Configuring stronger encryption

You can configure stronger encryption by using the BCC package.

The Bouncy Castle Crypto (BCC) package is included in your Oracle Endeca Guided Search installation. This package is a Java implementation of cryptographic algorithms and provides stronger encryption than the native JCE implementation. For example, RSA authentication and key exchange are supported for up to 4096-bit keys.

The package also contains the BCC provider, which is a JCE-compliant provider that is a wrapper built on top of the BCC light-weight API.

Before you integrate the BCC package, make sure that you are running Java 2 SDK version 1.4.x or later. Earlier versions of the Java 2 SDK do not support the stronger cryptographic capabilities of the BCC package.

To integrate the BCC package:

  1. Find the BCC JAR file, which should have a name similar to the following: bcprov-jdk14-121.jar (the exact name of the file depends on its version number).
    Note: This file is shipped in the $ENDECA_ROOT/lib/java directory on UNIX (%ENDECA_ROOT%\lib\java on Windows). The JDK shipped with the Platform Services package may be a later version than the one indicated in this file's name. The file is compatible with the later JDK version with which it is shipped.
  2. Copy the BCC JAR file to the [JAVA_HOME]/jre/lib/ext directory.
  3. The JCE policy files shipped with the Java 2 SDK allow strong but limited cryptography to be used. To use the stronger encryption, replace them with the JCE Unlimited Strength Jurisdiction Policy Files, which you can download from the java.sun.com site (e.g., http://java.sun.com/j2se/1.4.2/download.html).
  4. Unpack the JCE Unlimited Strength policy files (named local_policy.jar and US_export_policy.jar) and copy them to the [JAVA_HOME]/jre/lib/security directory. They overwrite files of the same name, so you may want to move the original files to another location first.
  5. Edit the [JAVA_HOME]/jre/lib/security/java.security file to add the Bouncy Castle provider, using an entry with this format (where n is the preference order of the provider):
    security.provider.n=org.bouncycastle.jce.provider.BouncyCastleProvider
    It is recommended that you not put the Bouncy Castle provider as the first name in the preference order. It is up to you to determine the actual order of the providers, but the following example is one recommended ordering.

Example of ordering providers

# List of providers and their preference orders
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
security.provider.3=sun.security.jgss.SunProvider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
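
Checking the result of the procedure above (an added example, not part of the Oracle documentation): the class below lists the providers the JVM actually loaded, reports where the Bouncy Castle provider sits in the preference order, and tests whether the unlimited strength policy files are in effect. It assumes Java 5 or later (for Cipher.getMaxAllowedKeyLength) and that the provider registers under the name "BC"; the class name VerifyBccSetup is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added example: verifies the JVM it runs on, so launch it with the same
// JAVA_HOME that was modified in steps 2 through 5.
public class VerifyBccSetup {

    // 1-based preference position of the named provider, or 0 if not registered.
    static int providerPosition(String name) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().equals(name)) {
                return i + 1;
            }
        }
        return 0;
    }

    // The limited policy files cap AES at 128 bits; the unlimited ones do not.
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + "="
                    + providers[i].getClass().getName());
        }
        boolean ok = true;
        int pos = providerPosition("BC"); // assumption: name used by BouncyCastleProvider
        if (pos == 0) {
            System.out.println("FAIL: Bouncy Castle provider not registered (steps 2 and 5)");
            ok = false;
        } else if (pos == 1) {
            System.out.println("WARN: Bouncy Castle is first in the preference order");
        } else {
            System.out.println("OK: Bouncy Castle registered at position " + pos);
        }
        if (unlimitedPolicyActive()) {
            System.out.println("OK: unlimited strength policy files are in effect");
        } else {
            System.out.println("FAIL: limited policy files still active (steps 3 and 4)");
            ok = false;
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with the javac and java binaries under the [JAVA_HOME] you edited; a non-zero exit status means one of the steps did not take effect for that JVM.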