By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.
In general the answer is: Yes, these files are needed.
Java 9 and above do not require these files, but Java 6, 7, and 8 rely on these files.
For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed its demo/jce/policy-files/unrestricted directory should contain two JAR files:
Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.
For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Each major Java version requires its own policy files:
Each of these downloads is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK:
The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.
To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.
Note: Microsoft has documented all of the steps to install and configure certificate enrollment Web services.
To set up certificate enrollment web services
Certificate enrollment Web services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the web service to domain members. Otherwise, you must manually configure the server URL on each system as explained in Using Certificate Autoenrollment.
To configure certificate enrollment policy
In the console tree, expand Sites, and click the web service application that begins with ADPolicyProvider_CEP.
Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType , where AuthenticationType is the web service authentication type.
Click Add.
The Add button is available only when the enrollment policy server URI and authentication type are valid.
If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy, otherwise, Group Policy may disable Certificate Autoenrollment. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.
To enable Certificate Autoenrollment using Group Policy
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center