Java Cryptography Extension (JCE) for Zing

If one of the following exceptions is thrown in your application while trying to use strong encryption with key lengths of more than 128 bits, the cause for this is most likely a missing Java Cryptography Extension (JCE):

  • java.security.InvalidKeyException: Illegal key size
  • Cryptographic key type aes256-cts-hmac-sha1-96 not found
  • Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled

For Zing ZVM 17.x.x.x and older, the solution is to install the Zulu Cryptography Extension Kit (Zulu CEK). Zing and Zulu ship with strong encryption, though limited to key lengths of up to 128 bit in earlier versions. The Zulu CEK provides an upgrade to 'unlimited' key sizes. After installing the Zulu CEK, you can use for example AES 256 bits for https, SSL/TLS, Kerberos or other applications of encryption.

The Zulu CEK is compatible to Java SE 6, 7 and 8 on Zing and Zulu.

ZIP for download and installation documentation:
https://www.azul.com/products/zulu-and-zulu-enterprise/zulu-cryptography-extension-kit/

For Zing ZVM 18.x.x.x and newer no configuration or installation of JCE is necessary any more as the unlimited encryption is enabled by default. Zing follows the OpenJDK strategy here which changed to this setting with 8u161. If your application requires the limited policy for compatibility reasons, you can switch back to it by either adding the line crypto.policy=limited to /opt/zing/zing-jdk8/jre/lib/security/java.security or adding the line Security.setProperty("crypto.policy", "limited") to your code.

For Zing ZVM 17.11.x.x and 17.12.x.x, all the above solutions are usable to facilitate the transition. The only difference towards ZVM 18.x.x.x and newer is the default setting, which is limited on 17.11 and 17.12 as it was with OpenJDK 8u152.

 

Add Comment

Comments

0 comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful