Troubleshooting Security

To monitor security access, you can set the java.security.debug system property, which determines what trace messages are printed during execution.

To see a list of all debugging options, use the help setting:

java -Djava.security.debug=help

Note:

To use more than one option, separate options with a comma.

JSSE also provides dynamic debug tracing support for SSL/TLS/DTLS troubleshooting. See Debugging Utilities.

The following table lists java.security.debug options and links to further information about each option:

Table 1-10 java.security.debug Options

Option	Description	Further Information
`all`	Turn on all the debugging options	None
`access`	Print all results from the `AccessController.checkPermission` method. You can use the following options with the `access` option: `stack`: Include stack trace `___domain`: Dump all domains in context `failure`: Before throwing exception, dump stack and ___domain that do not have permission You can use the following options with the `stack` and `___domain` options: `permission=<classname>`: Only dump output if specified permission is being checked `codebase=<URL>`: Only dump output if specified codebase is being checked	Permissions in the Java Development Kit (JDK)
`certpath`	Turns on debugging for the PKIX `CertPathValidator` and `CertPathBuilder` implementations. Use the `ocsp` option with the `certpath` option for OCSP protocol tracing. A hexadecimal dump of the OCSP request and response bytes is displayed.	PKI Programmers Guide Overview
`combiner`	`SubjectDomainCombiner` debugging	Permissions in the Java Development Kit (JDK)
`configfile`	JAAS (Java Authentication and Authorization Service) configuration file loading	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`configparser`	JAAS configuration file parsing	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`gssloginconfig`	Java GSS (Generic Security Services) login configuration file debugging	Java Generic Security Services: (Java GSS) and Kerberos JAAS and Java GSS-API Tutorial `javax.security.auth.login.Configuration`: A Configuration object is responsible for specifying which `javax.net.ssl.SSLEngine` should be used for a particular application, and in what order the `LoginModules` should be invoked. JAAS Login Configuration File Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On
`jar`	JAR file verification	Verifying Signed JAR Files from The Java Tutorials
`jca`	JCA engine class debugging	Engine Classes and Algorithms
`keystore`	Keystore debugging	Keystores `KeyStore`
`logincontext`	`LoginContext` results	Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
`pkcs11`	PKCS11 session manager debugging	PKCS#11 Reference Guide
`pkcs11keystore`	PKCS11 KeyStore debugging	PKCS#11 Reference Guide
`pkcs12`	PKCS12 KeyStore debugging	None
`policy`	Loading and granting permissions with policy file	Set up the Policy File to Grant the Required Permissions (Controlling Applications) from The Java Tutorials Default Policy Implementation and Policy File Syntax
`provider`	Security provider debugging The following options can be used with the provider option: `engine=<engines>` : The output is displayed only for a specified list of JCA engines. The supported values for <engines> are: Cipher KeyAgreement KeyGenerator KeyPairGenerator KeyStore Mac MessageDigest SecureRandom Signature	Java Cryptography Architecture (JCA) Reference Guide
`scl`	Permissions that `SecureClassLoader` assigns	Permissions in the Java Development Kit (JDK)
`securerandom`	SecureRandom debugging	The SecureRandom Class
`sunpkcs11`	SunPKCS11 provider debugging	PKCS#11 Reference Guide
`ts`	Timestamping debugging	None