Enabling JCE Unlimited
DataStax recommends enabling Java Cryptography Extension (JCE) Unlimited to ensure support for all encryption algorithms, especially AES-256 for Kerberos and SSL when using Oracle Java.
Prior to JDK 1.8.0_151 (8u151), you had to download and install the JCE jurisdiction policy files separately. Those steps are unnecessary in 8u151 and later JDK releases.
To enable JCE Unlimited, use the crypto.policy Security property introduced in JDK 8u151, as noted in the New Features section of the Oracle JDK 1.8.0_151 Release Notes.
Enabling JCE Unlimited Cryptography
To enable JCE Unlimited Cryptography in environments with JDK 8u151 or later, set the following Security property in the
When set in java.security, or when declared dynamically using the Security.setProperty() call before the JCE framework has been initialized, the unlimited setting is used by the JDK.
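To confirm which policy a given JVM actually applies, the following added example (not DataStax or Oracle code; the class name JceCheck and the --set flag are hypothetical) optionally sets crypto.policy dynamically, reports the maximum allowed AES key length, and then performs a real AES-256 encryption:

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example: JceCheck is a hypothetical helper, not part of any DataStax or Oracle tooling.
public class JceCheck {

    /** Returns true when the running JVM allows AES keys of 256 bits or more. */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        // Integer.MAX_VALUE under the unlimited policy, 128 under the limited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        // The dynamic override must run before any JCE class (Cipher, KeyGenerator, ...)
        // is used; once the framework has initialized, the property is no longer read.
        if (args.length > 0 && args[0].equals("--set")) {
            Security.setProperty("crypto.policy", "unlimited");
        }

        System.out.println("java.version  = " + System.getProperty("java.version"));
        // Prints null when the line in java.security is absent or commented out.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES bits  = " + Cipher.getMaxAllowedKeyLength("AES"));

        if (!aes256Allowed()) {
            System.err.println("AES-256 unavailable: limited policy in effect");
            System.exit(1);
        }

        // End-to-end proof: Cipher.init() with a 256-bit key throws
        // InvalidKeyException ("Illegal key size") under the limited policy.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = cipher.doFinal("constructed sample".getBytes("UTF-8"));
        System.out.println("AES-256-GCM encrypt ok, " + ct.length + " bytes");
    }
}
```

Run it with the same JDK that starts the database process; a non-zero exit status means that JVM is still restricted to the limited policy.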
Starting in JDK
The location of the cassandra.yaml file depends on the type of installation:
Some of the cipher suites in the default set of cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
By default Kerberos uses the
DataStax recommends using
However, Oracle Java does not include the AES-256 cipher due to export restrictions to certain countries.
AES-256 with Oracle Java, install the JCE Unlimited Strength Jurisdiction Policy Files.
If your environment uses a JDK version prior to 8u151, which was released in October 2017, refer to the download and install steps in the following sections.
Installing JCE Unlimited for pre-8u151 JDK Environments on RHEL-Based Systems
If your JDK on RHEL-based systems must use a pre-8u151 JDK:
Install the JCE using the Oracle JAR:
Download the Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle Java SE download page under Additional Resources.
Unzip the downloaded file.
$JAVA_HOME/jre/lib/security directory to overwrite the existing JARs.
Check permissions of installed files so that they are readable by all users.
Installing JCE Unlimited for pre-8u151 JDK Environments on Debian-Based Systems
If your JDK on Debian-based systems must use a pre-8u151 JDK, then install JCE using webupd8 PPA repository:
sudo apt-get install oracle-java8-unlimited-jce-policy
If the repository is not available in your environment, add it and then install.
Steps to remove