Domino 11.0 does not support java.pol

When running Java and XPages on Domino it is sometimes required to loosen up the Java security restrictions by editing the jvm/lib/security/java.policy file or by adding a java.pol file with the required changes.

On HCL Domino 11.0, however, using a java.pol file is no longer supported, because the java.security file in Domino 11.0 no longer includes a reference to a java.pol file. This (unfortunate) change is related to the move from the IBM JRE to the AdoptOpenJDK JRE.

In a future release of HCL Domino this could be re-introduced if HCL adds support for it in the java.security file. I have created an idea on re-adding support for it.

Thanks to Daniele Vistalli for pointing out that you can use the option to add a modified java.policy file to the home directory of the user running the Domino instance since the java.security file still includes this option:

policy.url.2=file:${user.home}/.java.policy

On my Windows Server the Domino service runs under the local system account and the home directory of the local system account is C:\Windows\System32\config\systemprofile. So by adding a modified .java.policy file to this directory, it does indeed work (notice that the file must be called .java.policy according to policy.url.2 in java.security).

Update January 2022:

As of Domino 12.0.1 support for java.pol is back. The java.security file now contains a reference to a java.pol in the same directory as the java.security/java.policy files:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${java.home}/lib/security/java.pol
policy.url.3=file:${user.home}/.java.policy
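
To check which policy files a given java.security actually pulls in, the following added example (not part of the original post or of Domino) parses the policy.url.N entries, expands ${java.home} and ${user.home}, and reports which files exist. It relies on the standard JDK behaviour that the scan starts at policy.url.1 and stops at the first missing number; the function names and the placeholder JVM path are assumptions, and the user home must be that of the account running Domino.

```python
import re, sys
from pathlib import Path

# Constructed sample mirroring the Domino 12.0.1 entries quoted above.
SAMPLE = """\
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${java.home}/lib/security/java.pol
policy.url.3=file:${user.home}/.java.policy
"""

def policy_urls(text):
    """Return {N: url} for each uncommented policy.url.N line."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*policy\.url\.(\d+)\s*=\s*(\S+)", line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def effective_policies(text, java_home, user_home):
    """Resolve the entries the JVM reads: numbering starts at 1 and the
    scan stops at the first missing number, so later entries are ignored."""
    urls = policy_urls(text)
    props = {"java.home": str(java_home), "user.home": str(user_home)}
    loaded, n = [], 1
    while n in urls:
        url = re.sub(r"\$\{([^}]+)\}",
                     lambda m: props.get(m.group(1), m.group(0)), urls[n])
        path = Path(url[5:] if url.startswith("file:") else url)
        loaded.append((n, path, path.is_file()))
        n += 1
    ignored = sorted(i for i in urls if i >= n)
    return loaded, ignored

if __name__ == "__main__":
    # Usage: script.py <java.security> <java.home>; falls back to SAMPLE.
    # Path.home() is the home of whoever runs this script, which is only
    # correct when run as the account that runs the Domino service.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 2 else SAMPLE
    java_home = sys.argv[2] if len(sys.argv) > 2 else "/placeholder/jvm"
    loaded, ignored = effective_policies(text, java_home, Path.home())
    for n, path, exists in loaded:
        print(f"policy.url.{n}: {path} ({'present' if exists else 'missing'})")
    for n in ignored:
        print(f"policy.url.{n}: never read (gap in numbering)")
```

A file reported as present under the service account's home directory deserves the same write protection as the files under jvm/lib/security, since its grants are merged into the JVM policy.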

5 thoughts on “Domino 11.0 does not support java.pol”

  1. I checked what you noticed and I think we still have a way around it.

    in java.security we have the following line

    policy.url.2=file:${user.home}/.java.policy

    This means that if you place your java.pol content in a “.java.policy” file in the home directory of the user running domino/notes…. you’re safe & happy.

    Is this a decent workaround ?

  2. Hi Daniele, this is indeed a decent workaround.

    On my Windows Server the Domino service runs under the local system account and the home directory of the local system account is C:\Windows\System32\config\systemprofile. So by adding a modified .java.policy file to this directory, it does indeed work (notice that the file must be called .java.policy according to policy.url.2 in java.security).

  3. Great to hear it works. Btw I just voted for your AHA Idea, having it managed the “right way” is the way to go.

  4. You could also just add the missing policy.url.3=file:${java.home}/lib/security/java.pol in the java.security file

  5. Hi Per, came across this by chance – and I’m so glad I did as this will definitely break some code at more than one customer’s site as soon as they’re ready to upgrade 🙁

    Thanks for posting! I’ll try the workarounds asap
