In java platform documentation http://www.oracle.com/technetwork/java/javase/jrereadme-182762.html. Regarding the comment about
/lib/security/local_policy.jar /li
Does every JDK bundle comes with local_policy.jar and US_export_policy.jar ?
yup. JCE has been integrated into the Java 2 SDK since the 1.4 release.
What is the limitation in default local_policy.jar and US_export_policy.jar. Is it the key size ?
Yes it is the key size. I thing more than 128 bit is not allowed. You can check the maximum size of the algorithm using int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
If I need to use 128 bit keys does it required to go for Unlimited Strength Java Cryptography Extension
For 128 bit key encryption I dont think you need Unlimited Strength Java Cryptography Extension jars. Default ones should work just fine.
Is there a way I can keep these two jars in external path and load it. Because I have more 50 servers rather than coping in each JDK I would prefer to maintain it in a central place.
As mentioned above this scenario should not occur if you are using 128 bit key for encryption but if you are using more lengthy key (Eg 256) you will need to get unlimited strength jars and replace them in $JAVA_HOME/jre/lib/security
. As it is in the JDK/JRE itself you cannot make it centralized not in case of distributed servers. You will need to replace it on each of your servers.
Refer oracles reference guide.
Also if you don't want to do this you can refer to following thread for alternatives -
How to avoid installing “Unlimited Strength” JCE policy files when deploying an application?
Reflection is user in the thread as a work around. Though I would not recommend it you can take a look at it.
I have summarized everything in a post. You can refer that too -
How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files