SDK Security policy files

The IBM SDK provides both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files to use.

Start of changes for service refresh 5 fix pack 10The following policy files are included. :
Unlimited jurisdiction policy files
  • jre/lib/security/policy/unlimited/US_export_policy.jar
  • jre/lib/security/policy/unlimited/local_policy.jar
Limited jurisdiction policy files
  • jre/lib/security/policy/limited/US_export_policy.jar
  • jre/lib/security/policy/limited/local_policy.jar
The unlimited jurisdiction policy files are used by default. To use the limited jurisdiction policy files, set the property crypto.policy=limited in the java.security file.
Note: In earlier updates, the limited jurisdiction policy files were the default and the unlimited files were stored in the /demo/jce/policy-files/unrestricted/ directory. To use the unlimited files, they had to be copied to the jre/lib/security/ directory. For backward compatibility, any files copied to the jre/lib/security/ directory override the crypto.policy property setting in the java.security file.
End of changes for service refresh 5 fix pack 10
Note: These policy files are for use with IBM® SDKs including Solaris and HP.

Start of changes for service refresh 5 fix pack 20The policy files were updated for service refresh 5, fix pack 20 (July 2018) because the previous JCE code signing certificate was due to expire in October of that year. If you are on an older level of the SDK and are unable to move to the latest fix pack, note that the expiry of the certificate has no impact on operations. However, if you want to update your policy files, click the following link to navigate to the download site: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/security/jce_policy/End of changes for service refresh 5 fix pack 20

Start of changes for service refresh 7From service refresh 7, the JCE jurisdiction policy files (and the IBM security providers) are signed with the SHA256withRSA signature algorithm to enhance the security of JAR file signing and verification.End of changes for service refresh 7

Specifying a different directory for the policy files

Start of changes for service refresh 5 fix pack 10Because policy files are now stored in the jre/lib/security/policy/limited and jre/lib/security/policy/unlimited directories, the -Dcom.ibm.security.jurisdictionPolicyDir property described in the following text is no longer required. However, the property is retained for backward compatibility. This property takes precedence over the crypto.policy property setting in the java.security file. Therefore, you can continue to use this mechanism without making any changes to your upgrade process.End of changes for service refresh 5 fix pack 10

If you use the now redundant method of copying the jurisdiction policy files to the jre/lib/security/ directory of the SDK, the files are used by default but they are also overwritten when you upgrade the SDK. The -Dcom.ibm.security.jurisdictionPolicyDir=<policy_file_location> system property allows you to place the files in a directory outside the default installation directory for the SDK (You must not change the names of the files). You can use the -Djava.security.debug=ibmjcefw system property to print the location of the policy files to the system.out stream, for debug purposes. For example:
java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted -Djava.security.debug=ibmjcefw myApplication
This command runs the myApplication Java™ application, using unlimited jurisdiction policy files from the /policyfiles/unrestricted directory, and displays the following information:
export policy URL:file: /mypolicyfiles/unrestricted/US_export_policy.jar
import policy URL:file: /mypolicyfiles/unrestricted/local_policy.jar