Configuring stronger encryption

You can configure stronger encryption by using the BCC package.

The Bouncy Castle Crypto (BCC) package is included in your Endeca Information Access Platform installation. This package is a Java implementation of cryptographic algorithms and provides stronger encryption than the native JCE implementation. For example, RSA authentication and key exchange are supported for up to 4096-bit keys.

The package also contains the BCC provider, which is a JCE-compliant provider that is a wrapper built on top of the BCC light-weight API.

Before you integrate the BCC package, make sure that you are running Java 2 SDK version 1.4.x or later. Earlier versions of the Java 2 SDK do not support the stronger cryptographic capabilities of the BCC package.

To integrate the BCC package:

  1. Find the BCC JAR file, which should have a name like bcprov-jdk14-121.jar (the exact name of the file depends on its version number). The file is shipped in the $ENDECA_ROOT/lib/java directory on UNIX (%ENDECA_ROOT%\lib\java on Windows).
  2. Copy the BCC JAR file to the [JAVA_HOME]/jre/lib/ext directory.
  3. The JCE policy files shipped with the Java 2 SDK allow strong but limited cryptography to be used. To use the stronger encryption, replace them with the JCE Unlimited Strength Jurisdiction Policy Files, which you can download from the java.sun.com site (e.g., http://java.sun.com/j2se/1.4.2/download.html).
  4. Unpack the JCE Unlimited Strength policy files (named local_policy.jar and US_export_policy.jar) and copy them to the [JAVA_HOME]/jre/lib/security directory. They overwrite files of the same name, so you may want to move the original files to another location first.
  5. Edit the [JAVA_HOME]/jre/lib/security/java.security file to add the Bouncy Castle provider, using an entry with this format (where n is the preference order of the provider):
    security.provider.n=org.bouncycastle.jce.provider.BouncyCastleProvider
    It is recommended that you not put the Bouncy Castle provider as the first name in the preference order. It is up to you to determine the actual order of the providers, but the following example is one recommended ordering.

Example of ordering providers

# List of providers and their preference orders
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
security.provider.3=sun.security.jgss.SunProvider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
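
A check for the java.security edit in step 5, added here as an example and not part of the Endeca documentation: it parses the file text and reports a reused slot number, a numbering gap, or a Bouncy Castle entry that is missing or first. It assumes the JVM reads security.provider.n from 1 upward and stops at the first missing number; check_providers, GOOD and BAD are names made up for this example.

```python
import re

BC = "org.bouncycastle.jce.provider.BouncyCastleProvider"
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

def check_providers(text):
    """Return (effective_order, findings) for the text of a java.security file."""
    slots, findings = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line)  # comment lines starting with '#' never match
        if not m:
            continue
        n, cls = int(m.group(1)), m.group(2)
        if n in slots and slots[n] != cls:
            # Properties-file semantics: the later entry silently wins.
            findings.append(f"slot {n}: {cls} replaces {slots[n]}")
        slots[n] = cls
    # Assumption: the JVM reads slots from 1 upward and stops at the first gap.
    order, n = [], 1
    while n in slots:
        order.append(slots[n])
        n += 1
    for k in sorted(k for k in slots if k > n):
        findings.append(f"slot {k}: {slots[k]} follows a gap at {n}, not loaded")
    if BC not in order:
        findings.append("Bouncy Castle provider is not in the effective list")
    elif order[0] == BC:
        findings.append("Bouncy Castle provider is first in the preference order")
    return order, findings

# The ordering from the example above.
GOOD = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
security.provider.3=sun.security.jgss.SunProvider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
"""
# Constructed bad edit: slot 4 reused instead of renumbering the last provider.
BAD = GOOD.replace("provider.5=", "provider.4=")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        order, findings = check_providers(text)
        print(name, "->", findings or "ok")
```

To check a real installation, pass the contents of [JAVA_HOME]/jre/lib/security/java.security to check_providers after editing it.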