IBM Support

How to customize the disabledAlgorithms settings without editing the java.security file when using WebSphere Application Server or WebSphere Liberty

How To


Summary

The java.security file is normally loaded at startup, but customizing this file can be restricted by file permissions. If you want to customize the settings in it for a specific application server (instead of the entire cell), such as the jdk.tls.disabledAlgorithms setting, the java.security.properties JVM argument can be used.

Objective

The java.security file is normally located within the JAVA_HOME/jre/lib/security directory.  This file contains the default security settings loaded by the JVM, including the disabledAlgorithms settings used globally by all application servers that use this SDK. 
With the -Djava.security.properties argument, a customized set of security settings is loaded in addition to the global settings. 

Steps

First, create a separate text file containing the properties you want to use. The example shows both the tls and certpath settings configured:
your.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede,  EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,  RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
Instructions for WebSphere Application Server
  • In the admin console, go to Security > Global Security (or Security > Security Domains > DOMAIN_NAME)
  • Click the link for Custom Properties
  • To use the java.security settings for disabledAlgorithms, set the following security custom properties to the value none, for each property you are configuring in the your.security file (there is one for the tls algorithms and one for the certpath algorithms). 
    • com.ibm.websphere.tls.disabledAlgorithms
    • com.ibm.websphere.certpath.disabledAlgorithms
  • Next, add the JVM arguments
    • For WebSphere Application Server instance:
      • Servers > [+] Server Types > WebSphere Application Servers > SERVER_NAME > [+] Java and Process Management > Process Definition > Java Virtual Machine
    • For NodeAgent:
      • System Administration > Node Agents > NODEAGENT_NAME > [+] Java and Process Management > Process Definition > Java Virtual Machine
    • For Deployment Manager:
      • System Administration > Deployment Manager > [+] Java and Process Management > Process Definition > Java Virtual Machine
    • Scroll down to the Generic JVM arguments to add the following
      • -Djava.security.properties=/path/to/your.security
    • Alternatively, this setting can be added as a JVM custom property instead: click Custom Properties instead of scrolling to the Generic JVM arguments, set the property name to java.security.properties and the value to the path of the your.security file. Do not use the -D prefix when configured this way.
  • Then, save the changes (sync the nodes if applicable), and restart the appserver instance
Instructions for WebSphere Liberty
  • Edit the jvm.options file and add the following argument
    • -Djava.security.properties=/path/to/your.security
  • Restart the WebSphere Liberty appserver instance. 

Additional Information

What if the SDK is upgraded or changed (such as using managesdk.sh)?
Upgrades to the SDK might revert changes to files in the JAVA_HOME/jre/lib/security directory, including java.security. If you make changes to that file directly, a new java.security file can replace it after an upgrade and your changes can be lost. 
More information on the serviceability of specific files that are part of the SDK can be found here: https://www.ibm.com/support/pages/node/616845
What is the WAS_HOME/properties/java.security file used for?
WebSphere Application Server traditional installations might also include a separate java.security file located in WAS_HOME/properties directory.  This file can be used to configure further java.security settings without needing to edit the global java.security file, but this file affects all of the appserver instances for this installation.
If java.security.properties is configured as a JVM argument or custom property, the WAS_HOME/properties/java.security file is no longer loaded.
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=communications-using-javasecurity-file-in-java-8
How to locate the currently used disabledAlgorithms settings (WebSphere Application Server traditional)
During startup of a WebSphere Application Server instance, informational messages near the beginning of the log indicate which disabledAlgorithms settings are in use. These messages show the current value of each property, and can be used as a template rather than copying the settings directly from the java.security file. Look for the messages labeled CWPKI0051I, which indicate the settings for either disabledAlgorithms property, for example: 
SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.certpath.disabledAlgorithms set to [MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224].  The WebSphere Application server is setting the java security property jdk.certpath.disabledAlgorithms to [MD2, RSA keySize < 1024, MD5].
If either of the com.ibm.websphere.***.disabledAlgorithms settings is set to none, you might see a different message (CWPKI0050I) reporting the java.security file property (and not the WebSphere Application Server property), for example:
SSLConfigMana I   CWPKI0050I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].
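To confirm which disabledAlgorithms values a server is actually running with, the two startup messages above can be parsed instead of read by eye. The following script is an added example (not IBM's tooling): it extracts the java.security value and, for CWPKI0051I, the value the WebSphere property replaces it with, and lists any entry that java.security disables but the WebSphere property does not. The log lines are the two messages quoted on this page plus one constructed unrelated line.

```python
"""Parse CWPKI0050I / CWPKI0051I startup messages to report the effective
disabledAlgorithms settings (added example, not IBM's code)."""
import re

# Matches both message forms; the trailing "WebSphere ... is setting" clause
# only appears in CWPKI0051I, so it is optional.
CWPKI_RE = re.compile(
    r"(?P<msgid>CWPKI005[01]I): The process has the java security property "
    r"(?P<prop>jdk\.(?:tls|certpath)\.disabledAlgorithms) set to \[(?P<jvm>[^\]]*)\]"
    r"(?:\.\s+The WebSphere Application server is setting the java security property "
    r"(?P=prop) to \[(?P<was>[^\]]*)\])?"
)

# The two messages quoted on this page, plus a constructed unrelated line.
SAMPLE_LOG_LINES = [
    "SSLConfigMana I   CWPKI0051I: The process has the java security property "
    "jdk.certpath.disabledAlgorithms set to [MD2, MD5, SHA1 jdkCA & usage TLSServer, "
    "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224].  The WebSphere "
    "Application server is setting the java security property "
    "jdk.certpath.disabledAlgorithms to [MD2, RSA keySize < 1024, MD5].",
    "SSLConfigMana I   CWPKI0050I: The process has the java security property "
    "jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
    "DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].",
    "SomeOtherComp I   constructed unrelated log line, ignored by the parser",
]


def split_algorithms(text):
    """Split the comma-separated contents of a [...] list into trimmed entries."""
    return [entry.strip() for entry in text.split(",") if entry.strip()]


def parse_cwpki_line(line):
    """Return a summary dict for a CWPKI0050I/CWPKI0051I line, or None otherwise."""
    match = CWPKI_RE.search(line)
    if not match:
        return None
    from_java_security = split_algorithms(match.group("jvm"))
    from_websphere = None
    if match.group("was") is not None:
        from_websphere = split_algorithms(match.group("was"))
    # CWPKI0051I: the WebSphere property value is what the server uses;
    # CWPKI0050I: the java.security value is used as-is.
    effective = from_websphere if from_websphere is not None else from_java_security
    return {
        "message_id": match.group("msgid"),
        "property": match.group("prop"),
        "java_security_value": from_java_security,
        "websphere_value": from_websphere,
        "effective": effective,
        # Entries disabled in java.security that the WebSphere property does not disable.
        "dropped_by_websphere": [a for a in from_java_security if a not in effective],
    }


def effective_disabled_algorithms(log_lines):
    """Map each disabledAlgorithms property to the summary of its last CWPKI message."""
    summary = {}
    for line in log_lines:
        parsed = parse_cwpki_line(line)
        if parsed is not None:
            summary[parsed["property"]] = parsed
    return summary


if __name__ == "__main__":
    for prop, info in effective_disabled_algorithms(SAMPLE_LOG_LINES).items():
        print(prop, info["message_id"], "effective:", info["effective"])
        if info["dropped_by_websphere"]:
            print("  disabled in java.security but not by the WebSphere property:",
                  info["dropped_by_websphere"])
```

Run it against SystemOut.log of each server after the restart: a CWPKI0050I line for a property means the java.security (or your.security) value is in effect, while a CWPKI0051I line means the com.ibm.websphere property is still set and replaces it, and the dropped_by_websphere list shows exactly which entries that replacement leaves enabled.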
Loading a separate copy of the java.security file
When you use a double equals sign, you tell the JVM to ignore the default java.security file and load only this file. 
  • -Djava.security.properties==/path/to/copied/java.security
If a single equals sign is used, the JVM loads both files: the default java.security file is loaded first, and your copy is applied on top of it, so its values win for any key defined in both files.
  • -Djava.security.properties=/path/to/your.security
More information on the java.security.properties property can be found in the commented sections of the JAVA_HOME/jre/lib/security/java.security file.
# An alternate java.security properties file may be specified
# from the command line via the system property
#
#    -Djava.security.properties=<URL>
#
# This properties file appends to the default security properties file.
# If both properties files specify values for the same key, the value
# from the command-line properties file is selected, as it is the last
# one loaded.
#
# Also, if you specify
#
#    -Djava.security.properties==<URL> (2 equals),
#
# then that properties file completely overrides the default security
# properties file.
#
# To disable the ability to specify an additional properties file from
# the command line, set the key security.overridePropertiesFile
# to false in the default security properties file. It is set to true
# by default.
...

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true
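The rules in the quoted comments (single equals appends and overrides per key, double equals replaces the whole file, and security.overridePropertiesFile=false disables the argument) are emulated below as an added example. This is not the JDK's or WebSphere's own implementation; the abbreviated default file is a constructed stand-in, while the your.security values are the ones shown earlier on this page.

```python
"""Emulation of how -Djava.security.properties combines an override file with
the default java.security file (added example; not the JDK's own code)."""

PREFIX = "-Djava.security.properties"


def parse_properties(text):
    """Minimal reader for key=value lines as used in java.security.
    Blank lines and '#'/'!' comment lines are skipped; the single-line form is
    enough for the disabledAlgorithms settings discussed on this page."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_jvm_argument(arg):
    """Return (path, replace_all) for a -Djava.security.properties argument:
    '==' means the file replaces the default entirely, '=' means it is appended."""
    if not arg.startswith(PREFIX):
        raise ValueError("not a java.security.properties argument: " + arg)
    rest = arg[len(PREFIX):]
    if rest.startswith("=="):
        return rest[2:], True
    if rest.startswith("="):
        return rest[1:], False
    raise ValueError("expected '=' or '==' after " + PREFIX)


def effective_security_properties(default_text, override_text, jvm_arg):
    """Property set the JVM ends up with for the given argument form.
    If the default file sets security.overridePropertiesFile=false, the
    command-line file is ignored, as the java.security comments state."""
    default = parse_properties(default_text)
    _, replace_all = parse_jvm_argument(jvm_arg)
    if default.get("security.overridePropertiesFile", "true").lower() != "true":
        return default
    override = parse_properties(override_text)
    if replace_all:
        return override          # '==': only the override file is loaded
    merged = dict(default)
    merged.update(override)      # '=': override wins on duplicate keys, rest kept
    return merged


# Constructed, abbreviated stand-in for JAVA_HOME/jre/lib/security/java.security.
DEFAULT_JAVA_SECURITY = """\
# (constructed sample, not a real default file)
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# The your.security file shown earlier on this page.
YOUR_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede,  EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,  RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""

APPEND_ARG = PREFIX + "=/path/to/your.security"
REPLACE_ARG = PREFIX + "==/path/to/your.security"

if __name__ == "__main__":
    for arg in (APPEND_ARG, REPLACE_ARG):
        props = effective_security_properties(DEFAULT_JAVA_SECURITY, YOUR_SECURITY, arg)
        print(arg)
        for key in sorted(props):
            print("  %s=%s" % (key, props[key]))
```

Running it shows why the page recommends a full copy of java.security for the double-equals form: with == the result contains only the two keys from your.security, and every other default setting (jdk.jar.disabledAlgorithms in this sample) is gone, whereas with a single equals those defaults survive and only the two listed keys change.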


Document Information

Modified date:
07 May 2024

UID

ibm16507679