...

  • To support additional cryptographic algorithms used by the IdP, download and install the Bouncy Castle JCE jar file (http://polydistortion.net/bc/index.html) in the lib/ext directory of the JRE (/usr/java/latest/jre/lib/ext/). For example:
    # cd /usr/java/latest/jre/lib/ext
    # cp /path/to/bcprov-jdk16-145.jar .
    
    (Replace the file version number as needed).
    Add it as a provider in the JRE's lib/security/java.security, e.g.:
    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
    
    (Replace 9 with the next sequential provider number as needed).
  • We want to ensure that DNS lookups are not cached indefinitely. Set the networkaddress.cache.ttl property in java.security accordingly:
    
    networkaddress.cache.ttl=30
    
  • To support use of crypto key sizes larger than 2048 bits, we also add the Unlimited Strength Security Policy to the JVM. Download jce_policy-6.zip from the locker downloads directory, or from Sun (http://java.sun.com/javase/downloads/index.jsp, Other Downloads section at the bottom). Unzip the policy zip file and copy local_policy.jar and US_export_policy.jar into the JRE's lib/security directory (replacing the versions installed from the JDK RPM).
    # cd /tmp
    # unzip /path/to/jce_policy-6.zip
    # cd jce
    # cp *.jar /usr/java/latest/jre/lib/security/
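
A check for the java.security edits above (the Bouncy Castle provider entry and networkaddress.cache.ttl), added here as an example and not part of the original instructions. The function names and the sample file contents are constructed; the script flags gaps in provider numbering because the JRE stops reading the provider list at the first missing number.

```shell
#!/bin/sh
# Added example, not from the original page. Audits a java.security file for
# the provider and DNS-TTL edits described in the steps above.
check_java_security() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        }
        key ~ /^security\.provider\.[0-9]+$/ {
            n = key; sub(/^security\.provider\./, "", n); n += 0
            # Properties loading keeps only the last value for a repeated key.
            if (n in prov) { print "duplicate security.provider." n; bad = 1 }
            prov[n] = val
            if (n > max) max = n
            if (val == "org.bouncycastle.jce.provider.BouncyCastleProvider") bc = n
        }
        key == "networkaddress.cache.ttl" { ttl = val; have_ttl = 1 }
        END {
            # The JRE reads providers 1, 2, 3, ... and stops at the first
            # missing number, so anything after a gap is never loaded.
            for (i = 1; i <= max; i++)
                if (!(i in prov)) { print "gap: security.provider." i " missing"; bad = 1 }
            if (!bc) { print "Bouncy Castle provider not registered"; bad = 1 }
            if (!have_ttl) { print "networkaddress.cache.ttl not set"; bad = 1 } else if (ttl !~ /^[0-9]+$/) {
                # A negative TTL means "cache forever".
                print "networkaddress.cache.ttl=" ttl " is not a non-negative integer"; bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: Bouncy Castle added as provider 9 while 3-8 do not exist.
demo() {
    f=$(mktemp)
    printf '%s\n' 'security.provider.1=sun.security.provider.Sun' \
        'security.provider.2=sun.security.rsa.SunRsaSign' \
        'security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider' \
        '#networkaddress.cache.ttl=-1' > "$f"
    rc=0; check_java_security "$f" || rc=$?
    rm -f "$f"; return $rc
}

if [ $# -gt 0 ]; then check_java_security "$1"; else demo || true; fi
```

Run it with the path to the JRE's java.security as the only argument; with no argument it runs against the constructed sample. It exits 0 only when the file passes every check.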
    

...