Configuring the JDK for Rights Management Encryption Using AES 256-bit Keys

The default length of the Advanced Encryption Standard (AES) key used to encrypt the contents of a document to which a Rights Management policy is applied is 128 bits. To use a 256-bit key, you have to replace the JDK’s “policy files” with the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6”, which is a separate download. For version 6 of the Oracle/Sun HotSpot JDK, you can download it here.

To apply it:

1) Stop all Java processes using the JDK.
2) Unzip the downloaded file.
3) In the /JCE folder, you’ll get two JAR files – local_policy.jar and US_export_policy.jar. Copy these two JAR files to your JDK’s /jre/lib/security/ folder, replacing the similarly named files that are already there.
4) Start all Java processes using the JDK.
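
To confirm that the JVM picked up the replaced files, the following check can be run with that JDK. It is an added example, not part of the original post or of any vendor documentation; the class name JcePolicyCheck is hypothetical, and it assumes java.home points at the JDK's jre directory so that lib/security is the folder from step 3.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the original post. Written to compile on Java 6.
public class JcePolicyCheck {
    static final String[] POLICY_JARS = { "local_policy.jar", "US_export_policy.jar" };

    // Largest AES key size (in bits) the installed jurisdiction policy permits.
    // Limited policy files report 128; unlimited ones report Integer.MAX_VALUE.
    static int maxAesBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Confirms the limit in practice by initialising a cipher with a key of
    // the given size. The all-zero key is a constructed test value only.
    static boolean canInitAes(int bits) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false; // "Illegal key size": the policy still restricts this JVM
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: java.home is the JDK's jre directory, so this resolves
        // to the /jre/lib/security/ folder named in step 3.
        File dir = new File(System.getProperty("java.home"), "lib/security");
        System.out.println("java.home: " + System.getProperty("java.home"));
        for (int i = 0; i < POLICY_JARS.length; i++) {
            File jar = new File(dir, POLICY_JARS[i]);
            System.out.println(jar + (jar.isFile()
                    ? "  " + jar.length() + " bytes, modified " + new Date(jar.lastModified())
                    : "  MISSING"));
        }
        int max = maxAesBits();
        boolean ok = max >= 256 && canInitAes(256);
        System.out.println("Max allowed AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println(ok ? "AES-256 available"
                : "AES-256 NOT available: policy files not applied to this JDK");
        System.exit(ok ? 0 : 1); // non-zero exit lets a deployment script fail fast
    }
}
```

Compile and run it with the same java binary the application server uses, since a machine can have several JDKs and only the one whose policy files were replaced will report 256-bit support.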


From various Sun/Oracle license agreements:

The JCE architecture allows users to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations).

Any such restrictions are specified in “jurisdiction policy files”.

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped specify that “strong” but limited cryptography may be used. An “unlimited strength” version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the “strong” version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

Encryption software exports are also governed by the United States Department of Commerce’s Bureau of Industry and Security “Export Administration Regulations” (EARs). For example, “15 CFR Supplement No. 1 to Part 740 – Country Groups” Country Group E:1 currently lists Cuba, Iran, North Korea, Sudan and Syria as requiring special licenses for encryption software. More here.

The error messages you might get include this one:

ERROR [com.adobe.livecycle.encryption.client.EncryptionServiceException] ALC-ENC-100-019 ACRO_9 compatibility implies 256 bit AES encryption, which requires JCE unlimited strength jurisdiction policy files to be installed on the JVM
