Sameer,

thank you for your test report. That explains everything.

Oracle JDK 9 should have unlimited strength cryptography by default and require no special configuration after installation.

It is also reported that Oracle JDK 8u162 will have unlimited strength cryptography by default and will likewise require no special configuration. I think a JDK issue records this as a scheduled change, but check the release notes for 8u162 to confirm that the change was actually made.

Kind regards,
Ben.

On 07/12/17 23:05, Abdool, Sameer wrote:
Ben,

"check for the correct directory" was your suggestion.
So I did.

The folder structure has changed from 8u144 to 8u151
8u144: you would normally copy the policy files to %JAVAHOME%\lib\security - No other subfolders located there
8u151: folder structure has changed to %JAVAHOME%\lib\security\policy.
Within it, 2 more folders named Limited & Unlimited. The JAR files are there.

I've checked both folder structures to confirm it.

# The policy files are jar files organized into subdirectories of
# <java-home>/lib/security/policy.  Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory selection,
# and thus the effective cryptographic policy.
#
# The default set of directories is:
#
#     limited | unlimited
#
# however other directories can be created and configured.
#
# To support older JDK Update releases, the crypto.policy property
# is not defined by default. When the property is not defined, an
# update release binary aware of the new property will use the following
# logic to decide what crypto policy files get used :
#
# * If the US_export_policy.jar and local_policy.jar files are located
# in the (legacy) <java-home>/lib/security directory, then the rules
# embedded in those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# * If crypto.policy is not defined and no such jar files are present in
# the legacy locations, then the JDK will use the limited settings
# (equivalent to crypto.policy=limited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#crypto.policy=unlimited

Test:

1)      Commented out crypto.policy=unlimited in java.security file.

2)      Re-overwritten the policy JAR files located within the "Unlimited" 
folder using files taken from the following link: 
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

3)      Re-started Apache

4)      Log in to Geoserver and I get the following: No strong cryptography 
available, installation of the unrestricted policy jar files is recommended

I think it's working for others because they still placed the jar files in the 
old location: %JAVAHOME%\lib\security (Correct way)
According to the notes it will still be honoured and Geoserver documentation 
still applicable.
Step 2 was my mistake and I assumed it was a logical approach.

So from now on I will only edit the java.security file and enable unlimited 
crypto policy there. Safest and more hassle-free option. (Do you agree?)
I have a feeling that with new updates coming up, i.e. 8u152 (latest) and JRE 
1.9, folders structure will/might change again and so will the steps to be 
taken.

Ben, thanks again!
I'll put this down to "user error".

Kind Regards,
Sameer
From: Abdool, Sameer [mailto:sameer.abd...@molevalley.gov.uk]
Sent: 06 December 2017 22:23
To: 'geoserver-users@lists.sourceforge.net' <geoserver-users@lists.sourceforge.net>; 
Ben Caradoc-Davies <b...@transient.nz>
Subject: Re: [Geoserver-users] Unlimited strength cryptography in Oracle JDK 
8u151 and later

Ben,
I will check it and report back again. I've used the same policy jar files 
before without hiccups. I also re-downloaded them from Oracle site as well just 
in case and copied them over.
I will also look into the local control access but then again I'm logged on as 
Domain Admin and no GPO restrictions applied.
Good suggestions though.
Thanks,
Sameer


From: Ben Caradoc-Davies
Sent: Wednesday, 6 December, 22:10
Subject: Re: [Geoserver-users] Unlimited strength cryptography in Oracle JDK 
8u151 and later
To: Abdool, Sameer, 'geoserver-users@lists.sourceforge.net'

Sameer,

I am pleased that your GeoServer is now working.

We have a report from Kristian of the policy files working for 32-bit Oracle JRE 8u151 on Windows. I wonder why your policy files did not work? Could there be some local access control issue? Please check that they are in the correct directory.

The checksums might be of interest. The ones I extracted from jce_policy-8.zip have:

$ md5sum UnlimitedJCEPolicyJDK8/*.jar
ef6e8eae7d1876d7f05d765d2c2e0529  UnlimitedJCEPolicyJDK8/US_export_policy.jar
dabfcb23d7bf9bf5a201c3f6ea9bfb2c  UnlimitedJCEPolicyJDK8/local_policy.jar

Kind regards,
Ben.

On 06/12/17 21:28, Abdool, Sameer wrote:
> Hello Ben,
>
> I've uncommented line 826 from the java.security file to show: crypto.policy=unlimited
> PS: Unlimited JCE Policy jar files were already present (files modified date 20/12/2013)
>
> My Geoserver is now back on!
> Thank you very much for pointing me to the right direction and help me resolve this issue.
> That was spot on.
>
> If it works for others and not for me then I'll be eager to know the specification of their machine/VM.
> The only behaviour causing this issue for me was a centralised deployment of Java Update to my VM from ManageEngine Desktop Central.
> So nothing major.
>
> Thanks,
> Sameer

--
Ben Caradoc-Davies
Director
Transient Software Limited
New Zealand


--
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
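
The selection rules quoted from java.security in this thread, as an added example (not part of the original messages, the JDK or GeoServer): a Python check that reports which crypto policy an 8u151-style installation would select. The function names and the temporary directory layout are constructed for illustration; point `effective_policy` at a real `<java-home>` to audit it.

```python
import os
import re
import tempfile

LEGACY_JARS = ("US_export_policy.jar", "local_policy.jar")

def read_crypto_policy(java_security_path):
    """Return the value of an uncommented crypto.policy line, or None."""
    value = None
    with open(java_security_path, encoding="iso-8859-1") as fh:
        for line in fh:
            m = re.match(r"\s*crypto\.policy\s*[=:]\s*(\S+)", line)
            if m:                   # '#crypto.policy=...' does not match
                value = m.group(1)  # last definition wins, as in .properties
    return value

def effective_policy(java_home):
    """Apply the rules from the java.security comment block (8u151+)."""
    sec = os.path.join(java_home, "lib", "security")
    prop = read_crypto_policy(os.path.join(sec, "java.security"))
    if prop is not None:            # property defined: it selects the directory
        chosen = os.path.join(sec, "policy", prop)
        state = "ok" if os.path.isdir(chosen) else "missing-directory"
        return (prop, "crypto.policy property", state)
    if all(os.path.isfile(os.path.join(sec, j)) for j in LEGACY_JARS):
        # Rules embedded in these jars apply; their strength is not inspected here.
        return ("legacy-jars", "jars in lib/security", "ok")
    return ("limited", "default (property undefined, no legacy jars)", "ok")

def make_home(root, name, prop_line, legacy=False):
    """Build a constructed <java-home> layout with empty placeholder jars."""
    sec = os.path.join(root, name, "lib", "security")
    for d in ("limited", "unlimited"):
        os.makedirs(os.path.join(sec, "policy", d))
        for j in LEGACY_JARS:
            open(os.path.join(sec, "policy", d, j), "w").close()
    if legacy:
        for j in LEGACY_JARS:
            open(os.path.join(sec, j), "w").close()
    with open(os.path.join(sec, "java.security"), "w") as fh:
        fh.write("# constructed sample\n" + prop_line + "\n")
    return os.path.join(root, name)

def demo():
    with tempfile.TemporaryDirectory() as root:
        cases = {
            "commented": make_home(root, "a", "#crypto.policy=unlimited"),
            "legacy": make_home(root, "b", "#crypto.policy=unlimited", legacy=True),
            "enabled": make_home(root, "c", "crypto.policy=unlimited"),
        }
        return {k: effective_policy(v)[0] for k, v in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The "commented" case has jars present under policy/unlimited yet still resolves to limited, because with the property undefined only jars in the legacy lib/security location are consulted.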