Service refresh 2

Read about the changes in service refresh 2, and subsequent fix packs.

Skip to Service refresh 2 fix pack 10

Service refresh 2

This refresh includes changes that result from Oracle security updates.
New security property com.ibm.security.krb5.autodeducerealm=true|false

This property is set to false by default. A security permission check is performed on a principal with deduced realm. The check ensures that only the authorized principal can initiate or accept secure connections. If the value of this property is true, there is no security check performed. This property is used by the IBM JGSS provider.

New security property jdk.tls.server.defaultDHEParameters

JSSE uses a default set of hardcoded Diffie-Hellman (DH) primes for each DH group. To improve the security of DH key pair generation, you can now provide custom values for DH primes by using the security property jdk.tls.server.defaultDHEParameters, or by configuring the java.security file. For more information, see the java.security file.

Service refresh 2 fix pack 10

This update contains new support for RFC5915 encoded EC private keys and a change in default behavior for SSL communication.

New support for RFC5915 encoded EC private keys
Support for EC private keys that are encoded according to the format specified in the RFC5915 document is added to the IBMJCE provider. The ibm.security.internal.spec.RFC5915ECPrivateKeyEncodedKeySpec class is introduced to represent these private keys.
Certificates signed with MD5 are no longer allowed by default
In response to the SLOTH security vulnerability, the use of MD5 in SSL communication is disabled in the SDK by default. Certificates signed with MD5 are no longer allowed. However, if you are unable to use an alternative in the short term, you can reverse this change by making changes to the java.security file that is located in the <JAVA_HOME>\lib\security directory.
  • Remove the value MD5 from the property jdk.certpath.disabledAlgorithms.
  • Remove the value MD5withRSA from the property jdk.tls.disabledAlgorithms.
Note: By removing these values and allowing the use of certificates signed with MD5 in SSL communication you are exposed to the SLOTH security vulnerability.