SDK Security policy files
The IBM SDK provides both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files to use.
- Unlimited jurisdiction policy files
- Limited jurisdiction policy files
The policy files were updated for service refresh 5, fix pack 20 (July 2018) because the previous JCE code signing certificate was due to expire in October of that year. If you are on an older level of the SDK and are unable to move to the latest fix pack, note that the expiry of the certificate has no impact on operations. However, if you want to update your policy files, click the following link to navigate to the download site: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/security/jce_policy/
From service refresh 7, the JCE jurisdiction policy files (and the IBM security providers) are signed with the SHA256withRSA signature algorithm to enhance the security of JAR file signing and verification.
Specifying a different directory for the policy files
Because policy files are now stored in the jre/lib/security/policy/limited and jre/lib/security/policy/unlimited directories, the -Dcom.ibm.security.jurisdictionPolicyDir property described in the following text is no longer required. However, the property is retained for backward compatibility. This property takes precedence over the crypto.policy property setting in the java.security file. Therefore, you can continue to use this mechanism without making any changes to your upgrade process.
The following command runs the myApplication Java™ application, using unlimited jurisdiction policy files from the /mypolicyfiles/unrestricted directory, and displays the following information:
java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted -Djava.security.debug=ibmjcefw myApplication
export policy URL:file: /mypolicyfiles/unrestricted/US_export_policy.jar
import policy URL:file: /mypolicyfiles/unrestricted/local_policy.jar
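The debug output shows which policy JAR files were loaded; the following added example (not part of the IBM documentation) checks what the JCE framework actually enforces at run time. The class name JurisdictionPolicyCheck and its optional argument are hypothetical, and the 128-bit AES limit for the limited policy files is an assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

/** Added example: reports which JCE jurisdiction policy the running JVM enforces. */
public class JurisdictionPolicyCheck {

    // Assumption: the limited policy files cap AES keys at 128 bits, while
    // the unlimited files report Integer.MAX_VALUE.
    static String classify(int maxAesBits) {
        return maxAesBits > 128 ? "unlimited" : "limited";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Optional argument: the policy the deployment expects ("limited" or "unlimited").
        String expected = args.length > 0 ? args[0] : null;

        // The system property, when set, takes precedence over crypto.policy.
        String dir = System.getProperty("com.ibm.security.jurisdictionPolicyDir");
        String policy = Security.getProperty("crypto.policy");
        System.out.println("jurisdictionPolicyDir = " + (dir == null ? "(not set)" : dir));
        System.out.println("crypto.policy         = " + (policy == null ? "(not set)" : policy));

        // Ask the JCE framework what it actually enforces, per algorithm.
        for (String alg : new String[] {"AES", "DESede", "RSA"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.printf("%-7s max key length: %s%n", alg,
                    max == Integer.MAX_VALUE ? "no limit" : max + " bits");
        }

        String effective = classify(Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("effective policy      = " + effective);

        // Exit nonzero on a mismatch so a deployment script can stop early.
        if (expected != null && !expected.equals(effective)) {
            System.err.println("MISMATCH: expected " + expected + " but JVM enforces " + effective);
            System.exit(1);
        }
    }
}
```

Run it with the same -D options as the application and pass limited or unlimited as the argument; a nonzero exit status indicates that the enforced policy differs from the expected one.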