Java Cryptography Extension (JCE) for Azul Zulu Prime Builds of OpenJDK

If one of the following exceptions is thrown in your application while trying to use strong encryption with key lengths of more than 128 bits, the cause for this is most likely a missing Java Cryptography Extension (JCE):

  • java.security.InvalidKeyException: Illegal key size
  • Cryptographic key type aes256-cts-hmac-sha1-96 not found
  • Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled

For Azul Zulu Prime JVM 17.x.x.x and older, the solution is to install the Zulu Cryptography Extension Kit (Zulu CEK). Azul Zulu Prime and Azul Zulu ship with strong encryption, though limited to key lengths of up to 128 bit in earlier versions. The Zulu CEK provides an upgrade to 'unlimited' key sizes. After installing the Zulu CEK, you can use for example AES 256 bits for https, SSL/TLS, Kerberos or other applications of encryption.

The Zulu CEK is compatible to Java SE 6, 7 and 8 on Azul Zulu Prime Builds of OpenJDK and Zulu Builds of OpenJDK.

For Azul Zulu Prime JVM 18.x.x.x and newer no configuration or installation of JCE is necessary any more as the unlimited encryption is enabled by default. Azul Zulu Prime JDK follows the OpenJDK strategy here which changed to this setting with 8u161. If your application requires the limited policy for compatibility reasons, you can switch back to it by either adding the line crypto.policy=limited to /opt/zing/zing-jdk8/jre/lib/security/java.security or adding the line Security.setProperty("crypto.policy", "limited") to your code.

For Azul Zulu Prime JVM 17.11.x.x and 17.12.x.x, all the above solutions are usable to facilitate the transition. The only difference towards Azul Zulu Prime JVM 18.x.x.x and newer is the default setting, which is limited on 17.11 and 17.12 as it was with OpenJDK 8u152.

For Azul Platform Core users of Azul Zulu Builds of OpenJDK: The CEK is no longer needed beginning in Jan 2018 builds (e.g. Zulu 8.27, 7.22, 6.19 and up, and Zing 18.x and up) since they now include the unlimited strength policy files.

If you are using older versions which require the CEK, please contact Azul Support.

 

 

Add Comment

Comments

0 comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful