Using the java.security file in Java 8
Starting with Java™ 8, WebSphere® uses the IBMJDK java.security file.
On other versions of the JDK, WebSphere provides a customized java.security file. The WebSphere runtime security code has been modified to set up the java security information that used to be part of the customized java.security file.
Provider List
WebSphere comes with a custom provider list that includes the PKCS11 and CMS providers that the IBMJDK provider list did not previously include by default. These providers are now programmatically added in Java 8. The code checks whether these providers already exist in the provider list before adding them.
Default SSLSocketFactory and SSLServerSocketFactory
WebSphere SSL code depends on custom socket factories for features like programmatic SSL and Dynamic outbound SSL. The custom socket factories are set using the security properties that are defined in the java.security file. The WebSphere SSL initialization code programmatically sets these properties if they are not set so that the feature that depends on them continues to work on the server.
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
java.security.properties system property to point to the file that contains the socket factory properties. The client program can be called like this, assuming the properties are in a file called socket.properties.
java -Djava.security.properties=socket.properties clientProgram
WebSphere also provides a mechanism to augment the java.security file. If you need to make system-wide changes to the java.security file, edit the WAS_HOME/properties/java.security file. Any updates that are put in this file override the java/jre/security/java.security file. Add only the differences to this file rather than replacing the entire contents, so that any security vulnerabilities that are fixed in a future Java service release are still picked up. The java.security file in the java/jre/lib/security directory is overwritten when Java updates are applied, but the file in WAS_HOME/properties is non-serviceable.
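The advice to keep only differences in WAS_HOME/properties/java.security can be checked mechanically. The following is an added example, not IBM or WebSphere code: it compares an override file with the JDK base file and flags keys that merely repeat the base value, because such a key would keep the old value after a Java service release changes it. The file contents and the helper names parse_security_props and audit_override are constructed for illustration.

```python
# Added example: audit a java.security override file against the JDK base file.
# All sample file contents below are constructed for illustration.

def parse_security_props(text):
    """Parse key=value lines, skipping #/! comments and joining '\\' continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment outside a value
        if line.endswith("\\"):
            logical += line[:-1]          # drop the backslash, keep joining
            continue
        key, sep, value = (logical + line).partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props

def audit_override(base_text, override_text):
    """Classify each override key as added, changed, or redundant (same as base)."""
    base = parse_security_props(base_text)
    report = {"added": {}, "changed": {}, "redundant": []}
    for key, value in parse_security_props(override_text).items():
        if key not in base:
            report["added"][key] = value
        elif base[key] == value:
            report["redundant"].append(key)   # pins today's value past future JDK fixes
        else:
            report["changed"][key] = (base[key], value)
    return report

BASE = """\
# constructed stand-in for the JDK java.security file
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 1024
networkaddress.cache.negative.ttl=10
"""
OVERRIDE = """\
# constructed stand-in for WAS_HOME/properties/java.security
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024
networkaddress.cache.negative.ttl=5
"""

if __name__ == "__main__":
    for section, found in audit_override(BASE, OVERRIDE).items():
        print(section, found)
```

To audit a real installation, read the text of the two files and pass it to audit_override; entries reported as redundant are candidates for removal from the override file.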