Warning: Java update and JCE unlimited strength policy files

Hi,

Today Ubuntu issued an update for OpenJDK (Java). If OpenJDK is updated
it seems that the Ubuntu OpenJDK installer overwrites the JCE unlimited
strength policy files. The Virtual Appliance will restore the JCE
unlimited strength policy after a restart (from a backup copy) but this
is not the case when Djigzo is manually installed using the .deb files
on Ubuntu 8.04.
Newer releases of Ubuntu (and RedHat/CentOS) use an updated version of
OpenJDK which no longer requires the JCE unlimited strength policy files
to be installed.

You can check whether the JCE unlimited strength policy is still in
place after upgrading Java by opening Djigzo Web. If there is no warning
about missing "JCE unlimited strength policy" then the policy is still
in place. If not, reinstall jce_policy-6.zip (like you did before).

In sum:

if using Ubuntu >= 9.04 or CentOS/RedHat 5.3/5.4 then you do NOT need to
install "JCE unlimited strength policy files"

if using Djigzo Virtual Appliance a restart after upgrade of Java
(OpenJDK) will automatically reinstall the "JCE unlimited strength
policy files"

if using Ubuntu 8.04 the "JCE unlimited strength policy files" should be
reinstalled after upgrading Java.

Newer releases of Ubuntu use an OpenJDK which no longer requires the "JCE
unlimited strength policy files". Once the new Long Term Release (LTS)
of Ubuntu is released Djigzo will use by default the new LTS version.

Kind regards,

Martijn Brinkers

--
Djigzo open source email encryption

Hi,

I have attached the JCE policy script that is used by the Virtual
Appliance to restore the JCE policy files.

Note: Only use this script if you manually installed Djigzo on Ubuntu
8.04. You can stop reading if you are using the Virtual Appliance or
are using CentOS/RedHat.

You can use this script if you want Djigzo to restore the installed JCE
policy files after a restart (1) and do not want to manually install the
JCE policy files.

Instructions on using the script:

$ sudo cp djigzo-appliance /etc/init.d/
$ sudo chmod +x /etc/init.d/djigzo-appliance
$ sudo chown root:root /etc/init.d/djigzo-appliance
$ sudo update-rc.d djigzo-appliance defaults 10 30

I will add these instructions to the installation guides.

Kind regards,

Martijn

(1) a restart will start the restore script before restarting Djigzo.


#!/bin/sh -e

# Copies the Java policy files from backup to the Java lib/security directory
#
# Martijn Brinkers

. /lib/lsb/init-functions

# Include djigzo defaults if available
if [ -f /etc/default/djigzo ] ; then
    . /etc/default/djigzo
fi

if [ ! "$DJIGZO_HOME" ]; then
    DJIGZO_HOME=/usr/share/djigzo
fi

POLICY_BACKUP_DIR="$DJIGZO_HOME"/lib/jcepolicy

copy_policy()
{
    SOURCE=$1
    TARGET=$2

    if [ -f "$SOURCE" ]; then
        # only copy if source and target are different
        if ! cmp "$SOURCE" "$TARGET"; then
            # make sure the policy is not world writable and owned by root
            # (three-argument test; a single word would always be true)
            if [ "$(stat -c %G/%U/%a "$SOURCE")" = "root/root/644" ]; then
                log_action_msg "copying $SOURCE to $TARGET"
                cp "$SOURCE" "$TARGET"
            fi
        fi
    fi
    
}

case "$1" in
    start)
        LOCAL_POLICY_NAME="local_policy.jar"
        US_EXPORT_POLICY_NAME="US_export_policy.jar"

        JAVA_SECURITY_DIR=$(dirname "$(realpath "$(which java)")")/../lib/security

        log_action_msg "Using Java security dir $JAVA_SECURITY_DIR"
    
        copy_policy "$POLICY_BACKUP_DIR"/"$LOCAL_POLICY_NAME" "$JAVA_SECURITY_DIR"/"$LOCAL_POLICY_NAME"
        copy_policy "$POLICY_BACKUP_DIR"/"$US_EXPORT_POLICY_NAME" "$JAVA_SECURITY_DIR"/"$US_EXPORT_POLICY_NAME"
    ;;
    stop)
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    
    *)
        log_action_msg "Usage: djigzo-appliance {start|stop|restart}"
        exit 1
    ;;
esac

exit 0
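
The script's comment says a backup policy file must be owned by root and not world writable before it is copied into the Java security directory. The following is an added example, not part of the attached script, showing that a "[ ... ]" test written as a single word accepts every file while the three-argument form enforces the check. The function names and the temporary sample file are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not the Djigzo script): why the check needs three arguments.

# Describe a file as group/owner/mode, the format string the init script uses.
describe() {
    stat -c %G/%U/%a "$1"
}

# One-word test: "[ WORD ]" is true for any non-empty WORD, so this accepts
# every file that exists, whatever its owner or mode.
accepts_one_word() {
    [ $(describe "$1")=="$2" ]
}

# Three-argument test: a real string comparison against the expected value.
accepts_compared() {
    [ "$(describe "$1")" = "$2" ]
}

# Restore $1 over $2 only if $1 matches the expected description $3 and the
# two files differ. Prints what it did: copied, unchanged or refused.
restore_policy() {
    if ! accepts_compared "$1" "$3"; then
        echo refused
    elif cmp -s "$1" "$2"; then
        echo unchanged
    else
        cp "$1" "$2" && echo copied
    fi
}

# Constructed demo: a world-writable stand-in for a backup policy jar.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample\n' > "$dir/local_policy.jar"
    chmod 666 "$dir/local_policy.jar"
    want="$(stat -c %G/%U "$dir/local_policy.jar")/644"
    accepts_one_word "$dir/local_policy.jar" "$want" && echo "one-word: accepted"
    accepts_compared "$dir/local_policy.jar" "$want" || echo "compared: rejected"
    rm -rf "$dir"
}
demo
```

On a real installation the expected value is "root/root/644", as in the script.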

Quoting Martijn Brinkers <martijn(a)djigzo.com>:

> Hi,
>
> Today Ubuntu issued an update for OpenJDK (Java). If OpenJDK is updated
> it seems that the Ubuntu OpenJDK installer overwrites the JCE unlimited
> strength policy files. The Virtual Appliance will restore the JCE
> unlimited strength policy after a restart (from a backup copy) but this
> is not the case when Djigzo is manually installed using the .deb files
> on Ubuntu 8.04.
> Newer releases of Ubuntu (and RedHat/CentOS) use an updated version of
> OpenJDK which no longer requires the JCE unlimited strength policy files
> to be installed.
>
> You can check whether the JCE unlimited strength policy is still in
> place after upgrading Java by opening Djigzo Web. If there is no warning
> about missing "JCE unlimited strength policy" then the policy is still
> in place. If not, reinstall jce_policy-6.zip (like you did before).

Many thanks for the warning. In fact I have installed the update and
not yet checked about the Policy....

> In sum:
>
> if using Ubuntu >= 9.04 or CentOS/RedHat 5.3/5.4 then you do NOT need to
> install "JCE unlimited strength policy files"
>
> if using Djigzo Virtual Appliance a restart after upgrade of Java
> (OpenJDK) will automatically reinstall the "JCE unlimited strength
> policy files"
>
> if using Ubuntu 8.04 the "JCE unlimited strength policy files" should be
> reinstalled after upgrading Java.
>
> Newer releases of Ubuntu use an OpenJDK which no longer requires the "JCE
> unlimited strength policy files". Once the new Long Term Release (LTS)
> of Ubuntu is released Djigzo will use by default the new LTS version.

Does this mean .deb packages are only released for the new LTS version
further on?? As we do not always upgrade immediately we would like to
see support for 8.04 LTS a little bit longer if possible. After all
that's the advantage of LTS...

Regards

Andreas

> Does this mean .deb packages are only released for the new LTS version
> further on?? As we do not always upgrade immediately we would like to
> see support for 8.04 LTS a little bit longer if possible. After all
> that's the advantage of LTS...

No, I will make sure that 8.04 will be supported as long as Ubuntu will
support 8.04 (so that should be at least until 2013 I believe). I
personally use 8.04 on some of my own servers and I only upgrade if I
really have to.

What I should have said is that once the new LTS release (10.04) is out
the Virtual Appliance will probably be based on the new LTS release. Not
immediately but after some time once we know that 10.04 is stable
enough. The reason we will use the new LTS is that the new LTS will
again be supported for 5 years.

Kind regards,

Martijn Brinkers

------------------------------------------------------------------------

Subject: Re: Warning: Java update and JCE unlimited strength policy files
From: lst_hoe02(a)kwsoft.de
Date: Wed, 07 Apr 2010 12:05:01 +0200
To: users(a)lists.djigzo.com
