Infinite Tracing: Configuring SSL for Java 7 and 8

Infinite Tracing requires special configuration of Java Cryptographic Extensions (JCE) for certain older versions of Java. This document provides guidelines on how to configure Java in this case.

For security and performance, New Relic strongly recommends upgrading to the latest Java 8 update. For HotSpot-based JVMs, none of the steps below are required after 8u251.

When to configure Java Cryptography

You must follow this process if you meet ALL of the criteria below:

  • You are implementing Infinite Tracing
  • Your JVM does not support Application-Layer Protocol Negotiation (ALPN). New Relic has identified that these JVMs do not support ALPN and require configuration:
    • Oracle Java 7
    • Oracle Java 8 prior to update 251
    • OpenJDK Java 8 prior to update 252

      New Relic has only confirmed that the JVMs above lack ALPN support. You should confirm with your vendor if ALPN support is present in your JVM.

Application Server

If you use Tomcat, WebSphere, Weblogic, or another application server, refer to your application server's documentation about how to add a Java Cryptography Extension (JCE) in your application server.

Configure the export policy for Oracle JVMs

Older Oracle JVMs require an extra update to allow JCE. Consult this Oracle TechNote for downloads and instructions.

Configuring Conscrypt for HotSpot JVMs

New Relic has successfully tested OpenJDK Java 8 with Conscrypt. Complete the following:

  1. Download the appropriate Conscrypt jar for your operating system.
  2. Copy the Conscrypt jar to JAVA_HOME/jre/lib/ext. This directory should already exist, but if it doesn't, look for a directory named ext under JAVA_HOME.
  3. Edit the file JAVA_HOME/jre/lib/security/java.security .
  4. Under the lines that start with security.provider, increment the last number, and set the value to org.conscrypt.OpenSSLProvider. For example, if the last entry was security.provider.10, add this line:
    security.provider.11=org.conscrypt.OpenSSLProvider

Finish setting up Infinite Tracing

When you finish these preliminary configurations, return to Language agents: Enable distributed tracing to finish setting up Infinite Tracing.

For more help

If you need more help, check out these support and learning resources: