Enabling JCE Unlimited

To enable JCE Unlimited, use the crypto.policy Security property introduced in JDK 8u151.

DataStax recommends enabling Java Cryptography Extension (JCE) Unlimited to ensure support for all encryption algorithms, especially AES-256 for Kerberos and SSL when using Oracle Java.

Prior to JDK 1.8.0_151 (8u151), you had to download and install the JCE jurisdiction policy files separately. Those steps are unnecessary in 8u151 and later JDK releases. To enable JCE Unlimited, use the crypto.policy Security property introduced in JDK 8u151, as noted in the New Features section of the Oracle JDK 1.8.0_151 Release Notes.

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra.yaml
Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml

Enabling JCE Unlimited Cryptography

To enable JCE Unlimited Cryptography in environments with JDK 8u151 or later, set the following Security property in the java.security file:
crypto.policy=unlimited

When set in java.security, or when declared dynamically using the Security.setProperty() call before the JCE framework has been initialized, the unlimited setting is used by the JDK.

Note: Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.

Some of the cipher suites in the default set of server_encryption_options in cassandra.yaml are included only in the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

By default Kerberos uses the AES-256 cipher. DataStax recommends using AES-256 encryption. OpenJDK includes AES-256. However, Oracle Java does not include the AES-256 cipher due to export restrictions to certain countries. To use AES-256 with Oracle Java, install the JCE Unlimited Strength Jurisdiction Policy Files.
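
A pre-flight check for the setting described above, as an added example that is not DataStax or Oracle code: it reports the effective crypto.policy value and confirms that the JVM actually permits AES-256 and reports AES_256 TLS cipher suites. The class name JcePolicyCheck and the --set-unlimited flag are assumptions made for this example.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

// Added example: verify that this JVM allows AES-256 before relying on it.
public class JcePolicyCheck {
    public static void main(String[] args) throws Exception {
        // "--set-unlimited" is a hypothetical flag for this example. The property must
        // be set before any javax.crypto class initializes the JCE framework.
        if (args.length > 0 && args[0].equals("--set-unlimited")) {
            Security.setProperty("crypto.policy", "unlimited");
        }
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        // Integer.MAX_VALUE means unlimited; the limited policy caps AES at 128 bits.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + maxAes);

        // Confirm with a real operation: the key-size check happens in Cipher.init().
        byte[] key = new byte[32]; // random 256-bit key, constructed for this check only
        byte[] iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key);
        rng.nextBytes(iv);
        boolean aes256Works;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
            c.doFinal(new byte[16]); // constructed 16-byte probe plaintext
            aes256Works = true;
        } catch (InvalidKeyException e) { // "Illegal key size" under the limited policy
            aes256Works = false;
        }
        System.out.println("AES-256 encrypt ok = " + aes256Works);

        // Count the TLS suites with 256-bit AES that this JVM reports as supported.
        long tls256 = Arrays.stream(SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
                .filter(s -> s.contains("AES_256")).count();
        System.out.println("TLS AES_256 suites = " + tls256);

        if (maxAes < 256 || !aes256Works) System.exit(1);
    }
}
```

Run it with the same JVM that starts the node; a non-zero exit status means the limited policy is still in effect.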

If your environment uses a JDK version prior to 8u151, which was released in October 2017, refer to the download and install steps in the following sections.

Installing JCE Unlimited for pre-8u151 JDK environments on RHEL-based systems

If your RHEL-based systems must use a pre-8u151 JDK:

  1. Install the JCE using the Oracle JAR:
    1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle Java SE download page under Additional Resources.
    2. Unzip the downloaded file.
    3. Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security directory to overwrite the existing JARs.
    4. Check permissions of installed files so they are readable by all users.

Installing JCE Unlimited for pre-8u151 JDK environments on Debian-based systems

If your Debian-based systems must use a pre-8u151 JDK:

Install the JCE using the webupd8 PPA repository:

sudo apt-get install oracle-java8-unlimited-jce-policy
Note: If the repository is not available in your environment, add it and then install. For example:
sudo add-apt-repository ppa:webupd8team/java