000036988 - How to update Java JCE Security Files with Java 8 update 151 or later in RSA Adaptive Authentication (on Premise)

Document created by RSA Customer Support Employee on Dec 5, 2018

Article Content

Article Number: 000036988

Applies To
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.3 P1 or later
JAVA Version: Java 8 Update 151 or later
Java 8 Update 151 was released by Java / Oracle (www.java.com) on October 17th, 2017.

One of the new features in this release is that the JCE Jurisdiction Policy Files that allow Unlimited Strength cryptography are now included with the installation. There are a few methods to implement them. To learn more about this, see: https://www.java.com/en/download/faq/release_changes.xml.

This is an excerpt from the release notes:
This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically by using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored.
Resolution

The recommended method to implement the JCE Unlimited Strength Jurisdiction Policy Security Files is given below:
Install Java 8 Update 151 (x64) or later.
Navigate to the lib\security subfolder of the installation folder (for example, C:\Program Files\Java\jre1.8.0_151\lib\security).
Open the java.security file with a text editor.
Locate this section of the file:

# The policy files are jar files organized into subdirectories of
# <java-home>/lib/security/policy.  Each directory contains a complete
# set of policy files.
# The "crypto.policy" Security property controls the directory selection,
# and thus the effective cryptographic policy.
# The default set of directories is:
#     limited | unlimited
# however other directories can be created and configured.
# To support older JDK Update releases, the crypto.policy property
# is not defined by default. When the property is not defined, an
# update release binary aware of the new property will use the following
# logic to decide what crypto policy files get used :
# * If the US_export_policy.jar and local_policy.jar files are located
# in the (legacy) <java-home>/lib/security directory, then the rules
# embedded in those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
# * If crypto.policy is not defined and no such jar files are present in
# the legacy locations, then the JDK will use the limited settings
# (equivalent to crypto.policy=limited)
# Please see the JCA documentation for additional information on these
# files and formats.

Uncomment the crypto.policy=unlimited entry that follows these comments by removing the leading # character from that line.
Restart the Java application that is leveraging this Java installation.
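
To confirm that the change took effect, the following added example (not part of the original article or of any RSA tooling) reports what the running JRE actually enforces and exits non-zero if AES-256 is unavailable. The class name CryptoPolicyCheck is hypothetical, and the lib\security path assumes the Java 8 directory layout described above.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports which JCE policy this JRE enforces.
public class CryptoPolicyCheck {

    // True when an AES-256 cipher can actually be initialised under the active policy.
    static boolean aes256Usable() {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // Constructed all-zero key and IV: test values only, never real key material.
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"),
                   new IvParameterSpec(new byte[16]));
            return true;
        } catch (GeneralSecurityException e) {
            return false; // the limited policy rejects the key ("Illegal key size")
        }
    }

    public static void main(String[] args) throws Exception {
        // Java 8 layout assumed: <java-home>/lib/security
        File secDir = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security");

        // Null when the crypto.policy line in java.security is still commented out.
        String policy = Security.getProperty("crypto.policy");
        boolean legacyJars = new File(secDir, "US_export_policy.jar").isFile()
                && new File(secDir, "local_policy.jar").isFile();
        // Integer.MAX_VALUE means no key-length limit; the limited policy caps AES at 128.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean ok = maxAes >= 256 && aes256Usable();

        System.out.println("java.version    : " + System.getProperty("java.version"));
        System.out.println("security folder : " + secDir);
        System.out.println("crypto.policy   : " + (policy == null ? "(not defined)" : policy));
        System.out.println("legacy jars     : " + (legacyJars ? "present" : "absent"));
        System.out.println("max AES key bits: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));
        System.out.println("AES-256 usable  : " + ok);

        // Non-zero exit lets a deployment script fail when the change did not take effect.
        if (!ok) System.exit(1);
    }
}
```

Run it with the same Java installation the application uses, because every JRE on the machine has its own java.security file.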

Note: With Update 151 and later, no manual step is required to enforce Unlimited Strength Cryptography. By default, Java applies the following order of operations (as listed in the internal notes of the java.security file):
1. If the crypto.policy parameter is uncommented and defined as limited or unlimited, Java will use the security rules defined in the .jar files associated with the matching definition (lib\security\policy\limited or lib\security\policy\unlimited).
2. If the crypto.policy parameter is commented out (not defined) and the US_export_policy.jar and local_policy.jar files are located in the lib\security folder, Java will use the rules defined in these .jar files.
3. If the crypto.policy parameter is commented out (not defined) and the US_export_policy.jar and local_policy.jar files are not found in the lib\security folder, Java will default to assuming the crypto.policy parameter is defined as unlimited (see the first order of operation above).

As the comments in the java.security file discuss, the legacy method of copying the US_export_policy.jar and local_policy.jar files into the lib\security folder is still supported.
As the Release Notes and the comments in the java.security file discuss, the latest .jar files for Unlimited Strength support are located in this subfolder path:

C:\Program Files\Java\jre1.8.0_151\lib\security\policy\unlimited