Troubleshooting Security
To monitor security access, you can set the
java.security.debug system property, which determines what trace
messages are printed during execution. To view security properties, security providers, and
TLS-related settings, specify the -XshowSettings:security option in the
java command. You can enable debugging in JGSS and other related
technologies with various system properties or environment variables.
The java.security.debug System Property
To see a list of all debugging options, use the help option
as follows. MyApp is any Java application.
The java command prints the debugging options and then exits before running
MyApp.
java -Djava.security.debug=help MyAppNote:
- To use more than one option, separate options with a comma.
- JSSE also provides dynamic debug tracing support for SSL/TLS/DTLS troubleshooting. See Debugging Utilities.
The following table lists java.security.debug options and
links to further information about each option:
Table 1-5 java.security.debug Options
| Option | Description | Further Information |
|---|---|---|
all |
Turn on all the debugging options | None |
certpath |
Turns on debugging for the PKIX You can use the following options with the
|
PKI Programmer's Guide Overview |
combiner |
|
None |
configfile |
JAAS (Java Authentication and Authorization Service) configuration file loading |
Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges |
configparser |
JAAS configuration file parsing |
Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges |
gssloginconfig |
Java GSS (Generic Security Services) login configuration file debugging |
Java Generic Security Services: (Java GSS) and Kerberos JAAS and Java GSS-API Tutorial
Appendix B: JAAS Login Configuration File Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On |
jar |
JAR file verification |
Verifying Signed JAR Files from The Java Tutorials Note: Use the System propertyjdk.jar.maxSignatureFileSize to specify
the maximum size, in bytes, of signature files in a signed JAR. Its
default value is 16000000 (16 MB).
|
jca
|
JCA engine class debugging | |
keystore
|
Keystore debugging | |
logincontext |
|
Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges |
pcsc |
Java Smart Card I/O and SunPCSC provider debugging | The SunPCSC Provider and the javax.smartcardio package
|
pkcs11 |
PKCS11 session manager debugging | |
pkcs11keystore |
PKCS11 KeyStore debugging | |
pkcs12 |
PKCS12 KeyStore debugging | None |
properties |
java.security configuration file debugging
|
None |
provider |
Security
provider debugging
The following options can be used with the provider option:
The supported values for <engines> are:
|
Java Cryptography Architecture (JCA) Reference Guide |
securerandom |
SecureRandom debugging | The SecureRandom Class |
sunpkcs11 |
SunPKCS11 provider debugging | PKCS#11 Reference Guide |
ts |
Timestamping debugging | None |
x509 |
X.509 certificate debugging | X.509 Certificates and Certificate Revocation Lists (CRLs) |
Printing Thread and Timestamp Information
You can append the following strings to the value specified in the
java.security.debug system property to print additional
information:
+thread: Print thread and caller information+timestamp: Print timestamp information
For example, to add thread, caller, and timestamp information to all
debuging output, set the java.security.debug system property on the
command line as follows:
java -Djava.security.debug=all+thread+timestamp MyAppThe java -XshowSettings:security Option
You can specify the option -XshowSettings:security option
in the java command to view security properties, security providers, and
TLS-related settings. The option shows third-party security provider details if they are
included in the application class path or module path and such providers are configured in
the java.security file.
In addition, you can specify -XshowSettings:security:<subcategory> where <subcategory> is one of the following:
all: show all security settingsproperties: show security propertiesproviders: show static security provider settingstls: show TLS-related security settings
Enabling Debugging in Java Generic Security Services
Set the following system properties or environment variables to
true to enable debugging in the Java Generic Security Services (JGSS)
framework, Kerberos, SPNEGO, the native JGSS bridge, and the SSPI bridge on
Windows:
Caution:
Debugging information may contain sensitive information.Table 1-6 JGSS Debugging System Properties
| System Property or Environment Variable | JGSS Feature to Debug |
|---|---|
sun.security.jgss.debug system property
|
JGSS framework |
sun.security.krb5.debug system property
|
Java Kerberos 5 mechanism |
sun.security.spnego.debug system property
|
Java SPNEGO mechanism |
sun.security.nativegss.debug system property
|
Native JGSS bridge |
SSPI_BRIDGE_TRACE environment variable
|
SSPI bridge on Windows |
You can append +thread and +timestamp to
the value true to print additional information.
Note:
You cannot add these strings to the value of theSSPI_BRIDGE_TRACE environment variable.
For example, to add thread, caller, and timestamp information to JGSS
framework debugging output, you can set the sun.security.jgss.debug
system property on the command line as follows:
java -Dsun.security.jgss.debug=true+thread+timestamp MyAppIn your JAAS login configuration file, you can specify
debug=true in the Krb5LoginModule to enable debugging in the
associated entry. For example, the following enables debugging for
JassSample and adds thread, caller, and timestamp information to
the debugging output:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required;
debug=true+thread+timestamp;
};