Skip to main content
Code42 Support

Configure your Code42 server to accept longer encryption keys

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

This tutorial explains how to configure your Code42 server to accept SSL and single sign-on (SSO) encryption keys that exceed the Java import limits on cryptographic algorithms. To remove the limitations on encryption key length, download and install Oracle’s Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, as outlined below.

Installing the JCE may be necessary if you are:

  • Configuring SSO or SSL in your Code42 environment for the first time.
  • Upgrading Java on a Code42 server on which you previously installed the JCE (because upgrading Java removes the JCE update).

SSO identity provider encryption keys

If your Code42 environment is configured to authenticate users with an SSO identity provider that uses encryption keys that exceed the Java import limits on cryptographic algorithms, such as Microsoft AD FS, you may need to install the JCE to allow users to sign in.

When a user fails to sign in due to the length of the SSO identity provider's encryption key, the master server logs the following error:

[11.25.14 07:24:19.315 ERROR   jetty-web-3057       org.opensaml.xml.encryption.Decrypter   ] Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size

Considerations

  • The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are not available for download in some countries.
  • The JCE files must be installed in the Java directory on your master server's file system. This article assumes that your master server uses one of these Java configurations:
    • Linux: Java installed by the Code42 server install script
    • Windows: Java bundled with the Code42 server installer
    • OS X: Java bundled with the Code42 server installer
  • You must have administrative access to the file system of the server that hosts your master server to install the JCE files.
  • Whenever you upgrade Java, the JCE is overwritten and must be installed again.
Managed Private Cloud deployments
You cannot access the file system of a managed appliance. For assistance installing the JCE files, contact your PRO Services representative.

Step 1: Identify your Java version

Determine which Oracle Java version is installed on the host server.

  1. On your master server, navigate to your logs folder.
    • Linux: /var/log/proserver
      Applies to Code42 servers installed as root on Ubuntu
    • Windows: C:\Program Files\CrashPlan PROe Server\logs
    • OS X: /Library/Logs/PROServer
  2. Open app.log in a text editor.
  3. The Java virtual machine version is displayed. For example:
    JVM = Java(TM) SE Runtime Environment (1.7.0_80-b15, 64-bit)
    

Step 2: Install the Java cryptography extension

  1. Download the Java Cryptography Extension (JCE) that matches your Java version:
  2. Extract the downloaded file.
  3. Place the local_policy.jar and US_export_policy.jar files on your Code42 server in the appropriate directory:
    • Linux:
      /opt/proserver/jre/lib/security
    • Windows:
      C:\Program Files\CrashPlan PROe Server\jre\lib\security
    • OS X:
      /Applications/PROServer.app/Contents/Resources/Java/jre/lib/security
  4. (Linux and OS X) Make sure the ownership and permissions for the local_policy.jar and US_export_policy.jar files match the parent directory.
  5. Restart the Code42 server service.