Troubleshooting Security

To monitor security access, you can set the java.security.debug System property, which determines what trace messages are printed during execution.

To see a list of all debugging options, use the help option as follows. MyApp is any Java application. The java command prints the debugging options and then exits before running MyApp.

java -Djava.security.debug=help MyApp

Note:

  • To use more than one option, separate options with a comma.
  • JSSE also provides dynamic debug tracing support for SSL/TLS/DTLS troubleshooting. See Debugging Utilities.

The following table lists java.security.debug options and links to further information about each option:

Table 1-8 java.security.debug Options

Option: all
Description: Turn on all the debugging options
Further Information: None

Option: access
Description: Print all results from the AccessController.checkPermission method.

You can use the following options with the access option:

  • stack: Include stack trace
  • domain: Dump all domains in context
  • failure: Before throwing exception, dump stack and domain that do not have permission

You can use the following options with the stack and domain options:

  • permission=<classname>: Only dump output if specified permission is being checked
  • codebase=<URL>: Only dump output if specified codebase is being checked

Further Information: Permissions in the JDK

Option: certpath
Description: Turns on debugging for the PKIX CertPathValidator and CertPathBuilder implementations. Use the ocsp option with the certpath option for OCSP protocol tracing. A hexadecimal dump of the OCSP request and response bytes is displayed.

You can use the following options with the certpath option:

  • ocsp: Dump OCSP protocol exchanges
  • verbose: Print additional debugging information

Further Information: PKI Programmer's Guide Overview

Option: combiner
Description: SubjectDomainCombiner debugging
Further Information: Permissions in the JDK

Option: configfile
Description: JAAS (Java Authentication and Authorization Service) configuration file loading
Further Information:

  • Java Authentication and Authorization Service (JAAS) Reference Guide
  • Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges

Option: configparser
Description: JAAS configuration file parsing
Further Information:

  • Java Authentication and Authorization Service (JAAS) Reference Guide
  • Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges

Option: gssloginconfig
Description: Java GSS (Generic Security Services) login configuration file debugging
Further Information:

  • Java Generic Security Services: (Java GSS) and Kerberos
  • JAAS and Java GSS-API Tutorial
  • javax.security.auth.login.Configuration: A Configuration object is responsible for specifying which javax.net.ssl.SSLEngine should be used for a particular application, and in what order the LoginModules should be invoked.
  • Appendix B: JAAS Login Configuration File
  • Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On

Option: jar
Description: JAR file verification
Further Information: Verifying Signed JAR Files from The Java Tutorials

Note:

Use the System property jdk.jar.maxSignatureFileSize to specify the maximum size, in bytes, of signature files in a signed JAR. Its default value is 16000000 (16 MB).

Option: jca
Description: JCA engine class debugging
Further Information: Engine Classes and Algorithms

Option: keystore
Description: Keystore debugging
Further Information:

  • Keystores
  • KeyStore

Option: logincontext
Description: LoginContext results
Further Information:

  • Java Authentication and Authorization Service (JAAS) Reference Guide
  • Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges

Option: pcsc
Description: Java Smart Card I/O and SunPCSC provider debugging
Further Information: The SunPCSC Provider and the javax.smartcardio package

Option: pkcs11
Description: PKCS11 session manager debugging
Further Information: PKCS#11 Reference Guide

Option: pkcs11keystore
Description: PKCS11 KeyStore debugging
Further Information: PKCS#11 Reference Guide

Option: pkcs12
Description: PKCS12 KeyStore debugging
Further Information: None

Option: policy
Description: Loading and granting permissions with policy file
Further Information:

  • Set up the Policy File to Grant the Required Permissions (Controlling Applications) from The Java Tutorials
  • Default Policy Implementation and Policy File Syntax

Option: properties
Description: java.security configuration file debugging
Further Information: None

Option: provider
Description: Security provider debugging

The following options can be used with the provider option:

engine=<engines>: The output is displayed only for a specified list of JCA engines.

The supported values for <engines> are:

  • Cipher
  • KeyAgreement
  • KeyGenerator
  • KeyPairGenerator
  • KeyStore
  • Mac
  • MessageDigest
  • SecureRandom
  • Signature

Further Information: Java Cryptography Architecture (JCA) Reference Guide

Option: scl
Description: Permissions that SecureClassLoader assigns
Further Information: Permissions in the JDK

Option: securerandom
Description: SecureRandom debugging
Further Information: The SecureRandom Class

Option: sunpkcs11
Description: SunPKCS11 provider debugging
Further Information: PKCS#11 Reference Guide

Option: ts
Description: Timestamping debugging
Further Information: None

Option: x509
Description: X.509 certificate debugging
Further Information: X.509 Certificates and Certificate Revocation Lists (CRLs)
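
The following shell function is an added example, not part of the original documentation or the JDK. It lints a comma-separated java.security.debug value against the options and sub-option dependencies listed in Table 1-8, so that a misspelled option, or a sub-option given without its parent (for example failure without access), is caught before the application is launched. The names check_debug_value and has are hypothetical, and treating anything outside the table as an error is an assumption of this example.

```shell
#!/bin/sh
# Added example: lint a java.security.debug value against Table 1-8.
# check_debug_value and has are hypothetical helper names, not JDK tools.

# Top-level options from the table (anything else is assumed to be a typo).
TOP_LEVEL="all access certpath combiner configfile configparser gssloginconfig jar jca keystore logincontext pcsc pkcs11 pkcs11keystore pkcs12 policy properties provider scl securerandom sunpkcs11 ts x509"

# has WORD LIST: succeed if WORD is one of the space-separated items in LIST.
has() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# check_debug_value VALUE: print one line per problem, exit status 0 if none.
# The body runs in a subshell so the IFS and globbing changes stay local.
check_debug_value() (
    set -f                      # codebase URLs may contain glob characters
    IFS=,
    set -- $1                   # split the value on commas
    IFS=' '
    given="$*"                  # same options, space-separated, for has()
    rc=0
    for o in "$@"; do
        case "$o" in
            stack|domain|failure)      need="access" ;;
            permission=?*|codebase=?*) need="stack domain" ;;
            ocsp|verbose)              need="certpath" ;;
            engine=?*)                 need="provider" ;;
            *)  has "$o" "$TOP_LEVEL" || { echo "unknown option: $o"; rc=1; }
                continue ;;
        esac
        has all "$given" && continue    # "all" turns on every parent option
        found=no
        for p in $need; do
            has "$p" "$given" && found=yes
        done
        [ "$found" = yes ] || { echo "$o needs one of: $need"; rc=1; }
    done
    exit "$rc"
)

# Stand-alone use: sh lint.sh access,failure
[ $# -eq 0 ] || check_debug_value "$1"
```

A value that passes can then be handed to the launcher as shown at the top of this page, for example java -Djava.security.debug=access,failure MyApp.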