4

I try to append security properties to java.security. Hence I add a property "java.security.properties" specifying the file to be appended.

I checked that security.overridePropertiesFile is set to true.

For some reason the changes to the security policy are not applied. If I change the file "java.security" directly everything works fine.

Either the file cannot be found or the content of the file is not correct. I do not get any error message about the location. I tried absolute and relative paths. The content of the file is the following (one line):

jdk.tls.disabledAlgorithms=ECDH, DH, RC4, DES, MD5withRSA, 3DES_EDE_CBC, DESede, DES, anon, NULL

I guess there is something wrong with the path but don't know since there are no logs about it. Couldn't find good information about the path though. All examples are relative paths which do not work either for me.

I am using JDK11.

Lao Tse

1 Answer

5

Try running your application with -Djava.security.debug=properties on the command line. If there is an issue loading the file, you should get a message such as "unable to load security properties from <filename>" with an exception stack trace.

Also, you should set the java.security.properties system property on the command line if possible. If not, it should be set as early as possible in your code; otherwise depending on what the application does, it may read and cache the values of security properties from the java.security file before it loads your properties file.

Sean Mullan
  • Great, thanks for the tip! I see now errors and get why this is not working – Lao Tse Dec 17 '20 at 12:20
  • For some reason the properties are not overwritten. I copied the original java.security to the new location and changed a setting but this is not working. I know now for sure that this is working because the log says that it overwrites something: ```properties: reading security properties file: file``` and: ```properties: overriding other security properties files!``` – Lao Tse Dec 17 '20 at 15:57
  • Thanks @Sean Mullan, -Djava.security.debug=properties is very useful! My properties are overwritten by the Red Hat system: "properties: reading security properties file: file:/tmp/2/java-security-overwrite.properties properties: reading system security properties file /etc/crypto-policies/back-ends/java.config" – Leon Chen Oct 22 '21 at 06:25
  • @LeonChen, how did you overcome the issue of properties being overridden by system security properties? Also we don't see the list of properties read from our custom java.security file, is that the case with your env as well? I could see the following: properties: overriding other security properties files! properties: reading security properties file: file://java.security – Prabha Mar 31 '22 at 01:43
  • @Prabha: In my case, I added the JVM option -Djava.security.properties=somefile; it worked in some VMs but did not work in others. After adding -Djava.security.debug=properties, I knew the reason, so I modified /etc/crypto-policies/back-ends/java.config directly. – Leon Chen Mar 31 '22 at 05:36
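
The ordering point from the answer, as an added example that is not code from any of the posts above: it sets java.security.properties before the first use of java.security.Security and then checks the effective value instead of assuming the override took effect. The class name, the temporary file and the sample value are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;

public class SecurityOverrideCheck {
    static final String KEY = "jdk.tls.disabledAlgorithms";
    // Constructed sample value, not a recommended policy.
    static final String WANTED = "RC4, DES, MD5withRSA, 3DES_EDE_CBC, anon, NULL";

    public static void main(String[] args) throws IOException {
        // Constructed override file holding the single line to apply.
        Path override = Files.createTempFile("java-security-override", ".properties");
        Files.writeString(override, KEY + "=" + WANTED + System.lineSeparator());

        // java.security.Security loads its property files once, when the class is
        // initialized. The system property must be set before anything touches
        // that class (Security, JSSE, KeyStore, ...), or it is ignored.
        System.setProperty("java.security.properties", override.toAbsolutePath().toString());

        // First use of Security: master java.security is read, then the override.
        String effective = Security.getProperty(KEY);
        System.out.println("override file: " + override.toAbsolutePath());
        System.out.println("effective " + KEY + " = " + effective);

        if (WANTED.equals(effective)) {
            System.out.println("OK: override applied");
            return;
        }
        // Reasons reported on this page: the file failed to load, or another
        // properties file read afterwards replaced the value.
        System.err.println("FAIL: override not in effect; rerun with "
                + "-Djava.security.debug=properties to see which files were read");
        System.exit(1);
    }
}
```

On JDK 11 this runs directly with `java SecurityOverrideCheck.java`; a non-zero exit code makes it usable as a startup or CI check on each target VM.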