SDK Security policy files

The IBM SDK provides both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files to use.

Policy files are used by the SecurityManager class to grant access to Java permissions. When you run a Java application with a security manager, if access to a resource is required but is not defined by a policy file, access is denied.

You can use a policy file to customize the cryptographic key strength that you require. This flexibility is useful because import and export control rules on cryptographic software vary from country to country.

Start of changes for service refresh 5 fix pack 10

A policy file is a flat text file that is distributed in a .jar file. The following policy files are included:

Unlimited jurisdiction policy files

These policy files contain no restrictions on cryptographic strengths or algorithms.

  • jre/lib/security/policy/unlimited/US_export_policy.jar
  • jre/lib/security/policy/unlimited/local_policy.jar

Limited jurisdiction policy files

These policy files contain more restricted cryptographic strengths.

  • jre/lib/security/policy/limited/US_export_policy.jar
  • jre/lib/security/policy/limited/local_policy.jar

The unlimited jurisdiction policy files are used by default.

End of changes for service refresh 5 fix pack 10

Each subdirectory under the policy directory contains a complete policy configuration. You can add subdirectories to reflect your import or export control requirements. Within a subdirectory, the effective policy is the combined minimum permissions of the grant statements in the files that match the filename pattern default_*.policy. At least one grant statement is required. The effective exemption policy is the combined minimum permissions of the grant statements in the files that match the filename pattern exempt_*.policy. Exemption grants are optional.

To use a policy configuration other than the default, set the crypto.policy property in the java.security file to the value of the relevant subdirectory. For example, use the following setting to use the limited policy files:
crypto.policy=limited

For more information about these files and their syntax, see Cryptographic Strength Configuration and Default Policy Implementation and Policy File Syntax in the OpenJDK documentation.

Note: In earlier updates, the limited jurisdiction policy files were the default and the unlimited files were stored in the /demo/jce/policy-files/unrestricted/ directory. To use the unlimited files, they had to be copied to the jre/lib/security/ directory. For backward compatibility, any files copied to the jre/lib/security/ directory override the crypto.policy property setting in the java.security file.
Note: These policy files are for use with IBM® SDKs including Solaris and HP.

Start of changes for service refresh 5 fix pack 20

The policy files were updated for service refresh 5, fix pack 20 (July 2018) because the previous JCE code signing certificate was due to expire in October of that year.

End of changes for service refresh 5 fix pack 20

Start of changes for service refresh 7

From service refresh 7, the JCE jurisdiction policy files (and the IBM security providers) are signed with the SHA256withRSA signature algorithm to enhance the security of JAR file signing and verification.

End of changes for service refresh 7

Specifying a different directory for the policy files

Start of changes for service refresh 5 fix pack 10

Because policy files are now stored in the jre/lib/security/policy/limited and jre/lib/security/policy/unlimited directories, the -Dcom.ibm.security.jurisdictionPolicyDir property described in the following text is no longer required. However, the property is retained for backward compatibility. This property takes precedence over the crypto.policy property setting in the java.security file. Therefore, you can continue to use this mechanism without making any changes to your upgrade process.

End of changes for service refresh 5 fix pack 10

If you use the now redundant method of copying the jurisdiction policy files to the jre/lib/security/ directory of the SDK, the files are used by default, but they are also overwritten when you upgrade the SDK. The -Dcom.ibm.security.jurisdictionPolicyDir=<policy_file_location> system property allows you to place the files in a directory outside the default installation directory for the SDK. You must not change the names of the files. For debugging, you can use the -Djava.security.debug=ibmjcefw system property to print the location of the policy files to the System.out stream. For example:
java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted -Djava.security.debug=ibmjcefw myApplication
This command runs the myApplication Java™ application, using unlimited jurisdiction policy files from the /mypolicyfiles/unrestricted directory, and displays the following information:
export policy URL:file: /mypolicyfiles/unrestricted/US_export_policy.jar
import policy URL:file: /mypolicyfiles/unrestricted/local_policy.jar
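
To confirm which of the mechanisms described on this page is actually in effect on a given runtime, the following added example (not IBM code; the class name PolicyCheck is hypothetical) reports the crypto.policy value, the two override mechanisms, and the key-length limit that the JCE framework enforces. It assumes that java.home resolves to the jre directory of the SDK.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

// Added example: audits the jurisdiction policy inputs and the enforced limit.
public class PolicyCheck {
    static final String[] JARS = {"US_export_policy.jar", "local_policy.jar"};

    // True when both jurisdiction policy jars exist in dir.
    static boolean hasPolicyJars(File dir) {
        for (String jar : JARS) {
            if (!new File(dir, jar).isFile()) return false;
        }
        return true;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Assumption: java.home is <sdk>/jre, so this is jre/lib/security.
        File securityDir = new File(System.getProperty("java.home"), "lib/security");
        String configured = Security.getProperty("crypto.policy");
        String dirOverride = System.getProperty("com.ibm.security.jurisdictionPolicyDir");
        boolean legacyCopy = hasPolicyJars(securityDir);

        System.out.println("crypto.policy in java.security: " + configured);
        System.out.println("jurisdictionPolicyDir property: " + dirOverride);
        System.out.println("policy jars copied into " + securityDir + ": " + legacyCopy);

        if (dirOverride != null && !hasPolicyJars(new File(dirOverride))) {
            System.out.println("WARNING: override directory lacks one or both policy jars");
        }
        // Both mechanisms take precedence over crypto.policy, so a reviewed
        // java.security file alone does not prove which policy is loaded.
        if (dirOverride != null || legacyCopy) {
            System.out.println("NOTE: the crypto.policy setting is overridden");
        }

        // Integer.MAX_VALUE means no key-length restriction is enforced.
        for (String alg : new String[] {"AES", "RSA"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.println(alg + " max key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        }
    }
}
```

Run it with the same JVM options as the application being checked, because the jurisdictionPolicyDir property is read from the command line.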