Configure Java Encryption

  1. Extract local_policy.jar and US_export_policy.jar from the unlimited strength policy files and copy them into the following location(s).

    Configuration              JDK Location
    All installations          $JAVA_HOME/jre/lib/security
    WebSphere installations    $WAS_HOME/java/jre/lib/security
  2. Locate the java.security file in the /security directory.
  3. Verify that the file permissions on the java.security file allow write access for "owner", "group", and "other".

    If they do not, change permissions on the file.

    chmod 777 java.security

  4. Use a text editor to open the java.security file. Add the following line.
    security.provider.ProviderNumber=org.bouncycastle.jce.provider.BouncyCastleProvider

    where ProviderNumber is the number that reflects the position where the line appears in the file.

    You must change the ProviderNumber for each security.provider that appears after the Bouncy Castle line.

    • For Oracle JDK, the security.provider line for Bouncy Castle must come AFTER the sun.security.provider.Sun line.

      Oracle JDK Example

      security.provider.1=sun.security.provider.Sun
      security.provider.2=sun.security.rsa.SunRsaSign
      security.provider.3=com.sun.net.ssl.internal.ssl.Provider
      security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
      security.provider.5=com.sun.crypto.provider.SunJCE
      security.provider.6=sun.security.jgss.SunProvider
      security.provider.7=com.sun.security.sasl.Provider
      
    • For IBM JDK, the security.provider line for Bouncy Castle must come AFTER the com.ibm.crypto.provider.IBMJCE line.

      IBM JDK Example

      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.ibm.jsse.IBMJSSEProvider
      security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
      security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.8=com.ibm.security.cmskeystore.CMSProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  5. Change file permissions on the java.security file to read/execute access for "owner", "group", and "other".

    chmod 555 java.security

  6. Repeat these steps for all JDKs used by your system, including the java.security files for JDKs on machines running applications that connect to Lawson using the Distributed Single Sign-on solution (DSSO). (This includes the JDKs embedded in the application server.)
    • The java.security file for the WebSphere JDK, located in:

    • The java.security files for JDKs on machines running applications that connect to Lawson using the Distributed Single Sign-on Solution (DSSO).

    Now you are ready to verify the encryption algorithms.
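
One way to check the edited provider list from step 4 before step 5 removes write access. This is an added example, not part of the product's documentation or tooling; the function name check_bc_provider and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Validate the security.provider.N list of a java.security file:
# numbers are unique and contiguous from 1, Bouncy Castle is registered,
# and it comes after the JDK's base provider (Sun or IBMJCE).
# check_bc_provider is a hypothetical helper name, not a JDK or vendor tool.
check_bc_provider() {
    awk -F= '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            n = $1; gsub(/[^0-9]/, "", n); n += 0        # provider position
            cls = $2; gsub(/[ \t\r]/, "", cls)           # provider class name
            if (n in seen) { print "duplicate: security.provider." n; bad = 1 }
            seen[n] = cls
            if (n > max) max = n
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= max; i++) {
                if (!(i in seen)) { print "gap: security.provider." i " is missing"; exit 1 }
                if (seen[i] == "org.bouncycastle.jce.provider.BouncyCastleProvider") bc = i
                if (seen[i] == "sun.security.provider.Sun" ||
                    seen[i] == "com.ibm.crypto.provider.IBMJCE") base = i
            }
            if (!bc)   { print "Bouncy Castle provider is not registered"; exit 1 }
            if (!base) { print "no Sun or IBMJCE provider found"; exit 1 }
            if (bc < base) { print "Bouncy Castle (" bc ") precedes " seen[base] " (" base ")"; exit 1 }
            print "ok: Bouncy Castle at position " bc ", after " seen[base]
        }' "$1"
}

# Constructed sample: Bouncy Castle was added as .4, but the line that
# previously held .4 was not renumbered.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.sun.crypto.provider.SunJCE
EOF
check_bc_provider "$sample" || echo "correct the numbering before running chmod 555"
rm -f "$sample"
```

Run the function against each java.security file covered by step 6, for example check_bc_provider "$JAVA_HOME/jre/lib/security/java.security".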