Installing JCE

Install the JCE Unlimited Strength Jurisdiction Policy Files to ensure support for all encryption algorithms, especially AES-256 for Kerberos and SSL when using Oracle Java.

DataStax recommends installing the JCE Unlimited Strength Jurisdiction Policy Files to ensure support for all encryption algorithms, especially AES-256 for Kerberos and SSL when using Oracle Java. The files must be installed on every node in the DataStax Enterprise cluster.
Note: Starting in JDK 8u161, the JCE is enabled by default. See the Release Note for JDK-8170157

Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. To ensure support for all encryption algorithms, install the JCE Unlimited Strength Jurisdiction Policy Files.

By default Kerberos uses the AES-256 cipher. DataStax recommends using AES-256 encryption. OpenJDK includes AES-256. However, Oracle Java does not include the AES-256 cipher due to export restrictions to certain countries. To use AES-254 with Oracle Java, install the JCE Unlimited Strength Jurisdiction Policy Files.

Install the JCE Unlimited Strength Jurisdiction Policy using one of the following methods:

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations installation_location/resources/cassandra/conf/cassandra.yaml

Installing the JCE on RHEL-based systems

  1. Install the JCE using the Oracle JAR:
    1. Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle Java SE download page under Additional Resources.
    2. Unzip the downloaded file.
    3. Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARS.
    4. Check permissions of installed files so they are readable by all users.

Installing the JCE on Debian-based systems

Install JCE using webupd8 PPA repository:

sudo apt-get install oracle-java8-unlimited-jce-policy
Note: If the repository is not available in your environment, add it and then install. For example:
sudo add-apt-repository ppa:webupd8team/java