JDK8 to JDK11 java.security mapping

As Harness migrates from the older JDK8 to JDK11, customers may need to make certain changes on their end:
1. Changes in the certs as explained here: Information regarding certificates and delegate upgrade to OpenJDK 11

2. Keeping the java.security file updated in case a custom one is used.

We will focus on the second point here, where customers who use their own custom image and java.security file might face issues.

The java.security File:

java.security is the security configuration file that comes with both JDK8 and JDK11.
For Java 8 and earlier versions, the java.security file is at the location below:
$JAVA_HOME/jre/lib/security/java.security

For Java 11 and Java 14, the java.security file is under the location below:
$JAVA_HOME/conf/security

Apart from the path where this file is located, a certain set of providers, including RSAsign, SASL, etc., has to be updated to be compatible with JDK11 and above. This means you cannot use the same java.security file directly from JDK8 if you are using these custom security providers.

Effect of using a non-compatible file:

Using an older non-compatible version of the java.security file will give you an “SSL handshake error” in the delegate logs.
This will lead to disconnected delegates as they will not be able to upgrade to the newer JDK-11 based delegate versions.

Remediation:

You simply need to rebuild your image to use either the default java.security file that comes with JDK11 or an override file that has been updated to be compatible. In most cases the incompatibility is related to security providers that may not be valid for JDK11. Some examples are below:

Below is an example snippet from JDK8 providers:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.5=com.sun.crypto.provider.SunJCE 
security.provider.6=sun.security.jgss.SunProvider

The same would map to something like below on the JDK11 compatible file:

security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.5=SunJCE
security.provider.6=SunJGSS
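
As an added example (not Harness code), the Python script below checks a custom java.security override for the JDK8-style provider class names listed above and rewrites them to the JDK11 names from this article. The function name `audit`, the sample file contents and `com.example.CustomProvider` are constructed for illustration; class-style entries outside the article's mapping are only flagged for manual review.

```python
import re
import sys

# JDK8 provider class -> JDK11 provider name, taken from the two snippets above.
JDK8_TO_JDK11 = {
    "sun.security.provider.Sun": "SUN",
    "sun.security.rsa.SunRsaSign": "SunRsaSign",
    "sun.security.ec.SunEC": "SunEC",
    "com.sun.crypto.provider.SunJCE": "SunJCE",
    "sun.security.jgss.SunProvider": "SunJGSS",
}
PROVIDER_LINE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)(.*)$")

# Constructed sample override; com.example.CustomProvider is a made-up class.
SAMPLE = """\
# custom java.security override carried over from a JDK8 image
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=SunEC
security.provider.4=com.example.CustomProvider
security.provider.5=com.sun.crypto.provider.SunJCE
jdk.tls.disabledAlgorithms=SSLv3, RC4
"""

def audit(text):
    """Return (findings, rewritten_text); a finding is (line, index, old, new or None)."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROVIDER_LINE.match(line)
        if m:
            index, value, rest = m.groups()
            if value in JDK8_TO_JDK11:
                new = JDK8_TO_JDK11[value]
                findings.append((lineno, index, value, new))
                line = f"security.provider.{index}={new}{rest.rstrip()}"
            elif "." in value:
                # Class-style name not in the article's mapping: needs manual review.
                findings.append((lineno, index, value, None))
        out.append(line)  # comments and other properties pass through unchanged
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings, fixed = audit(text)
    for lineno, index, old, new in findings:
        print(f"line {lineno}: security.provider.{index}={old} -> {new or 'REVIEW MANUALLY'}")
    sys.exit(1 if findings else 0)
```

Run with the path to the override file as the only argument; the non-zero exit status on any finding lets an image build fail before an incompatible file reaches a delegate.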