SDK Security policy files

Start of changes for service refresh 4 fix pack 20
By default, the IBM® SDK provides unlimited strength JCE jurisdiction policy files. To use the limited jurisdiction policy files, set the property crypto.policy=limited in the java.security file.
End of changes for service refresh 4 fix pack 20

Start of changes for service refresh 4 fix pack 30
Because the current JCE code signing certificate expires in October 2018, new policy files are included with this refresh. If you are on an older level of the SDK and unable to move to the latest fix pack, note that the expiry of the certificate has no impact on operations. However, if you want to update your policy files, you can download them from the following site: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/security/jce_policy/
End of changes for service refresh 4 fix pack 30

Start of changes for service refresh 4 fix pack 20
The following policy files are included:
Unlimited jurisdiction policy files
  • jre/lib/security/policy/unlimited/US_export_policy.jar
  • jre/lib/security/policy/unlimited/local_policy.jar
Limited jurisdiction policy files
  • jre/lib/security/policy/limited/US_export_policy.jar
  • jre/lib/security/policy/limited/local_policy.jar
The unlimited jurisdiction policy files are used by default.
Note: In earlier updates, the limited jurisdiction policy files were the default and the unlimited files were stored in the /demo/jce/policy-files/unrestricted/ directory. To use the unlimited files, they had to be copied to the jre/lib/security/ directory. For backward compatibility, any files copied to the jre/lib/security/ directory override the crypto.policy property setting in the java.security file.
End of changes for service refresh 4 fix pack 20
Note: These policy files are for use with IBM SDKs including Solaris and HP.
Start of changes for service refresh 1

Specifying a different directory for the policy files

If you copy the jurisdiction policy files to the jre/lib/security/ directory of the SDK, the files are used by default, but they are also overwritten when you upgrade the SDK. The -Dcom.ibm.security.jurisdictionPolicyDir=<policy_file_location> system property allows you to place the files in a directory outside the default installation directory for the SDK. You must not change the names of the files. For debugging, you can use the -Djava.security.debug=ibmjcefw system property to print the location of the policy files to the System.out stream. For example:
java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted -Djava.security.debug=ibmjcefw myApplication
This command runs the myApplication Java™ application, using unlimited jurisdiction policy files from the /mypolicyfiles/unrestricted directory, and displays the following information:
export policy URL:file: /mypolicyfiles/unrestricted/US_export_policy.jar
import policy URL:file: /mypolicyfiles/unrestricted/local_policy.jar

Start of changes for service refresh 4 fix pack 20
Although policy files are now stored in the jre/lib/security/policy/limited and jre/lib/security/policy/unlimited directories, the -Dcom.ibm.security.jurisdictionPolicyDir property is retained for backward compatibility. This property takes precedence over the crypto.policy property setting in the java.security file. Therefore, you can continue to use this mechanism without making any changes to your upgrade process.
End of changes for service refresh 4 fix pack 20

End of changes for service refresh
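
Because three mechanisms can select the policy files (the jurisdictionPolicyDir system property, files copied to jre/lib/security/, and crypto.policy), a deployment check should confirm which one applies and what key strength the JVM actually allows. The following is an added example, not code from IBM or from the original page; the class name PolicyCheck and its optional argument are hypothetical. It assumes that java.home is the jre directory and that the system property also takes precedence over copied files, which the page implies but does not state outright.

```java
import java.io.File;
import java.security.Security;
import javax.crypto.Cipher;

public class PolicyCheck {
    // Precedence as read from this page (assumed between the first two): the
    // system property, then files copied into jre/lib/security/, then crypto.policy.
    static String policySource(String dirProp, boolean copiedFiles, String cryptoPolicy) {
        if (dirProp != null && !dirProp.isEmpty()) {
            return "-Dcom.ibm.security.jurisdictionPolicyDir=" + dirProp;
        }
        if (copiedFiles) {
            return "policy files copied to jre/lib/security/";
        }
        if (cryptoPolicy != null && !cryptoPolicy.isEmpty()) {
            return "crypto.policy=" + cryptoPolicy;
        }
        return "SDK built-in default";
    }

    public static void main(String[] args) throws Exception {
        // Assumption: java.home is the jre directory, as in a Java 8 SDK layout.
        File secDir = new File(System.getProperty("java.home"), "lib/security");
        boolean copiedFiles = new File(secDir, "US_export_policy.jar").isFile()
                || new File(secDir, "local_policy.jar").isFile();
        String source = policySource(
                System.getProperty("com.ibm.security.jurisdictionPolicyDir"),
                copiedFiles,
                Security.getProperty("crypto.policy"));

        // The JCE framework reports Integer.MAX_VALUE when no key-size limit applies.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        String effective = (maxAes == Integer.MAX_VALUE) ? "unlimited" : "limited";

        System.out.println("policy selected by: " + source);
        System.out.println("max AES key length: " + maxAes + " (" + effective + ")");

        // Optional argument: the policy the deployment is supposed to run with.
        if (args.length == 1 && !args[0].equals(effective)) {
            System.err.println("expected " + args[0] + " policy, found " + effective);
            System.exit(1);
        }
    }
}
```

Run it with the same -D options as the application, for example: java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted PolicyCheck unlimited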