Details

    • Subcomponent:
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

        Description

        This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, the JCE jurisdiction files had to be downloaded and installed separately to allow the JDK to use unlimited cryptography. The download and install steps are no longer necessary. To enable unlimited cryptography, use the new `crypto.policy` Security property. If `crypto.policy` is set in the `java.security` file, or has been set dynamically with `Security.setProperty()` before the JCE framework has been initialized, that setting is honored. By default, the property is undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy `lib/security` directory, the default cryptographic level remains 'limited'. To configure the JDK to use unlimited cryptography, set `crypto.policy` to 'unlimited'. See the notes in the `java.security` file shipping with this release for more information.

        Note: On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4-based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new `crypto.policy` Security property in the `java.security` file.

        Because the old JCE jurisdiction files are left in `<java-home>/lib/security`, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used:
        ```
        Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
                at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593)
                at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524)
        ```
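
A diagnostic for the behavior described above, as an added example that is not part of the original release note or of the JDK sources: it reports any legacy jurisdiction JARs in `<java-home>/lib/security`, sets `crypto.policy` dynamically before the first JCE call, and shows that a later change is not picked up. The class name `CryptoPolicyCheck` is hypothetical, and `local_policy.jar` / `US_export_policy.jar` are the file names of the legacy policy bundle, which the note itself does not list.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

// Added example (hypothetical class name); run with the JDK 8 update under test.
public class CryptoPolicyCheck {
    // File names of the separately downloaded legacy jurisdiction policy bundle.
    private static final String[] LEGACY_JARS = {"local_policy.jar", "US_export_policy.jar"};

    static String describe(int maxBits) {
        return maxBits == Integer.MAX_VALUE ? "unlimited" : "limited (" + maxBits + " bits)";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 1. Look for legacy jurisdiction files left behind in <java-home>/lib/security.
        File secDir = new File(new File(System.getProperty("java.home"), "lib"), "security");
        for (String name : LEGACY_JARS) {
            File jar = new File(secDir, name);
            System.out.println((jar.isFile() ? "present: " : "absent:  ") + jar);
        }

        // 2. Value picked up from the java.security file (null means undefined).
        String configured = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy in java.security: " + configured);

        // 3. If undefined, set it dynamically. No javax.crypto class has been
        //    used yet, so the JCE framework is still uninitialized at this point.
        if (configured == null) {
            Security.setProperty("crypto.policy", "unlimited");
        }

        // 4. The first javax.crypto call initializes the framework and loads the policy.
        int before = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES key length limit: " + describe(before));

        // 5. A change made after initialization is too late to be honored.
        Security.setProperty("crypto.policy", "limited");
        int after = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("after late change:    " + describe(after)
                + (after == before ? " (unchanged)" : " (changed)"));
    }
}
```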

          Activity

          cwayne Clifford Wayne added a comment -
          email from Roger Calnan:
          "creating release notes for both the CPU and PSU for a particular release which is not what we want....remove
          the affectsversion vs. creating multiple release notes. For example:

          https://bugs.openjdk.java.net/browse/JDK-8169716

          there should only be a release note for 8u151."


            People

            • Assignee:
              coffeys Sean Coffey
              Reporter:
              coffeys Sean Coffey