
Add native access JVM flag for Bouncy Castle FIPS on newer Java releases #645

Merged
vharseko merged 1 commit into OpenIdentityPlatform:master from vharseko:warn-bc on May 15, 2026

Conversation

@vharseko (Member)

Summary

This change suppresses the Java restricted method warning emitted by Bouncy Castle FIPS when running OpenDJ on newer Java versions:

WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by org.bouncycastle.crypto.fips.NativeLoader$1 in an unnamed module
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled

The startup scripts now add --enable-native-access=ALL-UNNAMED automatically when the configured JVM supports it.

Changes

  • Updated Unix startup environment handling in opendj-server-legacy/resource/bin/_script-util.sh.
  • Updated Windows startup environment handling in opendj-server-legacy/resource/bin/_script-util.bat.
  • Added a JVM capability check before appending --enable-native-access=ALL-UNNAMED.
  • Avoided adding the flag twice if it is already present in OPENDJ_JAVA_ARGS.
  • Preserved compatibility with older JVMs by skipping the flag when java --enable-native-access=ALL-UNNAMED --version is not supported.

Why

Bouncy Castle FIPS loads native code through System.load. Recent Java releases warn about restricted native access and require explicit opt-in using --enable-native-access=ALL-UNNAMED for code running on the classpath / unnamed module.

Without this flag, OpenDJ startup can produce noisy warnings today, and future Java releases may block the operation unless native access is explicitly enabled.

Compatibility

The new argument is added only after a successful JVM feature probe. This keeps existing installations compatible with Java versions that do not recognize --enable-native-access.

Validation

Performed local validation for the Unix startup helper:

sh -n opendj-server-legacy/resource/bin/_script-util.sh
bash -n opendj-server-legacy/resource/bin/_script-util.sh

Also verified:

  • --enable-native-access=ALL-UNNAMED is appended when the JVM supports it.
  • The argument is not duplicated when already present in OPENDJ_JAVA_ARGS.
  • The argument is not appended when a JVM does not support it.

IDE inspection reported no new errors in the modified Windows batch file. Existing shellcheck-style warnings in _script-util.sh are unrelated to this change.

@vharseko vharseko requested a review from maximthomas May 15, 2026 12:58
@vharseko vharseko merged commit 9828ff5 into OpenIdentityPlatform:master May 15, 2026
17 checks passed
@vharseko vharseko deleted the warn-bc branch May 15, 2026 19:12
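The following is an added illustration of the probe-then-append logic the PR describes, written for this page and not taken from the project's _script-util.sh. It assumes a POSIX sh environment and two hypothetical helper names (jvm_supports_native_access and append_native_access_flag); OPENDJ_JAVA_BIN and OPENDJ_JAVA_ARGS are used as the JVM path and argument string, as in the OpenDJ startup scripts, but the guarded usage at the bottom is an assumption about how a caller would wire it in. The flag is matched as a whole word so that a pre-existing occurrence in OPENDJ_JAVA_ARGS is not duplicated, and the probe's exit status alone decides whether the JVM understands the option.

```shell
#!/bin/sh
# Added example (not the project's code): append --enable-native-access=ALL-UNNAMED
# to the JVM argument string only when the JVM accepts it and it is not already set.

NATIVE_ACCESS_FLAG="--enable-native-access=ALL-UNNAMED"

# jvm_supports_native_access JAVA_BIN
# Exit 0 when the probe "java --enable-native-access=ALL-UNNAMED --version"
# succeeds. Older JVMs reject the option ("Unrecognized option") with a
# non-zero status, so the flag is skipped for them.
jvm_supports_native_access() {
  "$1" "$NATIVE_ACCESS_FLAG" --version >/dev/null 2>&1
}

# append_native_access_flag JAVA_BIN CURRENT_ARGS
# Print CURRENT_ARGS with the flag appended when appropriate:
#   - unchanged if the flag is already present as a whole argument
#   - unchanged if the JVM does not support the flag
#   - otherwise with the flag appended (no leading space when args are empty)
append_native_access_flag() {
  java_bin=$1
  args=$2

  # Whole-word match: pad with spaces so "--enable-native-access=ALL-UNNAMED"
  # is only found as a complete argument, not as a substring of another one.
  case " $args " in
    *" $NATIVE_ACCESS_FLAG "*)
      printf '%s\n' "$args"
      return 0
      ;;
  esac

  if jvm_supports_native_access "$java_bin"; then
    if [ -n "$args" ]; then
      printf '%s %s\n' "$args" "$NATIVE_ACCESS_FLAG"
    else
      printf '%s\n' "$NATIVE_ACCESS_FLAG"
    fi
  else
    printf '%s\n' "$args"
  fi
}

# Assumed wiring for a startup script: only act when a JVM path is configured.
# OPENDJ_JAVA_BIN / OPENDJ_JAVA_ARGS are treated here as the script's inputs.
if [ -n "${OPENDJ_JAVA_BIN:-}" ]; then
  OPENDJ_JAVA_ARGS=$(append_native_access_flag "$OPENDJ_JAVA_BIN" "${OPENDJ_JAVA_ARGS:-}")
  export OPENDJ_JAVA_ARGS
fi
```

One caveat worth keeping in mind when adopting this: ALL-UNNAMED opts in every class loaded from the classpath, not only the Bouncy Castle FIPS native loader, so the flag widens native access for the whole unnamed module rather than for one library. Narrowing it would require the calling code to live in a named module.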