From 756f7353b30668c6f880a6ccc9184c0a66c62392 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Wed, 28 Jun 2023 15:12:04 -0400 Subject: [PATCH] Add boilerplate Java21 security properties support to sdk containers (#26798) --- .../java21/java21-security.properties | 48 +++++++++++++++++++ .../java21/option-java21-security.json | 9 ++++ 2 files changed, 57 insertions(+) create mode 100644 sdks/java/container/java21/java21-security.properties create mode 100644 sdks/java/container/java21/option-java21-security.json diff --git a/sdks/java/container/java21/java21-security.properties b/sdks/java/container/java21/java21-security.properties new file mode 100644 index 000000000000..390cba510187 --- /dev/null +++ b/sdks/java/container/java21/java21-security.properties @@ -0,0 +1,48 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Java 21 java.security properties file override for JVM +# base properties derived from: +# openjdk version "21-ea" 2023-09-19 +# OpenJDK Runtime Environment (build 21-ea+23-1988) +# OpenJDK 64-Bit Server VM (build 21-ea+23-1988, mixed mode, sharing) + +# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the +# legacy algorithms list to allow it to be used if something better is not +# available (e.g. TLSv1.2). This will prevent breakages for existing users +# (for example JDBC with MySQL). See +# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 +# for additional details. +jdk.tls.disabledAlgorithms=SSLv3, DTLSv1.0, RC4, DES, \ + MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ + ECDH + +# The raw value from 21-ea for legacyAlgorithms is +# NULL, anon, RC4, DES, 3DES_EDE_CBC +# Because these values are in disabledAlgorithms, it is erroneous to include +# them in legacy (they are disabled in Java 8, 11, and 17 as well). Here we +# only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms +jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1 + +# /dev/random blocks in virtualized environments due to lack of +# good entropy sources, which makes SecureRandom use impractical. +# In particular, that affects the performance of HTTPS that relies +# on SecureRandom. +# +# Due to that, /dev/urandom is used as the default. +# +# See http://www.2uo.de/myths-about-urandom/ for some background +# on security of /dev/urandom on Linux. +securerandom.source=file:/dev/./urandom \ No newline at end of file diff --git a/sdks/java/container/java21/option-java21-security.json b/sdks/java/container/java21/option-java21-security.json new file mode 100644 index 000000000000..2844fa7e0a5b --- /dev/null +++ b/sdks/java/container/java21/option-java21-security.json @@ -0,0 +1,9 @@ +{ + "name": "java-security", + "enabled": true, + "options": { + "properties": { + "java.security.properties": "/opt/apache/beam/options/java21-security.properties" + } + } +}