B2B Adapters – Updating to JCE Unlimited Strength Jurisdiction Policy

The default JCE policy files supplied with the SAP JVM provide only limited-strength cryptography, so keys larger than 128 bits are not supported. However, newly shipped components such as PGP, OFTP and AS2 require key sizes greater than 128 bits for better security. In particular, the PGP modules do not support keys smaller than 1024 bits. To support these components, the default limited JCE policy files must be replaced with the unlimited strength ones. The following steps describe the procedure in detail.

Step 1:

SAP ships only limited strength files. You have to download the unlimited strength files from the Java provider (Sun/Oracle). The policy files depend on the JVM version, so download the files that match your JVM version (7.11 uses JVM 5; 7.30 and 7.31 use JVM 6).

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html

You can download the files after accepting the license agreement.

Step 2:

Extract the following files from the downloaded zip file.

[Screenshot: JCE files]

Step 3:

 

Log in to the application server and replace the above-mentioned files in the following locations.

  1. <root>\usr\sap\<SID>\J<XX>\exe\sapjvm_6\jre\lib\security 
  2. <root>\usr\sap\<SID>\J<XX>\j2ee\JSPM\sapjvm\jre\lib\security
  3. <root>\usr\sap\<SID>\SYS\exe\jvm\NTAMD64\sapjvm_<Version>.<Patch>\sapjvm_<Version>\jre\lib\security

<SID> – System ID

J<XX> – Java-only instance. If it is a dual stack, it will be D<XX> or DVEBMGS<XX>

<Version> – JVM version. It could be 5 or 6

<Patch> – JVM Patch

Example:

D:\usr\sap\B2B\J00\exe\sapjvm_6\jre\lib\security

D:\usr\sap\B2B\J00\j2ee\JSPM\sapjvm\jre\lib\security

D:\usr\sap\B2B\SYS\exe\jvm\NTAMD64\sapjvm_6.1.031\sapjvm_6\jre\lib\security


The above-mentioned paths are from PI 7.31 installed on Windows. If multiple JVM patches are installed (such as 6.1.030, 6.1.031, etc.), the files in all patch directories, or in the most recent one, should be replaced. For other operating systems, substitute the relevant paths.

Step 4:

Restart the engine so that the JVM is updated with the new policies.

In upcoming posts, I will be writing about the possible issues that might occur if JCE unlimited strength is not installed.
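The replacement in Step 3, written as an added Python example (not part of the original post or of any SAP tooling): it finds every SAP JVM jre/lib/security directory under a given root, reports which ones hold policy jars that differ from the downloaded unlimited set, and on request backs them up and replaces them. The jar names local_policy.jar and US_export_policy.jar are those used in Oracle's JCE policy archive and are an assumption here, since the post shows them only in a screenshot; the function names and the --apply switch are illustrative.

```python
import hashlib
import shutil
import sys
from pathlib import Path

# Jar names from Oracle's JCE policy archive (assumed; the post shows them only in a screenshot).
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_security_dirs(sap_root):
    """Return every SAP JVM .../jre/lib/security directory below sap_root."""
    return sorted(
        d for d in Path(sap_root).rglob("security")
        if d.is_dir() and d.parent.name == "lib" and d.parent.parent.name == "jre"
        and any(part.startswith("sapjvm") for part in d.parts)
    )


def audit(sap_root, unlimited_dir):
    """Map each security directory to the jars that differ from the unlimited set."""
    want = {n: sha256(Path(unlimited_dir) / n) for n in POLICY_JARS}
    return {
        sec: [n for n in POLICY_JARS
              if not (sec / n).is_file() or sha256(sec / n) != want[n]]
        for sec in find_security_dirs(sap_root)
    }


def apply_policy(sap_root, unlimited_dir):
    """Back up and replace stale jars; return the directories that changed."""
    changed = []
    for sec, stale in audit(sap_root, unlimited_dir).items():
        for name in stale:
            target = sec / name
            if target.is_file():  # keep the limited jar so the change can be undone
                shutil.copy2(target, target.with_name(name + ".limited.bak"))
            shutil.copy2(Path(unlimited_dir) / name, target)
        if stale:
            changed.append(sec)
    return changed


if __name__ == "__main__":
    root, policy_dir = sys.argv[1], sys.argv[2]  # SAP root and the unzipped download
    for sec, stale in audit(root, policy_dir).items():
        print(sec, "STALE: " + ", ".join(stale) if stale else "ok")
    if "--apply" in sys.argv[3:]:
        print("replaced in:", *apply_policy(root, policy_dir), sep="\n  ")
```

Run without --apply to audit only; after replacing files, restart the engine as in Step 4.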

13 Comments
  • Dear Shiva,

    This is a great blog, and it highlights the most important step in installing the SAP PI B2B addon product.

    Another insight we received lately is that application of a kernel patch to the J2EE engine wipes out the earlier applied unrestricted policy.

    Therefore an automated script that can apply the policy by a double click is of great use.

    It should contain all the variables, like the <root>, <sys_id> and so on,

    and also take a variable that contains the root of the downloaded policy files from Oracle.

    Once the variables are maintained, a double click can apply the policy files.

    A restart of the engine is required, though.

  • Hi Siva,

    Thanks for sharing.

    And do you think the following error message is one possible issue you mentioned at the end of your blog?

    PGP Encryption Module: Could not extract private key (org.bouncycastle.openpgp.PGPException: Exception decrypting key)

    Regards.

  • Dear Siva,

    This is a great blog; I needed this for the OFTP Adapter to work.

    Really appreciate the pictorial inputs in the blog.

    Kind Regards,

    Bakau

    • Hi Vikas,

      My scenario is to drag the file from the NFS of ECC and drop the file to the intermediate server after encrypting it with the bank's public key; from the intermediate server, the bank configures schedulers and picks up the files to the bank server. PI needs to encrypt the file using the AES128 algorithm. When I launch the URL http://<host>:<port>/BC//VerifyJCE, I also face the same screen as above. Do I need to update the JAR files as above?

      Thanks,

      Nithin.

  • Hello All,

    Greetings!

    As per that, we did all the steps, placed the files in the locations below and restarted the system.

    Refer to SAP Note:

    1810884 – How to find correct JDK or JVM directory to copy JCE Unlimited Strength Jurisdiction policy files

    /sapmnt/SID/exe/jvm/linuxx86_64/sapjvm_8.1.045/sapjvm_8/jre/lib/security
    /usr/sap/SID/J02/exe/sapjvm_8/jre/lib/security

    But it didn't help; we are getting the same issue.

    SAP Note: 1240081 – Java Cryptography Extension (JCE) Jurisdiction Policy Files

    In SAP JVM shipments with higher versions than 6.1.105, 7.1.053, 8.1.034 and all SAP JVM >= 9, there exists a directory <JDK dir>/jre/lib/security/policy. In there you’ll find 2 subdirectories named “limited” and “unlimited”. By setting property “crypto.policy” in file <JDK dir>/jre/lib/security/java.security to the name of either of these subdirectories, you will activate the policy set contained in that directory. E.g. you can just uncomment the entry “crypto.policy=unlimited” to activate the unlimited policy.

    Thanks,

    Naveen Potla