5.4.2. Kerberos and Unlimited Strength Policy has been edited by Emmanuel Lécharny (Nov 19, 2008).

(View changes)

Work in progress

This site is in the process of being reviewed and updated.


Due to export control restrictions, JDK 5.0 environments do not ship with support for AES-256 enabled. Kerberos uses AES-256 in the 'aes256-cts-hmac-sha1-96' encryption type. To enable AES-256, you must download "unlimited strength" policy JAR files for your JRE. Policy JAR files are signed by the JRE vendor so you must download policy JAR files for Sun, IBM, etc. separately. Also, policy files may be different for each platform, such as i386, Solaris, or HP.


  1. Download the unlimited strength policy JAR files.
    Vendor Link Details
    IBM IBM Security information Scroll down to "IBM SDK Policy files." The same files are used for the Version 1.4 and Version 5 SDKs.
    Sun Java SE Downloads - Previous Release - JDK 5 Scroll down to "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0" under "Other Downloads"
  2. Extract the unlimited strength policy JAR files.
    File Description
    local_policy.jar Unlimited strength local policy file
    US_export_policy.jar Unlimited strength US export policy file
  3. Install the unlimited strength policy JAR files by copying them to the standard location. <jre-home> refers to the directory where the J2SE Runtime Environment (JRE) was installed. Adjust pathname separators for your environment.
    Standard Location Platform
    <jre-home>/lib/security Solaris
    <jre-home>\lib\security Win32
  4. Optionally, create subfolders in <jre-home>/lib/security, named, for example, "limited" and "unlimited" so you can switch between policy files easily, by copying the policy JAR files from one of the subfolders to the <jre-home>/lib/security directory.

Powered by Atlassian Confluence (Version: 2.2.9 Build:#527 Sep 07, 2006) - Bug/feature request

Unsubscribe or edit your notifications preferences