Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


TLS 1.3 support is required for versions 8.x of Smart ID Certificate Manager (CM) and CM SDK. TLS 1.3 was introduced in Java 11, but for at least the Zulu 8 JRE a backport exists via the OpenJSSE provider.

This article shows how to enable it in a way that retains the SUN JSSE provider for backwards compatibility with applications that use it explicitly. This information is useful when you integrate Identity Manager with Smart ID Certificate Manager.


Step-by-step instruction

 Download and install Zulu 8
  1. Download the latest Zulu 8 JRE from https://www.azul.com/downloads/zulu/ (TLS 1.3 support was introduced in July 2019)
  2. Install Zulu 8.
 Update Java security providers
  1. Open the file ZULU8_FOLDER\jre\lib\security\java.security for editing.
    By default there are 10 security providers listed on Windows and 9 on Linux, like this:

    Listed security providers
    security.provider.1=...
    ...
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    ...
    security.provider.9=...
    security.provider.10=...  (Windows only)
  2. Add a security provider line at the end of the numbering (number 11 on Windows and number 10 on Linux).

    1. Move "com.sun.net.ssl.internal.ssl.Provider" from security provider number 4 to the new number:

      For Windows
      security.provider.11=com.sun.net.ssl.internal.ssl.Provider
      For Linux
      security.provider.10=com.sun.net.ssl.internal.ssl.Provider
    2. Insert "org.openjsse.net.ssl.OpenJSSE" at security provider number 4:

      Insert at number 4
      security.provider.4=org.openjsse.net.ssl.OpenJSSE
    3. Add this line below the number 4 line:

      Add below number 4
      jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

Example for Windows

  1. Replace this:

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

    ...with this:

    security.provider.4=org.openjsse.net.ssl.OpenJSSE
    jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

    ...and add this line:

    security.provider.11=com.sun.net.ssl.internal.ssl.Provider

    Note! You can add the new line anywhere in the file. The position of the numbered lines within the file is not important; the number in each line sets the provider's priority.

Example for Linux

  1. Replace this:

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

    ...with this:

    security.provider.4=org.openjsse.net.ssl.OpenJSSE
    jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

    ...and add this line:

    security.provider.10=com.sun.net.ssl.internal.ssl.Provider

    Note! You can add the new line anywhere in the file. The position of the numbered lines within the file is not important; the number in each line sets the provider's priority.
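A way to check the edited java.security content before restarting CM, given as an added example that is not part of the original article or of Nexus' tooling. It relies on two JDK behaviours: providers are read from number 1 upward until the first missing number, and a repeated property key keeps only its last value. The function names and the placeholder provider classes in the sample are constructed for illustration.

```python
import re

OPENJSSE = "org.openjsse.net.ssl.OpenJSSE"
SUNJSSE = "com.sun.net.ssl.internal.ssl.Provider"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

def check_java_security(text):
    """Return a list of problems in java.security content; empty means OK."""
    problems, providers, has_key_limits = [], {}, False
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # comment line
        m = PROVIDER_RE.match(line)
        if m:
            num = int(m.group(1))
            if num in providers:  # a repeated key keeps only its last value
                problems.append(f"security.provider.{num} is defined more than once")
            providers[num] = m.group(2)
        elif line.strip().startswith("jdk.tls.keyLimits"):
            has_key_limits = True
    # The JDK reads security.provider.1, .2, ... and stops at the first missing number.
    loaded, num = [], 1
    while num in providers:
        loaded.append(providers[num])
        num += 1
    skipped = sorted(k for k in providers if k > num)
    if skipped:
        problems.append(f"security.provider.{num} is missing, so {skipped} are not loaded")
    if OPENJSSE not in loaded:
        problems.append("OpenJSSE is not loaded")
    if SUNJSSE not in loaded:
        problems.append("SunJSSE provider is not loaded")
    if OPENJSSE in loaded and SUNJSSE in loaded and loaded.index(OPENJSSE) > loaded.index(SUNJSSE):
        problems.append("OpenJSSE must have a lower number than the SunJSSE provider")
    if not has_key_limits:
        problems.append("jdk.tls.keyLimits is not set")
    return problems

def sample(sun_number, count=9):
    """Constructed sample: placeholder providers, OpenJSSE at 4, SunJSSE moved."""
    lines = [f"security.provider.{i}=example.Placeholder{i}" for i in range(1, count + 1)]
    lines[3] = f"security.provider.4={OPENJSSE}"
    lines.append("jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37")
    lines.append(f"security.provider.{sun_number}={SUNJSSE}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(check_java_security(sample(10)))  # Linux edit from the article
    print(check_java_security(sample(11)))  # Windows number used on a 9-provider file
```

To check a real installation, pass the text of ZULU8_FOLDER\jre\lib\security\java.security to check_java_security.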

 Option: Enable the unlimited crypto policy
  1. To enable the unlimited crypto policy, add this line in the Java security file:

    Enable unlimited crypto policy
    crypto.policy=unlimited