I think I've resolved it, and it appears to be unrelated to the JCE libs.  
Using jdk 1.8.162 as-is, with #crypto.policy=unlimited commented out as 
delivered.

I was using cas-management to add the jwt properties and added one too 
many.  When my service has the below, it works without the JCE error:

.............
  properties:
  {
    @class: java.util.LinkedHashMap
    jwtAsServiceTicket:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
  }


But when it has these two entries, it fails with the JCE error, which was 
apparently a red herring.

  properties:
  {
    @class: java.util.LinkedHashMap
    jwtAsServiceTicket:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
    jwtAsResponse:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
  }
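An added diagnostic (not from this thread, and not CAS code) that separates the two causes discussed above: it reads the effective crypto.policy setting, repeats the AES key-length check from the jrunscript one-liner, and then performs an actual AES-256-GCM round trip, which is what the A256GCM entry in the CAS error list requires. The list of enc names is copied from the error message above; the class and method names are mine, and it assumes JDK 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical diagnostic class; not part of CAS.
public class JceDiagnostic {
    // The JWE "enc" identifiers listed in the CAS error message above.
    static final List<String> JWE_ENC = Arrays.asList(
        "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
        "A128GCM", "A192GCM", "A256GCM");

    // Same check as the jrunscript one-liner in the thread.
    static boolean unlimitedStrength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // A limited policy fails at init() with InvalidKeyException
    // ("Illegal key size"); an unlimited one round-trips the plaintext.
    static boolean aes256GcmRoundTrip() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] plain = "probe".getBytes(StandardCharsets.UTF_8);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return Arrays.equals(c.doFinal(ct), plain);
    }

    public static void main(String[] args) throws Exception {
        // null means the property is still commented out, as delivered.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("AES max key length >= 256: " + unlimitedStrength());
        System.out.println("AES-256-GCM round trip: " + aes256GcmRoundTrip());
        // Any value passed on the command line is checked against the JWE list.
        String enc = args.length > 0 ? args[0] : "AES";
        System.out.println("\"" + enc + "\" is a JWE enc value: " + JWE_ENC.contains(enc));
    }
}
```

If the round trip succeeds, the JDK policy is not the cause of the startup failure and the service's JWT properties are the place to look, which matches the resolution above.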



On Tuesday, April 10, 2018 at 10:05:14 AM UTC-5, William E. wrote:
>
> Hi Mike,
>
> Thanks for replying.  
>
> 1. Cas startup says "JCE Installed: Yes " but fails to find AES??
>
> 2. Isn't unlimited the default and verified by the jsunscript test?
>
> From the 1.8.162 java.security file you reference:
>
> # Cryptographic Jurisdiction Policy defaults
> #
> # Import and export control rules on cryptographic software vary from
> # country to country.  By default, the JDK provides two different sets of
> # cryptographic policy files:
> #
> #     unlimited:  These policy files contain no restrictions on cryptographic
> #                 strengths or algorithms.
> #
> #     limited:    These policy files contain more restricted cryptographic
> #                 strengths, and are still available if your country or
> #                 usage requires the traditional restrictive policy.
> #
> # The JDK JCE framework uses the unlimited policy files by default.
> # However the user may explicitly choose a set either by defining the
> # "crypto.policy" Security property or by installing valid JCE policy
> # jar files into the traditional JDK installation location.  To better
> # support older JDK Update releases, the "crypto.policy" property is not
> # defined by default.  See below for more information.
> #
> # The following logic determines which policy files are used:
> #
> #         <java-home> refers to the directory where the JRE was
> #         installed and may be determined using the "java.home"
> #         System property.
> #
> # 1.  If the Security property "crypto.policy" has been defined,
> #     then the following mechanism is used:
> #
> #     The policy files are stored as jar files in subdirectories of
> # <java-home>/lib/security/policy.  Each directory contains a complete
> # set of policy files.
> #
> #     The "crypto.policy" Security property controls the directory
> #     selection, and thus the effective cryptographic policy.
> #
> # The default set of directories is:
> #
> #     limited | unlimited
> #
> # 2.  If the "crypto.policy" property is not set and the traditional
> #     US_export_policy.jar and local_policy.jar files
> #     (e.g. limited/unlimited) are found in the legacy
> #     <java-home>/lib/security directory, then the rules embedded within
> #     those jar files will be used. This helps preserve compatibility
> # for users upgrading from an older installation.
> #
> # 3.  If the jar files are not present in the legacy location
> #     and the "crypto.policy" Security property is not defined,
> #     then the JDK will use the unlimited settings (equivalent to
> #     crypto.policy=unlimited)
> #
> # Please see the JCA documentation for additional information on these
> # files and formats.
> #
> # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
> # TO DETERMINE THE EXACT REQUIREMENTS.
> #
> # Please note that the JCE for Java SE, including the JCE framework,
> # cryptographic policy files, and standard JCE providers provided with
> # the Java SE, have been reviewed and approved for export as mass market
> # encryption item by the US Bureau of Industry and Security.
> #
> # Note: This property is currently used by the JDK Reference implementation.
> # It is not guaranteed to be examined and used by other implementations.
> #
> #crypto.policy=unlimited
>
>
>
> # pwd; find .
> /usr/java/jdk1.8.0_162/jre/lib/security
> .
> ./cacerts
> ./javaws.policy
> ./trusted.libraries
> ./java.security
> ./blacklisted.certs
> ./java.policy
> ./blacklist
> ./policy
> ./policy/limited
> ./policy/limited/US_export_policy.jar
> ./policy/limited/local_policy.jar
> ./policy/unlimited
> ./policy/unlimited/US_export_policy.jar
> ./policy/unlimited/local_policy.jar
>
>
>
> -William
>
>
> On Tuesday, April 10, 2018 at 9:45:41 AM UTC-5, Michael A Grady wrote:
>>
>> The easiest way to get the latest versions of Java to use unlimited 
>> strength algorithms is to:
>>
>>  Modify the file (within the Java directory):
>>
>>       jre/lib/security/java.security 
>>
>>  change the commented out property, near the end of the file:
>>
>>       #crypto.policy=unlimited
>>
>> by simply removing the comment marker:
>>
>>       crypto.policy=unlimited
>>
>> On Apr 10, 2018, at 8:58 AM, William E. <wre...@uah.edu> wrote:
>>
>> Has anyone run into a problem with the JCE files on newer JDK's?  It is 
>> my understanding that jdk 1.8.161 and later includes the jce unlimited 
>> cryptography libs by default, and command line testing seems to confirm 
>> this, but CAS 5.2.3 fails with the following:
>>
>> Caused by: java.lang.RuntimeException: Is JCE Unlimited Strength 
>> Jurisdiction Policy installed? AES is an unknown, unsupported or 
>> unavailable enc algorithm (not one of [A128CBC-HS256, A192CBC-HS384, 
>> A256CBC-HS512, A128GCM, A192GCM, A256GCM]).
>>
>> CAS startup shows the correct JDK is being used and JCE is present:
>>
>> CAS Version: 5.2.3 
>> CAS Commit Id: 14850a4ef16ef32ce6390f62fda566fdb8fa3948 
>> CAS Build Date/Time: 2018-03-07T20:08:12Z 
>> Spring Boot Version: 1.5.8.RELEASE 
>> ------------------------------------------------------------ 
>> Java Home: /usr/java/jdk1.8.0_162/jre 
>> Java Vendor: Oracle Corporation 
>> Java Version: 1.8.0_162 
>> ..............
>> JCE Installed: Yes 
>> ..............
>>
>>
>> Command line testing shows it is enabled:
>>
>> $ env | grep JAVA
>> JAVA_HOME=/usr/java/jdk1.8.0_162
>>
>> $ which jrunscript
>> /usr/java/jdk1.8.0_162/bin/jrunscript
>>
> >> $ jrunscript -e "print (javax.crypto.Cipher.getMaxAllowedKeyLength('AES') >= 256)"
>> true
>>
>>
>> I am at a loss...
>>
>> Anyone have ideas??
>>
>> Out of desperation I downloaded the jce files from oracle and put them in 
>> the usual place(/jre/lib/security) and restarted tomcat but still same 
>> error.  Using openjdk 8 which should also include the jce unlimited jars 
>> also gives the same cas error.
>>
>> Thanks,
>> William
>>
>>
>>
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/718bdd24-4d97-4723-8f00-a156f7c79757%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/718bdd24-4d97-4723-8f00-a156f7c79757%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>>
>> --
>> Michael A. Grady
>> IAM Architect, Unicon, Inc.
>>
>>
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3dc4afab-9b9a-4548-8a38-15615a9fb3f3%40apereo.org.