AES 256-bit encryption and the IBM JRE in configuring Kerberos/SPNEGO
By default, ELM applications that are based on Java technology include an IBM® JRE that does not support Advanced Encryption Standard 256-bit (AES-256) encryption. The United States export administration regulations for strong cryptography prohibit including such software support. Administrators can enhance an IBM JRE to work with AES-256 encryption by obtaining the IBM Java Cryptography Encryption (JCE) unrestricted policy files from IBM Unrestricted SDK JCE policy files.
Note: You must have a universal IBMid to download the files. If you do not have an IBMid, click the registration link on the page.
Replace the JAR files in the JRE_HOME/lib/security directory on the Java client computers with the downloaded files with the same name, where JRE_HOME is the IBM JRE installation directory.
Important: The Engineering Workflow Management .NET clients (Engineering Workflow Management client for Microsoft Visual Studio IDE, Engineering Workflow Management Windows Explorer integration, and Engineering Workflow Management MS-SCCI Provider) include their own version of the IBM JRE that must be updated as well. Replace the JAR files in the EWM_.NET_Client_Install_Dir\3rd Party\jre directory on the Microsoft .NET client computers with the downloaded files with the same name, where EWM_.NET_Client_Install_Dir is the installation directory for the Microsoft .NET clients.
By default, Microsoft Active Directory tries to use AES-256 encryption. Client computers that do not support AES-256 encryption might cause problems in a Kerberos environment.
You can prevent Active Directory and client computers from using AES-256 encryption. Consider this option if a policy change in the IBM JRE is not wanted. For more information, see Enforcing encryption algorithms on Microsoft Active Directory domain clients.