Fix Version/s: openjdk8u262
Compatibility Risk Description: The introduction of a Security property mirroring an existing System property should not pose any compatibility risk.
Interface Kind: System or security property
Differences with original CSR: none
Differences with 11.0.8 CSR: none
Mirror the jdk.security.allowNonCaAnchor System property with a Security one of the same name. In the case that both are simultaneously set, the System property overrides.
Even though the jdk.security.allowNonCaAnchor System property can be used for backward-compatibility purposes after JDK-8230318, it's not possible to set its value in a global and persistent way: it has to be set as an argument for each JVM invocation.
By mirroring the jdk.security.allowNonCaAnchor System property with a Security one of the same name, the property value can be set in a global and persistent java.security file.
X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS connections) must have the cA Basic Constraint field set to 'true'. Also, if they include a Key Usage extension, the keyCertSign bit must be set. These checks, enabled by default, can be disabled for backward-compatibility purposes with the jdk.security.allowNonCaAnchor System and Security properties. In the case that both properties are simultaneously set, the System value prevails.
More information about the jdk.security.allowNonCaAnchor property can be found here.
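An audit sketch for the behaviour described above, added here as an example and not taken from the JDK sources: it reports the effective value of jdk.security.allowNonCaAnchor (System value first, then the Security value) and lists truststore entries that would fail the cA / keyCertSign checks. The class name, the default cacerts path and the "changeit" password are assumptions; pass your own truststore path and password as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class NonCaAnchorAudit { // hypothetical class name
    static final String PROP = "jdk.security.allowNonCaAnchor";

    // When both are set, the System property overrides the Security property.
    static String effectiveValue() {
        String sys = System.getProperty(PROP);
        return sys != null ? sys : Security.getProperty(PROP);
    }

    // True when a v3 certificate lacks cA=true, or has Key Usage without keyCertSign.
    static boolean failsAnchorChecks(X509Certificate cert) {
        if (cert.getVersion() != 3) return false;          // rule is stated for X.509 v3
        if (cert.getBasicConstraints() == -1) return true; // -1 means "not a CA"
        boolean[] ku = cert.getKeyUsage();                 // null: no Key Usage extension
        return ku != null && !(ku.length > 5 && ku[5]);    // index 5 is keyCertSign
    }

    // Aliases of trusted-certificate entries that fail the checks.
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && failsAnchorChecks((X509Certificate) c)) {
                findings.add(alias);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the running JVM's cacerts file and its stock password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        System.out.println(PROP + " effective value: " + effectiveValue());
        for (String a : audit(ks)) System.out.println("fails anchor checks: " + a);
    }
}
```

An empty result means no anchor in that truststore depends on the relaxation, so the property can stay unset in both the java.security file and the JVM arguments.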