SDK Security policy files
The IBM SDK provides both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files to use.
Policy files are used by the SecurityManager class to grant access to Java permissions. When you run a Java application with a security manager, if access to a resource is required but is not defined by a policy file, access is denied.
You can use a policy file to customize the cryptographic key strength that you require. This flexibility is useful because import and export control rules on cryptographic software vary from country to country.
- Unlimited jurisdiction policy files
-
These policy files contain no restrictions on cryptographic strengths or algorithms.
- jre/lib/security/policy/unlimited/US_export_policy.jar
- jre/lib/security/policy/unlimited/local_policy.jar
- Limited jurisdiction policy files
-
These policy files contain more restricted cryptographic strengths.
- jre/lib/security/policy/limited/US_export_policy.jar
- jre/lib/security/policy/limited/local_policy.jar
Each subdirectory under the policy directory contains a complete policy configuration. You can add subdirectories to reflect your import or export control requirements. Within a subdirectory, the effective policy is the combined minimum permissions of the grant statements in the files that match the filename pattern default_*.policy. At least one grant statement is required. The effective exemption policy is the combined minimum permissions of the grant statements in the files that match the filename pattern exempt_*.policy. Exemption grants are optional.
crypto.policy=limited
For more information about these files and their syntax, see Cryptographic Strength Configuration and Default Policy Implementation and Policy File Syntax in the OpenJDK documentation.
The policy files were updated for service refresh 5, fix pack 20 (July 2018) because the previous JCE code signing certificate was due to expire in October of that year.
From service refresh 7, the JCE jurisdiction policy files (and the IBM security providers) are signed with the SHA256withRSA signature algorithm to enhance the security of JAR file signing and verification.
Specifying a different directory for the policy files
Because policy files are now stored in the jre/lib/security/policy/limited and jre/lib/security/policy/unlimited directories, the -Dcom.ibm.security.jurisdictionPolicyDir property described in the following text is no longer required. However, the property is retained for backward compatibility. This property takes precedence over the crypto.policy property setting in the java.security file. Therefore, you can continue to use this mechanism without making any changes to your upgrade process.
java -Dcom.ibm.security.jurisdictionPolicyDir=/mypolicyfiles/unrestricted -Djava.security.debug=ibmjcefw myApplication
This
command runs the myApplication Java™ application, using
unlimited jurisdiction policy files from the /policyfiles/unrestricted
directory, and displays the following
information:export policy URL:file: /mypolicyfiles/unrestricted/US_export_policy.jar
import policy URL:file: /mypolicyfiles/unrestricted/local_policy.jar