← Recipes

TLS and Module Security

Configure TLS trust, client certificates, weak-algorithm policy, and module-access exceptions deliberately.

Flags and properties

-Djavax.net.ssl.trustStore-Djavax.net.ssl.keyStore-Djdk.tls.disabledAlgorithms--add-opens

These options affect TLS identity, trust decisions, protocol selection, cryptographic policy, and module encapsulation. Treat them as deployment security controls, not generic tuning flags.

Option details

-Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12
Points JSSE-based clients and servers to trusted certificate authorities or pinned partner certificates.
-Djavax.net.ssl.trustStoreType=PKCS12
Declares the truststore format. PKCS#12 is the usual modern choice.
-Djavax.net.ssl.keyStore=/etc/ssl/app/keystore.p12
Points the JVM to the private-key material and certificate chain used for client authentication or server identity.
-Djavax.net.ssl.keyStoreType=PKCS12
Declares the keystore format.
-Djdk.tls.client.protocols=TLSv1.3,TLSv1.2
Limits TLS client protocol negotiation to modern versions when older protocols must be excluded explicitly.
-Djdk.tls.disabledAlgorithms=...
Overrides the disabled algorithm policy. Prefer editing a controlled java.security overlay instead of putting a long policy directly on the command line.
--add-opens / --add-exports
Weakens Java module encapsulation for compatibility. Keep these options narrow, temporary, and tied to a tracked dependency upgrade.
Avoid passing keystore or truststore passwords directly as command-line flags. Use protected files, environment-to-config integration, or platform secret managers.

When to use it

Use this recipe when a JVM process must trust a private CA, present a client certificate, disable weak TLS behavior, or document module-access exceptions needed by legacy libraries.

Java version support

JSSE truststore and keystore system properties are longstanding Java options. TLS 1.3 is available from Java 11. Module access options such as --add-opens and --add-exports are available from Java 9.

Related JEPs

Examples

Trust a private certificate authority

java -Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12 \
  -Djavax.net.ssl.trustStoreType=PKCS12 \
  -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 \
  -jar app.jar

Mount the truststore as a file and keep the password outside the process argument list.

Use a client certificate for mTLS

java -Djavax.net.ssl.keyStore=/etc/ssl/app/client-keystore.p12 \
  -Djavax.net.ssl.keyStoreType=PKCS12 \
  -Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12 \
  -Djavax.net.ssl.trustStoreType=PKCS12 \
  -jar app.jar

Use secret-mounted files for the keystore, truststore, and passwords.

Load a controlled security-policy overlay

java -Djava.security.properties=/etc/java/app-security.properties \
  -jar app.jar

Use this for disabled algorithm policy instead of hard-coding a long policy in startup flags.

Document a narrow module exception

java --add-opens java.base/java.lang=ALL-UNNAMED \
  -jar legacy-app.jar

Keep module exceptions rare and remove them after the dependency is upgraded.

Verify