
Java Cryptography Extension (JCE)

By default the Java runtime ships with a limited cryptographic policy that caps the maximum key length at 128 bits. This restriction exists for legal reasons, but some applications require keys longer than 128 bits. The JCE (Unlimited Strength) policy patch removes this limitation from Java.

How to install the JCE patch
  1. Go to the "/lib/security" folder and remove "local_policy.jar" and "US_export_policy.jar" from there (cut and paste them to some other place to keep a backup).
  2. Download the jce_policy-6.zip from here.
  3. Extract the downloaded jce_policy-6.zip.
  4. Copy "local_policy.jar" and "US_export_policy.jar" from the extracted "jce" folder to "/lib/security".

The JVM must be restarted for the patch to take effect, so restarting your Java application is required.
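To confirm that the replaced policy jars were actually picked up after the restart, the following added example (not code from this post) asks the JVM what the policy allows and then tries to initialise an AES-256 cipher. It uses only the standard javax.crypto API; the all-zero key and IV are constructed solely to exercise the policy check.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Reports whether the running JVM is still restricted by the limited JCE policy. */
public class JcePolicyCheck {

    /**
     * Largest AES key size the current policy allows, in bits:
     * 128 under the limited policy, Integer.MAX_VALUE once the unlimited policy jars are in place.
     */
    public static int maxAesKeyLengthBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Returns true when a 256-bit AES key can actually be used, false when the policy
     * rejects it with InvalidKeyException ("Illegal key size"), the symptom applications
     * see before the policy jars are replaced.
     */
    public static boolean canInitAes256() throws GeneralSecurityException {
        byte[] keyBytes = new byte[32]; // constructed all-zero 256-bit key: for the check only, never for real data
        byte[] iv = new byte[16];       // constructed IV, same caveat
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        int max = maxAesKeyLengthBits();
        System.out.println("Max allowed AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("AES-256 cipher init: "
                + (canInitAes256() ? "OK, unlimited policy in place" : "rejected, limited policy still installed"));
        // The policy jars belong to the JRE that is actually running, which is not always the one on PATH.
        System.out.println("java.home = " + System.getProperty("java.home"));
    }
}
```

Run it with the same java binary your application uses: if it still reports 128 bits after the restart, the jars were copied into a different JRE than the one the application runs on. On JDK 8u161 and later, and on JDK 9 onwards, the unlimited policy is the default, so the check reports "unlimited" without any patch.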

Popular posts from this blog

How To Read A SAML 2.0 Response With OpenSAML

This blog post provides step-by-step instructions for reading a SAML Response message sent by the Identity Provider in a SAML 2.0 Single Sign-On environment. I'm using the Java OpenSAML 2.2.3 library.


Fetching the SAML Response message from the HttpServletRequest

According to the SAML 2.0 Bindings specification, the Identity Provider MUST send the SAML Response with the parameter name "SAMLResponse".

    String responseMessage = httpServletRequest.getParameter("SAMLResponse");

Base64 Decode the response

    byte[] base64DecodedResponse = Base64.decode(responseMessage);

Unmarshalling the response

First we need to create a DOM Element object out of the response string.

    ByteArrayInputStream is = new ByteArrayInputStream(base64DecodedResponse);
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
    Document document = docBuilder.parse(is);
    El…
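The DOM parsing step above is the point where a SAML consumer is exposed to XML external entity (XXE) and DTD-based attacks, because a DocumentBuilderFactory created with defaults will resolve entities in attacker-supplied XML. The following added example (not code from the post, and using java.util.Base64 from Java 8 instead of OpenSAML's Base64 class) performs the same decode-and-parse with those features switched off; the SAMLResponse value in main is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/** Decodes a SAMLResponse parameter and parses it with an XXE-hardened DOM parser. */
public class SamlResponseParser {

    /** Namespace-aware builder with DOCTYPE, external entities and XInclude disabled. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required: SAML elements are namespace-qualified
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Base64-decodes the SAMLResponse parameter value and returns the document element. */
    public static Element parseSamlResponse(String samlResponseParam)
            throws ParserConfigurationException, SAXException, IOException {
        // The MIME decoder tolerates the line breaks some Identity Providers insert into the value.
        byte[] decoded = Base64.getMimeDecoder().decode(samlResponseParam);
        Document document = hardenedBuilder().parse(new ByteArrayInputStream(decoded));
        return document.getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the SAMLResponse POST parameter: a minimal Response element, base64 encoded.
        String xml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example\" Version=\"2.0\"/>";
        String param = Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
        Element root = parseSamlResponse(param);
        System.out.println(root.getNamespaceURI() + " " + root.getLocalName());
    }
}
```

A parsed element is still untrusted input: the XML signature on the Response or Assertion must be verified against the Identity Provider's known certificate before any attribute in it is used.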

How To Enable SSL Debugging In Tomcat

When you develop web applications, SSL issues are encountered very often, so it is better if SSL debugging can be enabled at the Tomcat level. To get this done, all you need to do is add the following Java system property to the catalina.sh file, which can be found at [tomcat-home]/bin/catalina.sh.

    -Djavax.net.debug=ssl \

Where to put this line depends on how you run the catalina script. For example, if you use the command sh catalina.sh run, then you have to put this line in the run branch as below:

    elif [ "$1" = "run" ]; then

      shift
      if [ "$1" = "-security" ] ; then
        if [ $have_tty -eq 1 ]; then
          echo "Using Security Manager"
        fi
        shift
        exec "$_RUNJAVA" "$LOGGING_CONFIG" $JAVA_OPTS $CATALINA_OPTS \
          -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
          -Djava.security.manager \
          -Djava.security.policy=="$CATALINA_BASE"/conf/ca…

Exporting The Private Key Of A JKS As A PEM File

This is indeed a frequent use case, but the Java Keytool doesn't provide an easy way to get this done. I came across this requirement when I was configuring Apache2 as a proxy to balance the load between WSO2 Identity Server nodes.

Let's say you have a JKS type keystore (say wso2carbon.jks) with your private key in it.

Step 1 : Convert the JKS into a P12

    keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12

Step 2 : Export the Private Key as a PEM file

    openssl pkcs12 -in server.p12 -out server.pem

The server.pem file is the exported private key.

Step 3 : Exporting the Certificate

    openssl x509 -outform der -in server.pem -out server.crt

The server.crt file is the exported public-key certificate.


Now you can use these two files when configuring Apache2 as:

    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.pem
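The same export can be done without leaving Java, which avoids the intermediate P12 and gives you control over how the key file is written. The following added example (not from the post) loads the JKS with the java.security.KeyStore API and writes the private key as an unencrypted PKCS#8 PEM plus the certificate as a PEM, the two formats Apache's SSLCertificateKeyFile and SSLCertificateFile directives read directly. The keystore path, alias and passwords are taken from the command line; the output file names server.key.pem and server.crt.pem are my choice.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Base64;

/** Exports the private key and certificate of one JKS alias as PEM files. */
public class JksToPem {

    /** Wraps DER bytes in a PEM block with 64-character lines. */
    public static String toPem(String type, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + body + "\n-----END " + type + "-----\n";
    }

    public static void export(Path jks, char[] storePass, String alias, char[] keyPass,
                              Path keyOut, Path certOut) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) {
            ks.load(in, storePass);
        }
        Key key = ks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalArgumentException("alias '" + alias + "' holds no private key");
        }
        Certificate cert = ks.getCertificate(alias);

        // PrivateKey.getEncoded() is unencrypted PKCS#8 DER, so the key file is restricted to its owner.
        writeOwnerOnly(keyOut, toPem("PRIVATE KEY", key.getEncoded()));
        Files.write(certOut, toPem("CERTIFICATE", cert.getEncoded()).getBytes(StandardCharsets.US_ASCII));
    }

    private static void writeOwnerOnly(Path path, String pem) throws IOException {
        Files.write(path, pem.getBytes(StandardCharsets.US_ASCII));
        try {
            Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): restrict the file with the platform's ACL tools instead.
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: JksToPem <keystore.jks> <store-password> <alias> <key-password>");
            System.exit(1);
        }
        // Assumed invocation for the post's keystore: JksToPem wso2carbon.jks <store-password> <alias> <key-password>
        export(Paths.get(args[0]), args[1].toCharArray(), args[2], args[3].toCharArray(),
               Paths.get("server.key.pem"), Paths.get("server.crt.pem"));
        System.out.println("wrote server.key.pem (SSLCertificateKeyFile) and server.crt.pem (SSLCertificateFile)");
    }
}
```

Because the key is written unencrypted, keep server.key.pem owner-readable only (the code sets 0600 on POSIX systems) and own it by the user Apache starts as; the Apache directives then become SSLCertificateFile /path/to/server.crt.pem and SSLCertificateKeyFile /path/to/server.key.pem.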