How to Avoid Installing "Unlimited Strength" JCE Policy Files When Deploying an Application

Java Error: please install JCE Unlimited Strength Jurisdiction Policy files

I have gone through a similar issue, but with Eclipse instead of IntelliJ.
It could be a problem with the JDK (multiple versions) and JRE. Go to your C:\Program Files\Java directory and add the NEWLY DOWNLOADED JCE jars (depending upon the Java version) inside the security folder of each JDK and JRE you have installed.

Providing JCE policies without patching the JRE

Okay, I was actually able to bypass the policies using Java reflection: How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

It looks like a dirty hack, but it does work and doesn't require any licensing, signing and all that stuff.

Why are the JCE Unlimited Strength not included by default?


  • As it turns out, it's not strict crypto export laws, but simply that no one got around to it yet.
  • In fact, it's been planned for a long time to not have to jump through these hoops.
  • In Java 9, the ceremony will be condensed down to a one-liner: Security.setProperty("crypto.policy", "unlimited");
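
An added example, not code from the original answers: a startup check that sets the crypto.policy property from the list above, reports the AES key limit the runtime actually enforces, and fails fast if 256-bit keys are not permitted. The class name JcePolicyCheck and the 256-bit requirement are assumptions made for the illustration.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example (hypothetical class name): startup check of the JCE policy in effect. */
public class JcePolicyCheck {

    /** True when the active jurisdiction policy permits AES keys of at least keyBits. */
    static boolean allows(int keyBits) throws NoSuchAlgorithmException {
        // Integer.MAX_VALUE under the unlimited policy, 128 under the limited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= keyBits;
    }

    /** Confirms the limit by initialising a cipher with an all-zero test key. */
    static boolean canInitAes(int keyBits) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[keyBits / 8], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false; // "Illegal key size": the limited policy is in force
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before any javax.crypto class is used: the policy is read once,
        // when the JCE framework initialises. A runtime that does not know this
        // property ignores it, and the checks below then report the real limit.
        Security.setProperty("crypto.policy", "unlimited");

        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));

        if (!allows(256) || !canInitAes(256)) {
            // Fail fast at startup instead of hitting InvalidKeyException mid-request.
            throw new IllegalStateException("JCE policy limits AES to "
                    + Cipher.getMaxAllowedKeyLength("AES") + " bits; 256 required");
        }
        System.out.println("AES-256 is permitted by the active JCE policy");
    }
}
```

Running it with each installed JDK and JRE in turn shows which runtime is still enforcing the limited policy.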

Don't want to use unlimited strength policy files

Your code snippet throws an InvalidKeyException despite using BouncyCastle, because you are not using the BC Lightweight API. If you access BC through the JCE API then the same limits on crypto strength apply as with Sun/Oracle providers.

PKCS#12 files are usually encrypted with 3DES (pbeWithSHA1And3-KeyTripleDES-CBC), which is not restricted by the default policy file. However, PKCS#12 allows the use of arbitrary encryption algorithms, so it seems like you got a p12 file that is encrypted with another algorithm. You can check this with openssl:

openssl pkcs12 -in host.p12 -info -noout

The encryption algorithm should change when you convert the keystore to JKS or JCEKS (more secure) with keytool:

keytool -importkeystore -srckeystore host.p12 -srcstoretype PKCS12 -deststoretype JCEKS -destkeystore host.jks

Of course you will have to adapt your code then:

KeyStore keyStore = KeyStore.getInstance("JCEKS");

You could even convert the JCEKS keystore back to PKCS12 with keytool. Keytool generates PKCS12 files with pbeWithSHA1And3-KeyTripleDES-CBC.

Error install JCE Unlimited Strength Jurisdiction Policy files

I found a solution to the problem. I replaced the files only in the folder "jre". It is also necessary to replace the files in the folder "jdk".
