Additional libraries needed for SFTP ciphers

If you are planning to use the non-default ciphers that are included as part of MFT Server SFTP service (or any service that uses encryption for that matter), then you may need to install the JCE Unlimited Strength Jurisdiction Policy Files distributed by Oracle.

 

The default ciphers that are supported by the SFTP service include:

 

  • 3des-cbc

  • 3des-ctr

  • blowfish-cbc

  • blowfish-ctr

  • twofish128-cbc

  • twofish128-ctr

  • twofish192-cbc

  • twofish192-ctr

  • twofish-cbc

  • twofish256-cbc

  • twofish256-ctr

  • aes128-cbc

  • aes128-ctr

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • aes256-ctr

  • serpent128-cbc

  • serpent128-ctr

  • serpent192-cbc

  • serpent192-ctr

  • serpent256-cbc

  • serpent256-ctr

  • idea-cbc

  • idea-ctr

  • cast128-cbc

  • cast128-ctr

  • arcfour

  • arcfour128

  • arcfour256

 

If you are only using the default enabled ciphers then installing the Unlimited Strength Jurisdiction Policy Files is not necessary.

 

Examples of non-default ciphers that require installing the Unlimited Strength Jurisdiction Policy Files include but are not limited to aes, twofish, serpent, idea and cast.

 

Due to export restrictions, the version of the policy files bundled by default with older versions of the JDK allows "strong" but limited cryptography to be used. The "unlimited strength" policy files contain no restrictions on cryptographic strength.

 

Download Unlimited Strength Jurisdiction Policy Files

 

As indicated on the Oracle website, JDK 9 and later already ship with, and use by default, the unlimited policy files. Policy files for JDK 8 are accessible from the link below.

 

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html (JVM 1.8)

 

Installation

 

On Windows

 

  1. Determine the location of the JVM/JDK you are using by opening the .install4j\inst_jre.cfg file located in your MFT Server installation directory. This file will contain the path to the JRE used when running MFT Server.

     

    Example: c:\program files\java\jre

     

  2. Extract the contents of the Unlimited Strength Jurisdiction Policy Files to a temporary directory.

     

  3. Copy the local_policy.jar and US_export_policy.jar files extracted in the previous step to the lib\security directory of your JRE, making sure to back up the previous versions of these jar files in case you decide to revert to the previous installation.

     

    Example: c:\program files\java\jre\lib\security

     

  4. Restart both the MFT Server Service and MFT Server Manager.

 

On Linux

 

  1. Determine the location of the JVM/JDK you are using. One way to do this would be to:

     

    • Execute the command: ps -efwww | grep java;

    • Find the MFT Server process; and then

    • Find the Java executable that is running the MFT Server process. This will give you an idea where the JVM/JDK in question is located. Please refer to the example image below:

 

[Image: example ps output showing the Java executable that is running the MFT Server process]

 

In the example, the JRE could be located at: /opt/java/jdk1.8.0_60/jre

 

  2. Extract the contents of the Unlimited Strength Jurisdiction Policy Files to a temporary directory.

     

  3. Copy the local_policy.jar and US_export_policy.jar files extracted in the previous step to the lib/security directory of your JRE, making sure to back up the previous versions of these jar files in case you decide to revert to the previous installation.

     

    Example: /opt/java/jdk1.8.0_60/jre/lib/security

     

  4. Restart both the MFT Server Service and MFT Server Manager.
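
The Linux backup-and-copy steps above can be scripted so that the previous jars are always preserved and each copy is verified. The following is an added example, not part of the MFT Server documentation or tooling; the function names and the backup directory layout are assumptions, and it assumes the java executable found in the ps output sits at bin/java under the JRE home.

```shell
#!/bin/sh
# Added example: back up and install the JCE policy jars into a JDK 8 JRE.
# Function names and the backup directory layout are assumptions.
POLICY_JARS="local_policy.jar US_export_policy.jar"

# Derive the JRE home from the java executable path seen in the ps output,
# e.g. /opt/java/jdk1.8.0_60/jre/bin/java -> /opt/java/jdk1.8.0_60/jre
jre_home_from_java() {
    dirname "$(dirname "$1")"
}

# install_jce_policy SRC_DIR JRE_HOME [BACKUP_DIR]
# Prints the backup directory on success. Fails before touching the JRE
# if lib/security is missing or either extracted jar is absent or empty.
install_jce_policy() {
    src=$1; sec="$2/lib/security"
    backup=${3:-"$sec/policy-backup-$(date +%Y%m%d%H%M%S)"}
    [ -d "$sec" ] || { echo "no lib/security under $2" >&2; return 1; }
    for jar in $POLICY_JARS; do
        [ -s "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
    done
    mkdir -p "$backup" || return 1
    for jar in $POLICY_JARS; do
        # Keep the previous version so the change can be reverted.
        if [ -f "$sec/$jar" ]; then
            cp -p "$sec/$jar" "$backup/$jar" || return 1
        fi
        cp "$src/$jar" "$sec/$jar" || return 1
        # Confirm the installed jar is byte-identical to the extracted one.
        cmp -s "$src/$jar" "$sec/$jar" || { echo "$jar failed verification" >&2; return 1; }
    done
    echo "$backup"
}

# restore_jce_policy BACKUP_DIR JRE_HOME: put the saved jars back.
restore_jce_policy() {
    for jar in $POLICY_JARS; do
        [ -f "$1/$jar" ] || { echo "no backup of $jar in $1" >&2; return 1; }
        cp -p "$1/$jar" "$2/lib/security/$jar" || return 1
    done
}
```

After a successful install_jce_policy or restore_jce_policy, restart the MFT Server Service and MFT Server Manager as in the final step.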