- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- A showSettings enhancement which should have no impact on the JDK runtime.
- add/remove/modify command line option
- JDK
Summary
Add a security option to the -XshowSettings launcher option to display security configuration settings.
Problem
Currently, there's limited functionality built into the JDK to display security configuration settings. Such settings are important to show how crypto/security APIs function. End users often have to parse the security configuration details manually. Such steps might involve reading the java.security configuration file or writing applications to exercise the Security API and display configuration data.
The lack of such functionality in the JDK today hinders support teams and end users who may wish to gather security settings specific to the installed JDK before determining possible issues being encountered in the security-libs area.
keytool was enhanced in JDK 13 to display TLS configuration information, but going forward the java -XshowSettings launcher command is a better alternative for showing this and other security configuration.
Solution
The JDK launcher already contains a -XshowSettings option to display settings. Currently, that option has the ability to show vm, system property, locale and system/container settings. The proposed solution is to add a new option to -XshowSettings to display security settings: -XshowSettings:security. This option would print details relating to:
- Security properties - those properties set via the Java security configuration file.
- Security provider configuration and services offered (including aliases offered by each provider).
- TLS configuration consisting of enabled TLS protocols and ciphersuites.
A new subcommand approach would allow a user to specify a particular component so that only those details are printed. The subcommand value would be appended after the -XshowSettings:security option and would be separated by a colon character. Subcommands are case sensitive and bad values will cause a warning message to be printed. In addition, no security settings will be printed if a bad subcommand value is encountered.
The standard -XshowSettings launcher command will now include a summary of some security settings. For now, this includes:
- The name of each configured security provider (in order of preference).
- The set of enabled TLS protocol versions.
The summary output will highlight that further security settings can be displayed using the -XshowSettings:security command, i.e. See "java -X" for verbose security settings options.
See attached output examples.
Specification
Change of behaviour for the -XshowSettings option to include a summary of security settings with a message about how to display more verbose security settings. See attachment for example.
Addition of the following options to the java launcher help output:

    -XshowSettings:security
                      show all security settings and continue
    -XshowSettings:security:all
                      show all security settings and continue
    -XshowSettings:security:properties
                      show security properties and continue
    -XshowSettings:security:providers
                      show static security provider settings and continue
    -XshowSettings:security:tls
                      show TLS related security settings and continue

These options would be printed along with other existing options in the extra options menu (returned by "java -X").
See attachment for help output from the java -X command.
Recognized subcommands for the security component are:
- all - print all security settings. Same functionality as -XshowSettings:security
- properties - print current security properties. Ordered in alphabetical order of key value.
- providers - print security provider configuration and services offered. Ordered in order of provider preference.
- tls - print TLS configuration data consisting of enabled TLS protocols and ciphersuites.
If the security option is used without any subcommand specified, then all available security settings will be printed.
See attached output examples containing details of the extra security settings printed from using the -XshowSettings and -XshowSettings:security launcher commands.
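The manual approach mentioned under Problem, written out as an added example (it is not the launcher's implementation and not part of this CSR): a small program that uses public Security and JSSE APIs to print the same three categories, with the case-sensitive subcommand handling described above. The class name SecuritySettingsDump and the output layout are assumptions, the java.security file is read from the default conf/security location of JDK 9 and later, and provider aliases are not listed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: hypothetical class, not the JDK launcher's code.
public class SecuritySettingsDump {
    static final Set<String> SUBCOMMANDS = Set.of("all", "properties", "providers", "tls");

    public static void main(String[] args) throws Exception {
        String sub = args.length == 0 ? "all" : args[0];
        // Case-sensitive match; a bad value warns and prints no settings at all.
        if (!SUBCOMMANDS.contains(sub)) {
            System.err.println("Unrecognized security subcommand: " + sub);
            return;
        }
        if (sub.equals("all") || sub.equals("properties")) printProperties();
        if (sub.equals("all") || sub.equals("providers")) printProviders();
        if (sub.equals("all") || sub.equals("tls")) printTls();
    }

    static void printProperties() throws Exception {
        // Assumption: default file location (JDK 9+); overrides supplied via
        // -Djava.security.properties are not reflected in this listing.
        Path conf = Path.of(System.getProperty("java.home"), "conf", "security", "java.security");
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(conf)) { props.load(in); }
        new TreeMap<>(props).forEach((k, v) -> System.out.println(k + "=" + v)); // sorted by key
    }

    static void printProviders() {
        // Security.getProviders() returns providers in preference order.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersionStr());
            for (Provider.Service s : p.getServices())
                System.out.println("    " + s.getType() + "." + s.getAlgorithm());
        }
    }

    static void printTls() throws Exception {
        // Protocols and suites enabled by default on the default SSLContext.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        for (String proto : params.getProtocols()) System.out.println("protocol: " + proto);
        for (String suite : params.getCipherSuites()) System.out.println("ciphersuite: " + suite);
    }
}
```

Comparing this output between two JDK installations, or before and after editing java.security, shows which disabled-algorithm and provider settings actually differ.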
- csr of JDK-8281658 Add a security category to the java -XshowSettings option (Resolved)