Skip to Content
Author's profile photo Former Member

B2B Adapters – Updating to JCE Unlimited Strength Jurisdiction Policy

The default JCE policy files supplied by SAP JVM contains only limited strength. So it will not support if the keys are generated with the size more than 128 bits. But the newly shipped components like PGP, OFTP and AS2 requires key sizes which are greater than 128
bits for better security. Especially PGP modules will not support keys with the size less than 1024 bits. So in order to support the same, the default limited JCE policies should be overridden with the unlimited strength. The following steps will be describes the steps to be followed in detail.

Step 1:

SAP ships only limited strength files. You have to download the unlimited stregnth files from the Java provider (Sun/Oracle). These policies depend on the JVM versions. So download the corresponding policy files based on the JVM version(7.11 uses JVM 5, 7.30 &
7.31 uses JVM 6)

01 url.png

02. download.png

You can download the files after accepting the license agreement.

Step 2:

Extract the following files from downloaded zip file.

03. jce files.png

Step 3:


Login to the Application Server and replace the above mentioned files in the following locations.

  1. <root>\usr\sap\<SID>\J<XX>\exe\sapjvm_6\jre\lib\security 
  2. <root>\usr\sap\<SID>\J<XX>\j2ee\JSPM\sapjvm\jre\lib\security
  3. <root>\usr\sap\<SID>\SYS\exe\jvm\NTAMD64\sapjvm_<Version>.<Patch>\sapjvm_<Version>\jre\lib\security

<SID> – System ID

J<XX> – Java Only Instance. If it is Dual Stack, it will D<XX> or DVEBMGS<XX>

<Version> – JVM Version. It could 5 or 6

<Patch> – JVM Patch

Example :


04. path 01.PNG


05. path 02.PNG


06. path 03.PNG


The above mentioned paths are from PI 7.31 which installed on windows OS. If multiple JVM patch is installed (like 6.1.030, 6.1.031 etc…), the files from all the patch (or) recent patch should be replaced. For other operating systems, the relevant paths can be substituted.

Step 4:

Just restart the engine for the JVM to be updated with the new policies.

In the upcoming posts, I will be writing about the possible issues might occur if JCE unlimited strength is not installed.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Dear Shiva,

            This is a great blog. And highlights the most important step in installing the SAP PI B2B addon product.


      Another insight we received lately that application of kernel patch to the J2EE engine wipes out the earlier applied unrestricted policy.


      Therefore an automated script that can apply the policy by a double click is of great use.

      It should contain all the variables , like the <root> , <sys_id> and so on...

      and also take a variable that contains the root of the downloaded policy files from oracle.

      once  the variables are maintained, a double click can apply the policy files.


      A restart of the Engine is required , though.

      Author's profile photo Vishnu Prasad K
      Vishnu Prasad K

      Hi Siva,


      This blog is very detailed and there is no way the user can miss any location.





      Author's profile photo Dimitri Sannen
      Dimitri Sannen

      Great blog!


      I had to do this to get my signed MDN message back to the initial sender, using the AS2 protocol.


      Kind regards,


      Author's profile photo Dario Jiang
      Dario Jiang

      Hi Siva,


      Thanks for sharing.


      and do you think the following error message is one possible issue you mentioned at the end of you blog?


      PGP Encryption Module: Could not extract private key (org.bouncycastle.openpgp.PGPException: Exception decrypting key)



      Author's profile photo Vishnu Prasad K
      Vishnu Prasad K

      Hi Dario Jiang,


      Yes, that particular error occurs when the JCE policy is not updated. You can refer this note no 1915999 to check if the JCE policy is updated or not.




      Author's profile photo Dario Jiang
      Dario Jiang


      Author's profile photo Former Member
      Former Member

      Dear Sivasubramaniam Arunachalam,


      Thanks for this blog.We recently resolved an inbound issue by this action.

      Author's profile photo Former Member
      Former Member

      Dear Siva,


        This is a great blog, i needed this for the OFTP Adapter to work.


        Really appreciate the pictorial inputs in the blog.


        Kind Regards,



      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh

      Hi all,


      I just did this.. Restarted the server but still the following is the result


      I have SAP PO 7.4 SP08 installed. And PIB2BPGP04_2-20009372 installed


      Author's profile photo Former Member
      Former Member

      Hi Vikas,


      My scenario is to drag the file from NFS of ECC and drop the file to Intermediate server after encrypting it with Bank public key , from intermediate server the Bank configures schedulers and pick up the files to Bank server. PI needs to encrypt file using AES128 algorithm. When I launch the URL http://<host>:<port>/BC//VerifyJCE even I face same screen as above. Do I need to update the JAR files as above?




      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh

      Hi Nithin,


      It is resolved for me. Just follow the above blogs. I missed to update the JCE files at one location. You must do it carefully at all the locations.


      If you have cluster installation with 2 nodes then do it for both the nodes.




      Author's profile photo Former Member
      Former Member

      Hi Vikas,


      Thanks for your reply.



      Author's profile photo Naveen Kumar Potla
      Naveen Kumar Potla

      Hello All,




      As per that we did all steps  and placed the files in below location and restarted system

      Refere -SAP NOTE:

      1810884 - How to find correct JDK or JVM directory to copy JCE Unlimited Strength Jurisdiction policy files


      but didnt help , getting the same issue .

      SAP NOTE:1240081 - Java Cryptography Extension (JCE) Jurisdiction Policy Files

      In SAP JVM shipments with higher versions than 6.1.105, 7.1.053, 8.1.034 and all SAP JVM >= 9, there exists a directory <JDK dir>/jre/lib/security/policy. In there you'll find 2 subdirectories named "limited" and "unlimited".                                                                                                                            By setting property "crypto.policy" in file <JDK dir>/jre/lib/security/ to the name of either of these subdirectories, you will activate the policy set contained in that directory.                   E.g. you can just uncomment the entry "crypto.policy=unlimited" to activate the unlimited policy.







      Naveen Potla