure in detail.

Step 1:

SAP ships only the limited-strength files. You have to download the unlimited-strength files from the Java provider (Sun/Oracle). The policy files depend on the JVM version, so download the ones that correspond to your JVM version (7.11 uses JVM 5; 7.30 and 7.31 use JVM 6).

 

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html


You can download the files after accepting the license agreement.

Step 2:

Extract the following files from the downloaded zip file.

[Screenshot: JCE files]

Step 3:

 

Log in to the application server and replace the above-mentioned files in the following locations.

  1. <root>\usr\sap\<SID>\J<XX>\exe\sapjvm_6\jre\lib\security 
  2. <root>\usr\sap\<SID>\J<XX>\j2ee\JSPM\sapjvm\jre\lib\security
  3. <root>\usr\sap\<SID>\SYS\exe\jvm\NTAMD64\sapjvm_<Version>.<Patch>\sapjvm_<Version>\jre\lib\security

<SID> – System ID

J<XX> – Java-only instance. If it is a dual stack, it will be D<XX> or DVEBMGS<XX>

<Version> – JVM version. It could be 5 or 6

<Patch> – JVM Patch

Example:

D:\usr\sap\B2B\J00\exe\sapjvm_6\jre\lib\security


D:\usr\sap\B2B\J00\j2ee\JSPM\sapjvm\jre\lib\security


D:\usr\sap\B2B\SYS\exe\jvm\NTAMD64\sapjvm_6.1.031\sapjvm_6\jre\lib\security


 

The above-mentioned paths are from PI 7.31 installed on Windows. If multiple JVM patches are installed (such as 6.1.030, 6.1.031, etc.), the files in all the patch directories, or in the most recent patch, should be replaced. For other operating systems, substitute the relevant paths.

Step 4:

Just restart the engine for the JVM to be updated with the new policies.

In upcoming posts, I will be writing about the possible issues that might occur if JCE unlimited strength is not installed.
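
To confirm that Step 3 reached every location, including any additional JVM patch directories, the following added example (not part of the original post) hashes the policy JARs in each jre/lib/security directory under <root>/usr/sap/<SID> and compares them with the extracted download. The file names local_policy.jar and US_export_policy.jar are the standard names in Oracle's JCE policy archive and are an assumption here, since the post shows them only in a screenshot; the script and function names are illustrative.

```python
import hashlib
import sys
from pathlib import Path

# Standard file names in Oracle's JCE policy download. Assumption: the post
# shows the files only in a screenshot, so the names are not from the page.
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_security_dirs(sap_root, sid):
    """Every jre/lib/security directory below <root>/usr/sap/<SID>.

    Searching instead of hard-coding the three paths also catches additional
    JVM patch directories (sapjvm_6.1.030, sapjvm_6.1.031, ...).
    """
    base = Path(sap_root) / "usr" / "sap" / sid
    return sorted(p for p in base.rglob("security")
                  if p.is_dir() and p.parts[-3:-1] == ("jre", "lib"))


def audit(sap_root, sid, unlimited_dir):
    """Map each security directory to {jar name: 'ok' | 'differs' | 'missing'}."""
    expected = {n: sha256(Path(unlimited_dir) / n) for n in POLICY_JARS}
    report = {}
    for sec in find_security_dirs(sap_root, sid):
        report[str(sec)] = {
            n: "missing" if not (sec / n).is_file()
            else "ok" if sha256(sec / n) == expected[n] else "differs"
            for n in POLICY_JARS
        }
    return report


def stale_locations(report):
    """Directories where at least one policy JAR is not the unlimited one."""
    return sorted(d for d, jars in report.items() if set(jars.values()) != {"ok"})


if __name__ == "__main__":
    # Usage: python check_jce.py <root> <SID> <dir with extracted Oracle JARs>
    result = audit(*sys.argv[1:4])
    for directory, jars in result.items():
        print(directory, jars)
    sys.exit(1 if stale_locations(result) else 0)
```

An exit code of 1 means at least one location still holds files that differ from the downloaded ones, so the replacement in Step 3 should be repeated there before the restart in Step 4.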


12 Comments


  1. Bhagyesh Hede

    Dear Shiva,

    This is a great blog, and it highlights the most important step in installing the SAP PI B2B add-on product.

     

    Another insight we received lately is that application of a kernel patch to the J2EE engine wipes out the earlier applied unrestricted policy.

     

    Therefore an automated script that can apply the policy by a double click is of great use.

    It should contain all the variables, like the <root>, <sys_id> and so on…

    and also take a variable that contains the root of the downloaded policy files from Oracle.

    Once the variables are maintained, a double click can apply the policy files.

     

    A restart of the engine is required, though.

    (0) 
    1. Dimitri Sannen

      Great blog!

       

      I had to do this to get my signed MDN message back to the initial sender, using the AS2 protocol.

       

      Kind regards,

      Dimitri

      (0) 
  2. Dario Jiang

    Hi Siva,

     

    Thanks for sharing.

     

    And do you think the following error message is one possible issue you mentioned at the end of your blog?

     

    PGP Encryption Module: Could not extract private key (org.bouncycastle.openpgp.PGPException: Exception decrypting key)

     

    Regards.

    (0) 
  3. BAKAU ONAFUWA

    Dear Siva,

     

      This is a great blog, I needed this for the OFTP Adapter to work.

     

      Really appreciate the pictorial inputs in the blog.

     

      Kind Regards,

     

    Bakau

    (0) 
    1. Nithin M

      Hi Vikas,

       

      My scenario is to drag the file from NFS of ECC and drop the file to the intermediate server after encrypting it with the bank's public key. From the intermediate server, the bank configures schedulers and picks up the files to the bank server. PI needs to encrypt the file using the AES128 algorithm. When I launch the URL http://<host>:<port>/BC//VerifyJCE, I face the same screen as above. Do I need to update the JAR files as above?

       

      Thanks,

      Nithin.

      (0) 
      1. Vikas Kumar Singh

        Hi Nithin,

         

        It is resolved for me. Just follow the above blogs. I missed updating the JCE files at one location. You must do it carefully at all the locations.

         

        If you have a cluster installation with 2 nodes, then do it for both nodes.

         

        Regards,

        Vikas

        (0) 
