Chat now with support
Chat with Support

Safeguard Authentication Services 4.2 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Java requirement: Unlimited Strength Jurisdiction Policy Files

By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.

Do I need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files?

In general the answer is: Yes, these files are needed.

Java 9 and above do not require these files, but Java 6, 7, and 8 rely on these files.

Obtaining and installing the policy files

For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed its demo/jce/policy-files/unrestricted directory should contain two JAR files:

  • local_policy.jar
  • US_export_policy.jar

Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.

For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Each major Java version requires its own policy files:

Each of these downloads is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK:

  • JRE: The lib/security directory usually holds these files.
  • JDK: The jre/lib/security directory usually holds these files.

Installing certificate enrollment web services

The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.

To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.

Note: Microsoft has documented all of the steps to install and configure certificate enrollment Web services.

To set up certificate enrollment web services

  1. Review the requirements as specified by Microsoft at: http://technet.microsoft.com/en-us/library/dd759243.aspx.
  2. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759241.aspx to install the Certificate Enrollment Web Service.
  3. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759214.aspx to install the Certificate Enrollment Policy Web Service.
  4. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759140.aspx to configure server certificates for HTTPS.

Certificate enrollment Web services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.

Configuring Certificate Services Client - Certificate Enrollment Policy

If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the web service to domain members. Otherwise, you must manually configure the server URL on each system as explained in Using Certificate Autoenrollment.

To configure certificate enrollment policy

  1. On the web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.
  2. In the console tree, expand Roles, and then expand Web Server (IIS).
  3. Click Internet Information Services (IIS) Manager.
  4. In the console tree, expand Sites, and click the web service application that begins with ADPolicyProvider_CEP.

    Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType , where AuthenticationType is the web service authentication type.

  5. Under ASP.NET, double-click Application Settings.
  6. Double-click URI, and copy the URI value.
  7. Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.
  8. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
  9. Right-click the policy that you want to edit, and then click Edit.
  10. In the console tree, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
  11. Double-click Certificate Services Client – Certificate Enrollment Policy.
  12. Click Add to open the Certificate Enrollment Policy Server dialog.
  13. In the Enter enrollment policy server URI box, type or paste the certificate enrollment policy server URI obtained earlier.
  14. In the Authentication type list, select the authentication type required by the enrollment policy server (Kerberos).
  15. Click Validate, and review the messages in the Certificate enrollment policy server properties area.
  16. Click Add.

    The Add button is available only when the enrollment policy server URI and authentication type are valid.

  17. In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
  18. Repeat steps 11-16 for machine configuration.

Configuring Certificate Services Client - Auto-Enrollment Group Policy

If you are using Group Policy, you must enable Certificate Autoenrollment in Group Policy, otherwise, Group Policy may disable Certificate Autoenrollment. If you are not using Group Policy, Certificate Autoenrollment is enabled on each host by default.

To enable Certificate Autoenrollment using Group Policy

  1. On a domain controller running Windows Server 2008 R2 open the Start menu and navigate to Administrative Tools | Group Policy Management.
  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy Object (GPO) that you want to edit.
  3. Right-click the GPO, and click Edit.
  4. In the Group Policy Object Editor, navigate to User Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
  5. Double-click Certificate Services Client - Auto-Enrollment.
  6. Next to Configuration Model, select Enabled from the drop-down list to enable autoenrollment.
  7. Click OK to accept your changes.
  8. In the Group Policy Object Editor, navigate to Computer Configuration | Policies | Windows Settings | Security Settings and click Public Key Policies.
  9. Repeat steps 5-7 for machine configuration.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating