Java: The Crypto Frontier!

Update: It appears that Java 9 enables all the below by default now. This is really only useful for Java 8 Release 151.

If you’ve ever had to deploy Java to macOS, you’ll probably have noticed it’s about as admin friendly as being vigorously rubbed down with sandpaper while standing in a vat of warm marmalade being made to confess that you love Satan not very admin friendly at all. Downright hostile in places.

The big issue is today’s modern IT world relies on strong crypto in order to remain compliant with security, laws of various countries, avoid being sued by users data being sniffed and the like. So Java from day one has by default disabled strong crypto and any Jamf admin worth their salt has dealt with the repercussions ever since.

This is probably historically due to the legal issues over the release of Pretty Good Privacy back in 1993 involving the USA’s Arms Export Control Act. (tl;dr … strong crypto used to be considered legally a “munition”.)

In the past what you did to re-enable strong crypto was to download and manually install the Java Cryptographic Extensions files. You got a bunch of files in a zip archive and copied them over the existing installed files. This is what you did on macOS, Linux and Windows too.

Of course, and without any fanfare, this has now changed. (Note: I only found this out after being tipped by a Jamf employee who shall remain nameless, unless he wants the shoutout?).

Oracle in Java 8 151 has made a change where the strong crypto is installed with Java but is disabled by default.

The good news is you no longer have to hand build JCE packages. The bad news is you now have to fool around with Java configuration files to achieve the same end.

The better news is this can be scripted. There is a single line in the java.security file that is commented out with a # by default, so removing that enables the good stuff. The issue is there can be more than one java.security file present on macOS (both the JVM and the Internet Plugin) so realising that, I now run the following after deploying the Java pkg.

#!/bin/bash

# Script to finalise a Java JDK installation

# First enable Java Cryptographic Extensions by altering all the java.security files we can find.
# JVM and Internet Plugin
OIFS=$IFS
IFS=$'\n'
for i in `/usr/bin/find /Library -name "java.security"`;
do
/usr/bin/sed -i .bak 's/#crypto.policy=unlimited/crypto.policy=unlimited/' $i
done
IFS=$OIFS

# Disable the auto updates
/usr/bin/defaults write /Library/Preferences/com.oracle.java.Java-Updater JavaAutoUpdateEnabled -bool false
Obviously I’m disabling the auto updates with the last line, so you don’t have to include that in your implementation. (I tried this with a configuration profile and it doesn’t like that.)