Skip to content

Commit

Permalink
Add boilerplate Java21 security properties support to sdk containers (a…
Browse files Browse the repository at this point in the history
  • Loading branch information
cwrothrock authored and aleksandr-dudko committed Jun 29, 2023
1 parent 14b97bf commit 756f735
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 0 deletions.
48 changes: 48 additions & 0 deletions sdks/java/container/java21/java21-security.properties
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Java 21 java.security properties file override for JVM
# base properties derived from:
# openjdk version "21-ea" 2023-09-19
# OpenJDK Runtime Environment (build 21-ea+23-1988)
# OpenJDK 64-Bit Server VM (build 21-ea+23-1988, mixed mode, sharing)

# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
# legacy algorithms list to allow it to be used if something better is not
# available (e.g. TLSv1.2). This will prevent breakages for existing users
# (for example JDBC with MySQL). See
# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
# for additional details.
jdk.tls.disabledAlgorithms=SSLv3, DTLSv1.0, RC4, DES, \
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
ECDH

# The raw value from 21-ea for legacyAlgorithms is
# NULL, anon, RC4, DES, 3DES_EDE_CBC
# Because these values are in disabledAlgorithms, it is erroneous to include
# them in legacy (they are disabled in Java 8, 11, and 17 as well). Here we
# only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms
jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1

# /dev/random blocks in virtualized environments due to lack of
# good entropy sources, which makes SecureRandom use impractical.
# In particular, that affects the performance of HTTPS that relies
# on SecureRandom.
#
# Due to that, /dev/urandom is used as the default.
#
# See http://www.2uo.de/myths-about-urandom/ for some background
# on security of /dev/urandom on Linux.
securerandom.source=file:/dev/./urandom
9 changes: 9 additions & 0 deletions sdks/java/container/java21/option-java21-security.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"name": "java-security",
"enabled": true,
"options": {
"properties": {
"java.security.properties": "/opt/apache/beam/options/java21-security.properties"
}
}
}

0 comments on commit 756f735

Please sign in to comment.