TLS 1.3 support is required for versions 8.x of Smart ID Certificate Manager (CM) and CM SDK. It was introduced in Java 11, but for at least the Zulu 8 JRE a backport exists via the OpenJSSE provider.
This article shows how to enable it while retaining the SUN JSSE provider for backward compatibility with applications that use it explicitly. This information is useful when you integrate Identity Manager with Smart ID Certificate Manager.
The instructions in this article are required and intended only for Zulu 8.47 and lower.
The option to enable the unlimited crypto policy must be applied for all versions of Zulu.
Update Java security providers
Open the file ZULU8_FOLDER\jre\lib\security\java.security for editing.
By default there are 10 security providers listed on Windows and 9 on Linux, like this:
Listed security providers
security.provider.1=...
...
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
...
security.provider.9=...
security.provider.10=... (Windows only)
Add a security provider line at the end of the numbering (number 11 on Windows and number 10 on Linux).
Move "com.sun.net.ssl.internal.ssl.Provider" from security provider number 4 to the new number:
For Windows
security.provider.11=com.sun.net.ssl.internal.ssl.Provider
For Linux
security.provider.10=com.sun.net.ssl.internal.ssl.Provider
Insert "org.openjsse.net.ssl.OpenJSSE" at security provider number 4:
Insert at number 4
security.provider.4=org.openjsse.net.ssl.OpenJSSE
Add this line below the number 4 line:
Add below number 4
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
For Windows, replace this:
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
...with this:
security.provider.4=org.openjsse.net.ssl.OpenJSSE
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
...and add this line:
security.provider.11=com.sun.net.ssl.internal.ssl.Provider
Note! You can add the new line anywhere in the file. The order in which the numbered lines appear in the file is not important.
For Linux, replace this:
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
...with this:
security.provider.4=org.openjsse.net.ssl.OpenJSSE
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
...and add this line:
security.provider.10=com.sun.net.ssl.internal.ssl.Provider
Note! You can add the new line anywhere in the file. The order in which the numbered lines appear in the file is not important.
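The following check is an added example, not part of the original article: it reads the text of an edited java.security file and reports where it deviates from the provider steps above, for both the Windows and the Linux numbering. The function names and the placeholder provider classes in the sample are assumptions made for illustration; the check also flags a numbering gap, because the JRE stops reading the provider list at the first missing number.

```python
import re

OPENJSSE = "org.openjsse.net.ssl.OpenJSSE"
SUNJSSE = "com.sun.net.ssl.internal.ssl.Provider"
KEY_LIMITS = "AES/GCM/NoPadding KeyUpdate 2^37"

def parse(text):
    """Split java.security text into {number: [provider, ...]} and other properties."""
    providers, other = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blanks, comments, continuation lines of multi-line values
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"security\.provider\.(\d+)", key)
        if match:
            providers.setdefault(int(match.group(1)), []).append(value)
        else:
            other[key] = value
    return providers, other

def check_java_security(text):
    """Return a list of problems; an empty list means the edits above are in place."""
    providers, other = parse(text)
    problems = [f"security.provider.{n} is defined {len(v)} times"
                for n, v in sorted(providers.items()) if len(v) > 1]
    # The JRE reads security.provider.1, .2, ... and stops at the first missing
    # number, so a gap silently drops every provider numbered above it.
    loaded = 0
    while loaded + 1 in providers:
        loaded += 1
    dropped = sorted(n for n in providers if n > loaded)
    if dropped:
        problems.append(f"security.provider.{loaded + 1} is missing; {dropped} will not load")
    # When a property is defined twice, the last definition in the file wins.
    active = {n: v[-1] for n, v in providers.items() if n <= loaded}
    if active.get(4) != OPENJSSE:
        problems.append(f"security.provider.4 must be {OPENJSSE}")
    if not any(n > 4 and name == SUNJSSE for n, name in active.items()):
        problems.append(f"{SUNJSSE} is not loaded after number 4")
    if other.get("jdk.tls.keyLimits") != KEY_LIMITS:
        problems.append("jdk.tls.keyLimits is not set as in the steps above")
    return problems

# Constructed sample: a Linux file (9 default providers, placeholder class names)
# edited as described, with the SUN JSSE provider moved to number 10.
SAMPLE = "\n".join(
    [f"security.provider.{n}=example.Provider{n}" for n in (1, 2, 3, 5, 6, 7, 8, 9)]
    + [f"security.provider.4={OPENJSSE}", f"jdk.tls.keyLimits={KEY_LIMITS}",
       f"security.provider.10={SUNJSSE}"])
```

To check a real installation, pass the contents of ZULU8_FOLDER\jre\lib\security\java.security to check_java_security and review any returned messages before restarting the application.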
Option: Enable the unlimited crypto policy
To enable the unlimited crypto policy, add this line in the Java security file:
Enable unlimited crypto policy
crypto.policy=unlimited