KB5066835: KSP vs CSP transition and recommendations for Personal Desktop Client. Read more ->
Nexus Documentation
Nexus Documentation
Breadcrumbs

Configure Zulu 8 JRE for TLS 1.3

TLS 1.3 support is required for versions 8.x of Smart ID Certificate Manager (CM) and CM SDK. It was introduced in Java 11, but for at least the Zulu 8 JRE a backport exists via the OpenJSSE provider.

This article shows how to enable it in a way that retains the SUN JSSE provider for backwards compatibility with applications that use it explicitly. This information is usable when you shall Integrate Identity Manager with Smart ID Certificate Manager.

The instructions in this article are required and intended only for Zulu 8.47 and lower.

The option to enable crypto policy needs to be done for all versions of Zulu.


Step-by-step instruction

Download and install Zulu 8

  1. Download the latest Zulu 8 JRE from https://www.azul.com/downloads/zulu/ (TLS 1.3 support was introduced in July 2019)

  2. Install Zulu 8.

Update Java security providers

  1. Open the file ZULU8_FOLDER\jre\lib\security\java.security for editing.
    By default there are 10 security providers listed on Windows and 9 on Linux, like this:

    Listed security providers

    security.provider.1=...
...
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
...
security.provider.9=...
security.provider.10=...  (Windows only)

  2. Add a security provider line at the end of the numbering (number 11 on Windows and number 10 on Linux).

    1. Move "com.sun.net.ssl.internal.ssl.Provider" from security provider number 4 to the new number:

      For Windows

      security.provider.11=com.sun.net.ssl.internal.ssl.Provider

      For Linux

      security.provider.10=com.sun.net.ssl.internal.ssl.Provider

    2. Insert "org.openjsse.net.ssl.OpenJSSE" at security provider number 4:

      Insert at number 4

      security.provider.4=org.openjsse.net.ssl.OpenJSSE

    3. Add this line below the number 4 line:

      Add below number 4

      jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

Example for Windows

  1. Replace this:

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

    ...with this:

    security.provider.4=org.openjsse.net.ssl.OpenJSSE
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

    ...and add this line:

    security.provider.11=com.sun.net.ssl.internal.ssl.Provider

    Note! You can add the new line anywhere in the file. The order of the numbering lines is not important.

Example for Linux

  1. Replace this:

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

    with this:

    security.provider.4=org.openjsse.net.ssl.OpenJSSE
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37

    ...and add this line:

    security.provider.10=com.sun.net.ssl.internal.ssl.Provider

    Note! You can add the new line anywhere in the file. The order of the numbering lines is not important.

Option: Enable the unlimited crypto policy

  1. To enable the unlimited crypto policy, add this line in the Java security file:

    Enable unlimited crypto policy

    crypto.policy=unlimited

Last updated: