Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8173410

Add commented config line for jdk.security.provider.preferred

    Details

    • Subcomponent:
    • Resolved In Build:
      b157
    • CPU:
      sparc
    • OS:
      solaris_11

      Backports

        Description

        The performance team, PAE, is requesting to have a preferred provider security property defined for solaris-sparc to not use UcryptoProvider and SunPKCS11 on certain intrinsifyed algorithms.

        This was put in previously but removed because of Solaris Security's concern that customers who had enabled FIPS-140 in the Solaris Crypto Framework would unknowing invalidate the boundary because the preferred provider property would direct operations away from the Solaris Crypto Framework.

        The current proposal is to put the perferred provider line back in, but have it commented out. PAE will inform customers on how to enable the preferred provider option. The line that would be add is:

        #jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE

          Issue Links

            Activity

            Hide
            bubbva Valerie Fenwick (Inactive) added a comment -
            This seems like a good approach. Perhaps in a future release this could be covered by documentation and we may be able to have it on by default.
            Show
            bubbva Valerie Fenwick (Inactive) added a comment - This seems like a good approach. Perhaps in a future release this could be covered by documentation and we may be able to have it on by default.
            Hide
            kko Kengtai Ko (Inactive) added a comment -
            Thanks for adding the line back in. Though commented, it will help serve as "suggested list" for Solaris-SPARC customers to easily enable those optimized crypto providers by un-commenting this line.

            As Valerie indicated, for the long term, we do like to have the list turned on by default.
            Show
            kko Kengtai Ko (Inactive) added a comment - Thanks for adding the line back in. Though commented, it will help serve as "suggested list" for Solaris-SPARC customers to easily enable those optimized crypto providers by un-commenting this line. As Valerie indicated, for the long term, we do like to have the list turned on by default.
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/223b9c6c892f
            User: ascarpino
            Date: 2017-02-08 19:02:11 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/223b9c6c892f User: ascarpino Date: 2017-02-08 19:02:11 +0000
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/223b9c6c892f
            User: lana
            Date: 2017-02-15 20:09:52 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/223b9c6c892f User: lana Date: 2017-02-15 20:09:52 +0000

              People

              • Assignee:
                ascarpino Anthony Scarpino
                Reporter:
                ascarpino Anthony Scarpino
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: