Symantec Access Management


CLI Process:  How to check the JDK's JCE for unlimited encryption


    Posted Sep 11, 2015 05:40 PM

    Hello,

     

    As part of building dev-ops solutions for customers and CA, one of the common base 3rd party components to deploy is the Oracle JDK. 

    To ensure that the Oracle JDK is ready for any encryption level, the corresponding Oracle JCE must be applied to the deployed JDK.

     

    To assist with automating this process and add a validation check, I have the following to offer:

     

    A CLI script that will install both the x86 and the x64 bit version of a JDK, and copy/replace the updated JCE libraries (bit independent) into the correct library folder.

    After deploying the JCE, I use a process to check that the JCE was successfully applied using a process pulled from GitHub.

    Ref:   https://gist.github.com/fintler/6283751

     

     

     

     

    **** ****

     

    #!/bin/bash

    ###############################################################################################
    ##### Shell script to install three (3) packages in the following order:                  #####
    ##### Java JDK 1.7 b71+ (x86 / x64) , Java JCE Unlimited Encryption Libraries             #####
    ###############################################################################################
    ##### Java JDK 1.7 b71+ (2015/05/12 b79)                                                  #####
    ##### http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html #####
    ##### Java JCE 1.7                                                                        #####
    ##### http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html  #####
    ###############################################################################################
    STARTTIME=$(date)
    echo ""
    echo "$STARTTIME"

    MEDIA_HOME=/opt/CA/media/iso/jdk
    INSTALL_PATH=/opt/CA/jdk
    JDK_VERSION=jdk1.7.0_71
    JDK_GZ_NAME_X86=jdk-7u71-linux-i586.gz
    JDK_GZ_NAME_X64=jdk-7u71-linux-x64.gz

    mkdir -p "$INSTALL_PATH"

    echo "################################################"
    echo "### Clean up prior installation of x86 JDK  ###"
    # Stop if the media folder is missing; otherwise tar would extract into the wrong directory.
    cd "$MEDIA_HOME" || exit 1
    rm -rf  "$MEDIA_HOME/$JDK_VERSION"
    rm -rf  "$INSTALL_PATH/$JDK_VERSION"_x86
    tar -zxvf "$MEDIA_HOME/$JDK_GZ_NAME_X86"   > /dev/null 2>&1
    mv "$MEDIA_HOME/$JDK_VERSION" "$INSTALL_PATH/$JDK_VERSION"_x86


    echo "################################################"
    echo "### Clean up prior installation of x64 JDK ###"
    rm -rf  "$MEDIA_HOME/$JDK_VERSION"
    rm -rf  "$INSTALL_PATH/$JDK_VERSION"_x64
    tar -zxvf "$MEDIA_HOME/$JDK_GZ_NAME_X64"  > /dev/null 2>&1
    mv "$MEDIA_HOME/$JDK_VERSION" "$INSTALL_PATH/$JDK_VERSION"_x64


    echo "################################################"
    echo "### Check status of JDK 7 x86 ###"
    file "$INSTALL_PATH/$JDK_VERSION"_x86/bin/java
    echo "################################################"
    echo "### Check status of JDK 7 x64 ###"
    file "$INSTALL_PATH/$JDK_VERSION"_x64/bin/java


    echo "################################################"
    echo "### Update JCE libraries for JDK 7 x86 and x64 ###"
    # The JCE policy jars are the same for both architectures.
    cd "$MEDIA_HOME/jce_7" || exit 1
    cp -r -p *.jar "$INSTALL_PATH/$JDK_VERSION"_x86/jre/lib/security
    cp -r -p *.jar "$INSTALL_PATH/$JDK_VERSION"_x64/jre/lib/security


    echo "################################################"
    echo "### JCE Test (viewable on console) ###"
    echo "### Check JAVA JCE Encryption for Unlimited Strength ###"
    # Quoted delimiter: the shell writes the Java source out verbatim, with no expansion.
    cat << 'EOF' > "$MEDIA_HOME/CipherTest.java"
    import javax.crypto.Cipher;
    class CipherTest {
        public static void main(String args[]) {
            try {
                int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
                if(maxKeyLen < 256) {
                    System.out.println("FAILED: Max key length too small! (" + maxKeyLen + ").");
                } else {
                    System.out.println("PASSED: Max key length OK! (" + maxKeyLen + ").");
                }
            } catch(Exception e) {
                System.out.println("FAILED: No AES found!");
            }
        }
    }
    EOF

    cd "$MEDIA_HOME" || exit 1
    echo "### JDK x86 Cipher Test with Unlimited JCE ###"
    "$INSTALL_PATH/$JDK_VERSION"_x86/bin/javac  CipherTest.java
    "$INSTALL_PATH/$JDK_VERSION"_x86/bin/java   CipherTest
    echo "################################################"
    echo "### JDK x64 Cipher Test with Unlimited JCE ###"
    "$INSTALL_PATH/$JDK_VERSION"_x64/bin/javac  CipherTest.java
    "$INSTALL_PATH/$JDK_VERSION"_x64/bin/java   CipherTest

    chown -R nobody:nobody "$INSTALL_PATH"

    echo "################################################"
    echo "Done with JDK installation"
    echo "Started at $STARTTIME"
    echo "Done at $(date)"
    echo "################################################"
    echo ""

     

     

     

     

     

    *********** ****************

     

    Cheers,

     

    A.

     

     

    Edit:  7/28/2016

     

    Useful tools for Dev-Ops / CLI scripts.    Attaching the java examples and how to call them via CLI using JDK javac.

    No need to guess max memory size, let the system tell you what is available.

     

    C:\Program Files\Java\jdk1.8.0_66\bin>javac MaxMemory.java

    C:\Program Files\Java\jdk1.8.0_66\bin>java MaxMemory

    Total Memory: 514850816 (491.0 MiB)

    Max Memory:   7615283200 (7262.5 MiB)

    Free Memory:  506766080 (483.289794921875 MiB)

     

    C:\Program Files\Java\jdk1.8.0_66\bin>javac CipherTest.java

    C:\Program Files\Java\jdk1.8.0_66\bin>java CipherTest

    FAILED: Max key length too small! (128).

     

     

     

     

    Ref:  For MaxMemory.java example

    Maximum Java heap size of a 32-bit JVM on a 64-bit OS - Stack Overflow
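
The script in the post prints PASSED or FAILED to the console but keeps going either way, so an automated deployment cannot stop when a JDK still has the restricted JCE policy. The following is an added example, not part of the original post or the referenced gist: a shell gate around the post's CipherTest that turns its output into an exit status. The function names `jce_max_key_len` and `jce_gate`, the 256-bit default and the exit codes are assumptions of this example, and CipherTest.class is assumed to be already compiled in the given directory.

```shell
#!/bin/sh
# Added example: gate a deployment on the CipherTest result from the post.
# Assumes CipherTest.class has already been compiled into CLASS_DIR.

# jce_max_key_len JAVA_BIN CLASS_DIR
# Prints the AES max key length CipherTest reported; returns 2 if the check
# could not run or its output was not the expected PASSED/FAILED line.
jce_max_key_len() {
    java_bin=$1; class_dir=$2
    [ -x "$java_bin" ] || { echo "no executable JVM at $java_bin" >&2; return 2; }
    out=$("$java_bin" -cp "$class_dir" CipherTest 2>&1) || return 2
    # CipherTest prints "PASSED: ... (<n>)." or "FAILED: ... (<n>)."; extract <n>.
    len=$(printf '%s\n' "$out" |
          sed -n 's/^[A-Z]*: Max key length .*(\([0-9][0-9]*\))\.$/\1/p')
    [ -n "$len" ] || { echo "unparseable CipherTest output: $out" >&2; return 2; }
    printf '%s\n' "$len"
}

# jce_gate JAVA_BIN CLASS_DIR [MIN_BITS]
# Returns 0 if the JVM allows AES keys of at least MIN_BITS (default 256),
# 1 if the JCE policy is still restricted, 2 if the check itself failed.
jce_gate() {
    min=${3:-256}
    len=$(jce_max_key_len "$1" "$2") || return 2
    if [ "$len" -ge "$min" ]; then
        echo "OK   $1: AES max key length $len"
        return 0
    fi
    echo "FAIL $1: AES max key length $len (< $min), JCE policy not applied" >&2
    return 1
}
```

After the JCE copy step, call `jce_gate "$INSTALL_PATH/${JDK_VERSION}_x64/bin/java" "$MEDIA_HOME" || exit 1` once per installed JDK. With the unlimited policy applied, `Cipher.getMaxAllowedKeyLength("AES")` reports 2147483647 (`Integer.MAX_VALUE`), while the restricted policy reports 128 as in the Windows run above.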