Installing the JCE for all encryption algorithms and AES-256 support

DataStax recommends installing the JCE Unlimited Strength Jurisdiction Policy Files to ensure support for all encryption algorithms, especially AES-256 for Kerberos when using Oracle Java.

Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files.

By default Kerberos uses the AES-256 cipher. DataStax recommends using AES-256 encryption. OpenJDK includes AES-256. However, Oracle Java does not include the AES-256 cipher due to export restrictions to certain countries. To use AES-256 with Oracle Java, install the JCE Unlimited Strength Jurisdiction Policy Files.

Install the JCE Unlimited Strength Jurisdiction Policy Files using one of the following methods:

Installing the JCE on RHEL-based systems

Install the EPEL repository:
sudo yum install epel-release

Installing the JCE on Debian-based systems

Install the JCE using the webupd8 PPA repository:

sudo apt-get install oracle-java8-unlimited-jce-policy

Installing the JCE using the Oracle JAR

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle Java SE download page.
  2. Unzip the downloaded file.
  3. Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory, overwriting the existing JARs.
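
Whichever method is used, the result can be checked from the JVM itself. The following is an added example, not part of the DataStax documentation: the class name JcePolicyCheck is hypothetical, and the cipher suite names to check are assumed to be passed as arguments, copied from server_encryption_options in your own cassandra.yaml.

```java
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

// Hypothetical helper: reports whether the running JVM has the unlimited policy in effect.
public class JcePolicyCheck {
    public static void main(String[] args) throws Exception {
        // Shows which Java installation is being tested.
        System.out.println("java.home: " + System.getProperty("java.home"));

        // Integer.MAX_VALUE means no key-length limit; the limited policy reports 128 for AES.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        // Confirm by initialising a cipher with a 256-bit key.
        // The all-zero key is a constructed test value and must never protect real data.
        boolean aes256Usable;
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            aes256Usable = true;
        } catch (InvalidKeyException e) {
            // Under the limited policy this is "Illegal key size".
            aes256Usable = false;
        }
        System.out.println("AES-256 usable: " + aes256Usable);

        // Check each cipher suite named on the command line against what JSSE supports.
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        boolean missing = false;
        for (String suite : args) {
            boolean ok = supported.contains(suite);
            System.out.println((ok ? "supported:   " : "UNSUPPORTED: ") + suite);
            missing |= !ok;
        }

        // Non-zero exit status lets a provisioning script fail fast.
        System.exit(aes256Usable && !missing ? 0 : 1);
    }
}
```

Compile and run it with the same Java installation that starts the database, since the policy files are installed per JRE. A result of 128 bits or an UNSUPPORTED line means the policy files were not picked up by that JVM.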