AES 256-bit encryption and the IBM JRE in configuring Kerberos/SPNEGO

By default, ELM applications that are based on Java technology include an IBM® JRE that does not support Advanced Encryption Standard 256-bit (AES-256) encryption.

The United States export administration regulations for strong cryptography prohibit including such software support. Administrators can enhance an IBM JRE to work with AES-256 encryption by obtaining the IBM Java Cryptography Encryption (JCE) unrestricted policy files from the IBM Unrestricted SDK JCE policy files page.
Note: You must have a universal IBMid to download the files. If you do not have an IBMid, click the registration link on the page.
Replace the JAR files in the JRE_HOME/lib/security directory on the Java client computers with the downloaded files of the same name, where JRE_HOME is the IBM JRE installation directory.
Important: The Engineering Workflow Management .NET clients (Engineering Workflow Management client for Microsoft Visual Studio IDE, Engineering Workflow Management Windows Explorer integration, and Engineering Workflow Management MS-SCCI Provider) include their own version of the IBM JRE, which must be updated as well. Replace the JAR files in the EWM_.NET_Client_Install_Dir\3rd Party\jre directory on the Microsoft .NET client computers with the downloaded files of the same name, where EWM_.NET_Client_Install_Dir is the installation directory for the Microsoft .NET clients.
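
To confirm that the replacement took effect, a check such as the following can be compiled and run with the JRE that was updated. It is an added example, not IBM-supplied code; the class name Aes256PolicyCheck is an assumption, and the all-zero key is constructed for the test only.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports whether the JRE that runs it permits AES-256.
public class Aes256PolicyCheck {

    // True when the installed JCE policy allows AES keys of at least 256 bits.
    static boolean policyAllowsAes256() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Confirms the policy in practice by initializing a cipher with a 256-bit key.
    static boolean canInitAes256() {
        try {
            byte[] key = new byte[32]; // constructed all-zero key, for this test only
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            // Restricted policy files reject the key with InvalidKeyException.
            System.out.println("AES-256 init failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String javaHome = System.getProperty("java.home");
        System.out.println("java.home   : " + javaHome);
        System.out.println("java.vendor : " + System.getProperty("java.vendor"));
        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("Max AES key : " + Cipher.getMaxAllowedKeyLength("AES") + " bits");

        // List the JARs in lib/security so the replacement can be checked by timestamp.
        File[] files = new File(javaHome, "lib/security").listFiles();
        for (int i = 0; files != null && i < files.length; i++) {
            if (files[i].getName().endsWith(".jar")) {
                System.out.println("  " + files[i].getName() + "  "
                        + new Date(files[i].lastModified()));
            }
        }

        boolean ok = policyAllowsAes256() && canInitAes256();
        System.out.println(ok ? "AES-256 is available in this JRE"
                              : "AES-256 is NOT available; the policy is still restricted");
        System.exit(ok ? 0 : 1);
    }
}
```

Run the class with the java executable of each JRE that was updated, including the one bundled with the .NET clients, because the result applies only to the JRE that executes it. The exit code is 0 when AES-256 is usable and 1 otherwise.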

By default, Microsoft Active Directory tries to use AES-256 encryption. Client computers that do not support AES-256 encryption might cause problems in a Kerberos environment.

You can prevent Active Directory and client computers from using AES-256 encryption. Consider this option if a policy change in the IBM JRE is not wanted. For more information, see Enforcing encryption algorithms on Microsoft Active Directory domain clients.