Applies To
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.3 P1 or later
JAVA Version: Java 8 Update 151 or later
Java 8 Update 151 was released by Java / Oracle (www.java.com) on October 17th, 2017.
One of the new features in this release is that the JCE Jurisdiction Policy Files that allow Unlimited Strength are now included with the installation. There are a few methods to implement them. To learn more about this, see: https://www.java.com/en/download/faq/release_changes.xml.
This is an excerpt from the release notes:
This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically by using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored.
Resolution
The recommended method to implement the JCE Unlimited Strength Jurisdiction Policy Security Files is given below:
1. Install Java 8 Update 151 (x64) or later.
2. Navigate to the lib\security subfolder of the installation folder (for example, C:\Program Files\Java\jre1.8.0_151\lib\security).
3. Open the java.security file with a text editor.
4. Locate this section of the file:
5. To uncomment the entry, remove the leading # character from the crypto.policy=unlimited line.
6. Restart the Java application that is leveraging this Java installation.
Note: With Update 151 and later, no manual step is required to enforce Unlimited Strength Cryptography. By default, Java applies the following order of operations (as listed in the comments of the java.security file):
1. If the crypto.policy parameter is uncommented and defined as limited or unlimited, Java will use the appropriate security rules defined in the .jar files associated with the matching definition (lib\security\policy\limited or lib\security\policy\unlimited).
2. If the crypto.policy parameter is commented out (not defined) and the US_export_policy.jar and local_policy.jar files are located in the lib\security folder, Java will use the rules defined in these .jar files.
3. If the crypto.policy parameter is commented out (not defined) and the US_export_policy.jar and local_policy.jar files are not found in the lib\security folder, Java defaults to treating the crypto.policy parameter as unlimited (see the first item above).
As the comments in the java.security file discuss, the legacy method of copying the US_export_policy.jar and local_policy.jar files into the lib\security folder is still supported.
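To confirm which policy a given Java installation ends up with, the following added example (not RSA or Oracle code) applies the order of operations listed above to the files in lib\security and then asks the running JVM for its actual AES key-length limit. The class name CryptoPolicyCheck and its method names are assumptions made for this example; Cipher.getMaxAllowedKeyLength() is the standard JCE call, which returns Integer.MAX_VALUE when unlimited strength is in effect.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import javax.crypto.Cipher;

// Added example: class and method names are illustrative, not from RSA or Oracle.
public class CryptoPolicyCheck {

    // Applies the order of operations listed in this article to the files on disk.
    static String expectedPolicy(Path securityDir) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(securityDir.resolve("java.security"))) {
            props.load(in); // '#' lines are comments, so a commented-out entry is simply absent
        }
        String value = props.getProperty("crypto.policy");
        if (value != null) {
            value = value.trim();
            // Case 1: explicit setting, backed by lib\security\policy\<value>
            Path policyDir = securityDir.resolve("policy").resolve(value);
            return value + (Files.isDirectory(policyDir) ? "" : " (missing " + policyDir + ")");
        }
        // Case 2: property undefined, legacy jars copied into lib\security
        boolean legacy = Files.exists(securityDir.resolve("US_export_policy.jar"))
                && Files.exists(securityDir.resolve("local_policy.jar"));
        // Case 3: property undefined and no legacy jars
        return legacy ? "legacy jars in lib\\security" : "unlimited (default)";
    }

    // Asks the running JVM what it actually enforces for AES.
    static boolean runtimeUnlimited() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        // Defaults to the JRE running this check; pass another lib\security path to inspect it.
        Path securityDir = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security");
        System.out.println("Security dir : " + securityDir);
        System.out.println("Expected     : " + expectedPolicy(securityDir));
        System.out.println("AES max bits : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Unlimited    : " + runtimeUnlimited());
    }
}
```

Run it with the same Java installation the application uses. If the runtime result disagrees with the expected line, trust the runtime value, since the property can also be set dynamically with Security.setProperty() as the release notes describe.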
As the Release Notes and the comments in the java.security file discuss, the latest .jar files for Unlimited Strength support are located in this subfolder path: