Packaging the Sun Java JCE Policy

These instructions only apply if one needs to run the Oracle (previously Sun) distribution of Java. OpenJDK does not require special handling of the JCE policy files since it's open source and therefore not export-restricted in the United States. If you can run OpenJDK, do so rather than worrying about these details.

For people who still have to run the Oracle or Sun Java JDK, there are packages available in Debian non-free through squeeze. However, those packages only include export-strength encryption, which means they cannot do 256-bit AES. In order to enable export-strength encryption, you have to download a separate ZIP file from Oracle's web site and replace a couple of files that come with the JDK. The problem with doing this with a Debian package is that these changes are lost each time the package is upgraded.

This page documents how I packaged the Unlimited Strength Jurisdiction policy files so that they would continue working with upgrades to the Debian package.

Prerequisites

You will need the ZIP file downloaded from Oracle. You can get this by going to the Java SE download page (no direct link because Oracle keeps changing the layout of their web site). The policy files are available in the Additional Resources section at the bottom of the page and are titled "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6".

This process was tested with version 6 of the JDK, but should also work with version 7.

You will also need the Debian packaging files. From the link below you can download a tarball of the debian directory of the package. This doesn't contain any Sun or Oracle software, just files copyrighted by Stanford University and released under the Expat / MIT license (similar to a two-clause BSD license).

These instructions assume familiarity with the general process of building Debian packages.

Procedure

  1. Create a directory named sun-java6-jce-policy and put the ZIP file downloaded from Oracle (named jce_policy-6.zip) in that directory. Create sun-java6-jce-policy-6.orig.tar.gz from that directory and put it in the parent directory.

  2. Unpack the Debian packaging tarball inside the sun-java6-jce-policy directory created above. This will create a debian directory.

  3. Build the package with the packaging build tool of your choice.

You will get a sun-java6-jce-policy package, which you can upload to your local repository, install manually, or however you handle locally-created packages.

How It Works

There are two problems this package has to solve. One is that the directory name into which the files need to be installed varies for each version of the Oracle or Sun JDK. The other is that they are new copies of files that come with the JDK, so normally upgrading would just replace them, if one solved the problem of the versioned directories.

This package instead installs the policy files into a separate directory, /usr/lib/jvm/jce-policy. It then diverts the files that come with the JDK and replaces them with symlinks to the files that come with this package. Finally, it registers interest to changes in the default version link created by the Sun/Oracle JDK packages using a trigger, and uses that trigger to remove obsolete diversions and set up diversions for newly-installed versions of the JDK.

Notes

I have only tested this with the Java 6 JDK, since we hope to be able to switch entirely to OpenJDK for Java 7. However, assuming that the JCE policy file for Java 7 works the same way, a similar approach to packaging should be possible. However, only Java 6 (and 5) are already packaged for Debian; for later versions, Debian is also supporting only OpenJDK. If you're manually installing Java, this is no longer as interesting.

I'm making these instructions available rather than prebuilt packages because the files themselves are not redistributable. You can download them directly, but the license says that you can only use them internally. I don't know if they're accessible from outside the United States. (Possibly not, since they exist due to US export control regulations.)

Last spun 2013-07-01 from thread modified 2013-01-04