Enable JCE Unlimited

DataStax recommends enabling Java Cryptography Extension (JCE) Unlimited to ensure support for all encryption algorithms.

cassandra.yaml has a default set of cipher suites for server_encryption_options. Some of the cipher suites in the default set are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

Verify that JCE Unlimited is enabled

Starting in JDK 8u161, JCE Unlimited is enabled by default.

If your environment has JDK 8u151 or later, and you previously disabled JCE Unlimited Cryptography, reenable it by setting the crypto.policy Security property to unlimited.

  • Set crypto.policy in java.security

    Set the following property in the java.security file:

    crypto.policy=unlimited

  • Set crypto.policy at runtime

    Declare crypto.policy=unlimited dynamically using the Security.setProperty() call before the JCE framework has been initialized.
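The following added example (not DataStax code) sets crypto.policy at runtime, confirms that the JVM reports no AES key-length limit, and lists any configured cipher suites the JVM does not support. The class name JcePolicyCheck and the sample cipher suite list are assumptions; substitute the suites from server_encryption_options in your cassandra.yaml.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Hypothetical helper class for this example.
public class JcePolicyCheck {
    // Constructed sample list; replace with the cipher_suites set in cassandra.yaml.
    static final List<String> CONFIGURED_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // Integer.MAX_VALUE means no policy limit; the limited policy caps AES at 128 bits.
    static boolean isUnlimited() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    // Returns the configured suites that this JVM does not list as supported.
    // A suite can be absent because of the policy limit or other JVM restrictions.
    static List<String> unsupported(List<String> configured) throws NoSuchAlgorithmException {
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> missing = new ArrayList<>();
        for (String suite : configured) {
            if (!supported.contains(suite)) missing.add(suite);
        }
        return missing;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Must run before any JCE class is used: the policy is read once at initialization.
        // The property is honored on JDK 8u151 and later only.
        Security.setProperty("crypto.policy", "unlimited");

        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("JCE Unlimited enabled: " + isUnlimited());
        for (String suite : unsupported(CONFIGURED_SUITES)) {
            System.out.println("Not supported by this JVM: " + suite);
        }
    }
}
```

Compile and run it with the same JDK that runs the database. To test the java.security setting instead of the runtime call, remove the Security.setProperty() line.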

Use AES-256 with Kerberos

By default Kerberos uses the AES-256 cipher, and DataStax recommends using AES-256 encryption.

  • JDK versions 8u161 and later: OpenJDK and Oracle Java version 8u161 and later include support for AES-256 by default. If you are running JDK 8u161 or later, no additional configuration is required as long as JCE Unlimited is enabled.

  • JDK versions earlier than 8u161: If your environment uses an Oracle JDK version earlier than 8u161, you must install the JCE Unlimited Strength Jurisdiction Policy Files to use the AES-256 cipher with Kerberos. For instructions, see Install JCE Unlimited for pre-8u151 JDK environments.

Install JCE Unlimited for pre-8u151 JDK environments

If your environment uses a JDK version earlier than 8u151 (October 2017), you must download and install JCE Unlimited.

  • RHEL-based systems

    Install the JCE using the Oracle JAR:

      1. Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

      2. Unzip the downloaded file.

      3. Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARs.

      4. Check the permissions of the installed files to verify that they are readable by all users.

  • Debian-based systems

    Install JCE using the webupd8 PPA repository:

    sudo apt-get install oracle-java8-unlimited-jce-policy

    If the repository is not available in your environment, add it, and then rerun the install command:

    sudo add-apt-repository ppa:webupd8team/java
