SDK Security policy files

The IBM SDK provides both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files to use.

Policy files are used by the SecurityManager class to grant access to Java permissions. When you run a Java application with a security manager, if access to a resource is required but is not defined by a policy file, access is denied.

Note: The SecurityManager is deprecated in Java 17 and subject to removal in a future release. There is no replacement for the Security Manager. See JEP 411 for discussion and alternatives.

You can use a policy file to customize the cryptographic key strength that you require. This flexibility is useful because import and export control rules on cryptographic software vary from country to country.

A policy file is a flat text file that is distributed in a .jar file. The following policy files are included:

Unlimited jurisdiction policy files
These policy files contain no restrictions on cryptographic strengths or algorithms.
  • conf/security/policy/unlimited/default_US_export.policy
  • conf/security/policy/unlimited/default_local.policy

Limited jurisdiction policy files
These policy files contain more restricted cryptographic strengths.
  • conf/security/policy/limited/default_US_export.policy
  • conf/security/policy/limited/default_local.policy
  • conf/security/policy/limited/exempt_local.policy

The unlimited jurisdiction policy files are used by default.

Each subdirectory under the policy directory contains a complete policy configuration. You can add subdirectories to reflect your import or export control requirements. Within a subdirectory, the effective policy is the combined minimum permissions of the grant statements in the files that match the filename pattern default_*.policy. At least one grant statement is required. The effective exemption policy is the combined minimum permissions of the grant statements in the files that match the filename pattern exempt_*.policy. Exemption grants are optional.

To use a policy configuration other than the default, set the crypto.policy property in the conf/security/java.security file to the value of the relevant subdirectory. For example, use the following setting to use the limited policy files:
crypto.policy=limited
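
One way to confirm at run time which key sizes the effective jurisdiction policy permits after changing crypto.policy, as an added example (not code from the SDK or the OpenJDK documentation). The class name and the required key sizes are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;

// Added example (hypothetical class name): fail fast if the effective
// jurisdiction policy caps key sizes below what the application needs.
public class CryptoPolicyCheck {

    // Assumed requirements for illustration: transformation -> minimum key bits.
    static Map<String, Integer> requiredKeyBits() {
        Map<String, Integer> required = new LinkedHashMap<>();
        required.put("AES", 256);
        required.put("ChaCha20", 256);
        return required;
    }

    // Compares the policy's per-algorithm ceiling with each requirement.
    // Integer.MAX_VALUE from getMaxAllowedKeyLength means "no restriction".
    static List<String> violations(Map<String, Integer> required)
            throws NoSuchAlgorithmException {
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, Integer> e : required.entrySet()) {
            int allowed = Cipher.getMaxAllowedKeyLength(e.getKey());
            if (allowed < e.getValue()) {
                found.add(e.getKey() + ": policy allows " + allowed
                        + " bits, application requires " + e.getValue());
            }
        }
        return found;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Value from conf/security/java.security; null if the property is not set.
        String configured = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + configured);

        List<String> problems = violations(requiredKeyBits());
        problems.forEach(System.err::println);
        if (!problems.isEmpty()) {
            System.exit(1); // refuse to start with a weaker policy than required
        }
        System.out.println("Effective policy permits all required key sizes.");
    }
}
```

Run it with the same JDK and java.security file that the application uses, so the result reflects the policy subdirectory that crypto.policy selects.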

For more information about these files and their syntax, see Cryptographic Strength Configuration and Default Policy Implementation and Policy File Syntax in the OpenJDK documentation.