Troubleshooting Security

To monitor security access, you can set the java.security.debug system property, which determines what trace messages are printed during execution. To view security properties, security providers, and TLS-related settings, specify the -XshowSettings:security option in the java command.

To see a list of all debugging options, use the help option as follows. MyApp is any Java application. The java command prints the debugging options and then exits before running MyApp.

java -Djava.security.debug=help MyApp

Note:

To use more than one option, separate options with a comma.
JSSE also provides dynamic debug tracing support for SSL/TLS See Debugging Utilities.

The following table lists java.security.debug options and links to further information about each option:

Option	Description	Further Information
`all`	Turn on all debugging	None
`access`	Print all results from the `AccessController.checkPermission` method. You can use the following options with the `access` option: `stack`: Include stack trace `domain`: Dump all domains in context `failure`: Before throwing exception, dump stack and domain that do not have permission You can use the following options with the `stack` and `domain` options: `permission=<classname>`: Only dump output if specified permission is being checked `codebase=<URL>`: Only dump output if specified codebase is being checked	Permissions
`certpath`	Turns on debugging for the PKIX `CertPathValidator` and `CertPathBuilder` implementations. You can use the following options with the `certpath` option: `ocsp`: Dump OCSP protocol exchanges. A hexadecimal dump of the OCSP request and response bytes is displayed. `verbose`: Print additional debugging information	Java PKI Programmer's Guide
`combiner`	`SubjectDomainCombiner` debugging	Permissions
`configfile`	JAAS (Java Authentication and Authorization Service) configuration file loading	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`configparser`	JAAS configuration file parsing	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`gssloginconfig`	Java GSS (Generic Security Services) login configuration file debugging	Java Generic Security Services (JGSS) and Kerberos Introduction to JAAS and Java GSS-API Tutorials `javax.security.auth.login.Configuration`: A `Configuration` object is responsible for specifying which `LoginModules` should be used for a particular application, and in what order the `LoginModules` should be invoked. JAAS Login Configuration File Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
`jar`	JAR file verification	Verifying Signed JAR Files from The Java Tutorials Note: Use the System property `jdk.jar.maxSignatureFileSize` to specify the maximum size, in bytes, of signature files in a signed JAR. Its default value is `16000000` (16 MB).
`jca`	JCA engine class debugging	Engine Classes and Algorithms
`keystore`	Keystore debugging	Key Management The `KeyStore` class
`logincontext`	`LoginContext` results	Permissions
`pcsc`	Java Smart Card I/O and SunPCSC provider debugging	The `SunPCSC` Provider and the `javax.smartcardio` package
`pkcs11`	PKCS11 session manager debugging	PKCS#11 Reference Guide
`pkcs11keystore`	PKCS11 KeyStore debugging	PKCS#11 Reference Guide
`pkcs12`	PKCS12 KeyStore debugging	None
`policy`	Loading and granting permissions with policy file	Set up the Policy File to Grant the Required Permissions (Controlling Applications) from The Java Tutorials Set up a Policy File to Grant the Required Permission (Controlling Applets) from The Java Tutorials policytool (Solaris or macOS) policytool (Windows) Default Policy Implementation and Policy File Syntax
`properties`	`java.security` configuration file debugging	None
`provider`	Security provider debugging You can use the `engine=<engines>` option with the `provider` option: The output is displayed only for a specified list of JCA engines. The supported values for `<engines>` are: `Cipher` `KeyAgreement` `KeyGenerator` `KeyPairGenerator` `KeyStore` `Mac` `MessageDigest` `SecureRandom` `Signature`	The Security Manager from The Java Tutorials
`scl`	Permissions `SecureClassLoader` assigns	Permissions
`sunpkcs11`	SunPKCS11 provider debugging	PKCS#11 Reference Guide
`ts`	Timestamping debugging	None
`x509`	X.509 certificate debugging	X.509 Certificates and Certificate Revocation Lists (CRLs)

Printing Thread and Timestamp Information

You can append the following strings to the value specified in the java.security.debug system property to print additional information:

+thread: Print thread and caller information
+timestamp: Print timestamp information

For example, to add thread, caller, and timestamp information to all debugging output, set the java.security.debug system property on the command line as follows:

java -Djava.security.debug=all+thread+timestamp MyApp

The java -XshowSettings:security Option

You can specify the option -XshowSettings:security option in the java command to view security properties, security providers, and TLS-related settings. The option shows third-party security provider details if they are included in the application class path and such providers are configured in the java.security file.

In addition, you can specify -XshowSettings:security:<subcategory> where <subcategory> is one of the following:

all: show all security settings
properties: show security properties
providers: show static security provider settings
tls: show TLS-related security settings