AES 256-bit encryption and the IBM JRE in configuring Kerberos/SPNEGO

By default, ELM applications that are based on Java technology include an IBM® JRE that does not support Advanced Encryption Standard 256-bit (AES-256) encryption.
The United States export administration regulations for strong cryptography prohibit including such software support. Administrators can enhance an IBM JRE to work with AES-256 encryption by obtaining the IBM Java Cryptography Encryption (JCE) unrestricted policy files from IBM Unrestricted SDK JCE policy files.
Note: You must have a universal IBMid to download the files. If you do not have an IBMid, click the registration link on the page.
Replace the JAR files in the JRE_HOME/lib/security directory on the Java client computers with the downloaded files with the same name, where JRE_HOME is the IBM JRE installation directory.
Important: The Engineering Workflow Management .NET clients (Engineering Workflow Management client for Microsoft Visual Studio IDE, Engineering Workflow Management Windows Explorer integration, and Engineering Workflow Management MS-SCCI Provider) include their own version of the IBM JRE that must be updated as well. Replace the JAR files in the EWM_.NET_Client_Install_Dir\3rd Party\jre directory on the Microsoft .NET client computers with the downloaded files with the same name, where EWM_.NET_Client_Install_Dir is the installation directory for the Microsoft .NET clients.

By default, Microsoft Active Directory tries to use AES-256 encryption. Client computers that do not support AES-256 encryption might cause problems in a Kerberos environment.

You can prevent Active Directory and client computers from using AES-256 encryption. Consider this option if a policy change in the IBM JRE is not wanted. For more information, see Enforcing encryption algorithms on Microsoft Active Directory domain clients.


video icon Video

Jazz.net channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community

Jazz.net
Jazz.net forums
Jazz.net library

support icon Support

IBM Support Community
Deployment wiki