Introduction

Due to export control restrictions, JDK 5.0 environments do not ship with support for AES-256 enabled. Kerberos uses AES-256 in the 'aes256-cts-hmac-sha1-96' encryption type. To enable AES-256, you must download "unlimited strength" policy JAR files for your JRE. Policy JAR files are signed by the JRE vendor so you must download policy JAR files for Sun, IBM, etc. separately. Also, policy files may be different for each platform, such as i386, Solaris, or HP.

Installation

  1. Download the unlimited strength policy JAR files.

    | Vendor | Link | Details |
    |--------|------|---------|
    | IBM | IBM Security information | Scroll down to "IBM SDK Policy files." The same files are used for the Version 1.4 and Version 5 SDKs. |
    | Sun | Java SE Downloads - Previous Release - JDK 5 | Scroll down to "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0" under "Other Downloads". |

  2. Extract the unlimited strength policy JAR files.

    | File | Description |
    |------|-------------|
    | local_policy.jar | Unlimited strength local policy file |
    | US_export_policy.jar | Unlimited strength US export policy file |

  3. Install the unlimited strength policy JAR files by copying them to the standard location. <jre-home> refers to the directory where the J2SE Runtime Environment (JRE) was installed. Adjust pathname separators for your environment.

    | Standard Location | Platform |
    |-------------------|----------|
    | <jre-home>/lib/security | Solaris |
    | <jre-home>\lib\security | Win32 |

  4. Optionally, create subfolders in <jre-home>/lib/security (named, for example, "limited" and "unlimited") so that you can switch between policy files easily by copying the policy JAR files from one of the subfolders to the <jre-home>/lib/security directory.
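
To confirm that the installation steps above took effect for the JRE that will actually run Kerberos, the following check can be compiled and run with that JRE. It is an added example, not code from the original page or the project; the class name `Aes256PolicyCheck` is hypothetical, and the file checks assume the JDK 5.0 layout described in step 3.

```java
import java.io.File;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): checks whether the running JRE
// permits AES-256, which aes256-cts-hmac-sha1-96 requires.
public class Aes256PolicyCheck {

    // The two policy JARs named in step 2.
    static final String[] POLICY_JARS = { "local_policy.jar", "US_export_policy.jar" };

    // True if the JCE jurisdiction policy in effect allows 256-bit AES keys.
    static boolean policyAllowsAes256() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // True if a cipher can actually be initialised with a 256-bit key.
    // The all-zero key and IV are constructed probe values, never real secrets.
    static boolean canInitAes256() throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[32], "AES"),
                    new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) {
            return false; // key size rejected: the limited policy is still active
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home is the <jre-home> of the JRE running this check.
        String jreHome = System.getProperty("java.home");
        File dir = new File(jreHome, "lib" + File.separator + "security");
        System.out.println("JRE under test: " + jreHome);
        for (int i = 0; i < POLICY_JARS.length; i++) {
            File jar = new File(dir, POLICY_JARS[i]);
            System.out.println(jar + (jar.isFile() ? " present" : " MISSING"));
        }
        boolean ok = policyAllowsAes256() && canInitAes256();
        System.out.println("Max AES key length allowed: "
                + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println(ok ? "AES-256 enabled" : "AES-256 NOT enabled for this JRE");
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit status means the JRE printed on the first line is still running with the limited policy, which typically indicates the JAR files were copied into a different JRE or come from a different vendor.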