Troubleshooting Security

To monitor security access, you can set the java.security.debug system property, which determines what trace messages are printed during execution. To view security properties, security providers, and TLS-related settings, specify the -XshowSettings:security option in the java command.

To see a list of all debugging options, use the help option as follows. MyApp is any Java application. The java command prints the debugging options and then exits before running MyApp.

java -Djava.security.debug=help MyApp

Note:

To use more than one option, separate options with a comma.
JSSE also provides dynamic debug tracing support for SSL/TLS See Debugging Utilities.

The following table lists java.security.debug options and links to further information about each option:

Option	Description	Further Information
`all`	Turn on all debugging	None
`access`	Print all results from the `AccessController.checkPermission` method. You can use the following options with the `access` option: `stack`: Include stack trace `domain`: Dump all domains in context `failure`: Before throwing exception, dump stack and domain that do not have permission You can use the following options with the `stack` and `domain` options: `permission=<classname>`: Only dump output if specified permission is being checked `codebase=<URL>`: Only dump output if specified codebase is being checked	Permissions
`certpath`	Turns on debugging for the PKIX `CertPathValidator` and `CertPathBuilder` implementations. You can use the following options with the `certpath` option: `ocsp`: Dump OCSP protocol exchanges. A hexadecimal dump of the OCSP request and response bytes is displayed. `verbose`: Print additional debugging information	Java PKI Programmer's Guide
`combiner`	`SubjectDomainCombiner` debugging	Permissions
`configfile`	JAAS (Java Authentication and Authorization Service) configuration file loading	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`configparser`	JAAS configuration file parsing	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`gssloginconfig`	Java GSS (Generic Security Services) login configuration file debugging	Java Generic Security Services: (Java GSS) and Kerberos Introduction to JAAS and Java GSS-API Tutorials `javax.security.auth.login.Configuration`: A `Configuration` object is responsible for specifying which `LoginModules` should be used for a particular application, and in what order the `LoginModules` should be invoked. JAAS Login Configuration File Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
`jar`	JAR file verification	Verifying Signed JAR Files from The Java Tutorials Note: Use the System property `jdk.jar.maxSignatureFileSize` to specify the maximum size, in bytes, of signature files in a signed JAR. Its default value is `16000000` (16 MB).
`jca`	JCA engine class debugging	Engine Classes and Algorithms
`keystore`	Keystore debugging	Key Management The `KeyStore` class
`logincontext`	`LoginContext` results	Permissions
`pcsc`	Java Smart Card I/O and SunPCSC provider debugging	The `SunPCSC` Provider and the `javax.smartcardio` package
`pkcs11`	PKCS11 session manager debugging	PKCS#11 Reference Guide
`pkcs11keystore`	PKCS11 KeyStore debugging	PKCS#11 Reference Guide
`pkcs12`	PKCS12 KeyStore debugging	None
`policy`	Loading and granting permissions with policy file	Set up the Policy File to Grant the Required Permissions (Controlling Applications) from The Java Tutorials Set up a Policy File to Grant the Required Permission (Controlling Applets) from The Java Tutorials policytool (Solaris or macOS) policytool (Windows) Default Policy Implementation and Policy File Syntax
`properties`	`java.security` configuration file debugging	None
`provider`	Security provider debugging You can use the `engine=<engines>` option with the `provider` option: The output is displayed only for a specified list of JCA engines. The supported values for `<engines>` are: `Cipher` `KeyAgreement` `KeyGenerator` `KeyPairGenerator` `KeyStore` `Mac` `MessageDigest` `SecureRandom` `Signature`	The Security Manager from The Java Tutorials
`scl`	Permissions `SecureClassLoader` assigns	Permissions
`sunpkcs11`	SunPKCS11 provider debugging	PKCS#11 Reference Guide
`ts`	Timestamping debugging	None
`x509`	X.509 certificate debugging	X.509 Certificates and Certificate Revocation Lists (CRLs)

The java -XshowSettings:security Option

You can specify the option -XshowSettings:security option in the java command to view security properties, security providers, and TLS-related settings. The option shows third-party security provider details if they are included in the application class path and such providers are configured in the java.security file.

In addition, you can specify -XshowSettings:security:<subcategory> where <subcategory> is one of the following:

all: show all security settings
properties: show security properties
providers: show static security provider settings
tls: show TLS-related security settings