AES-256 support

DataStax recommends installing the JCE Unlimited Strength Jurisdiction Policy Files when using Oracle Java.

Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files.

By default Kerberos uses the AES-256 cipher. DataStax recommends using AES-256 encryption. OpenJDK includes AES-256. However, Oracle Java does not include the AES-256 cypher due to export restrictions to certain countries. To use AES-245 with Oracle Java, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy using one of the following methods:

Installing the JCE on RHEL-based systems

Install the EPEL repository:
$ sudo yum install epel-release

Installing the JCE on Debian-based systems

Install JCE using webupd8 PPA repository:

$ sudo apt-get install oracle-java8-unlimited-jce-policy

Installing the JCE using the Oracle JAR

  1. Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle Java SE download page.
  2. Unzip the downloaded file.
  3. Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARS.