diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac

index 151e5a109f8..a8761b500e0 100644

--- a/common/autoconf/configure.ac

+++ b/common/autoconf/configure.ac

@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE

 LIB_SETUP_ALSA

 LIB_SETUP_FONTCONFIG

 LIB_SETUP_MISC_LIBS

+LIB_SETUP_SYSCONF_LIBS

 LIB_SETUP_STATIC_LINK_LIBSTDCPP

 LIB_SETUP_ON_WINDOWS

diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh

index e77ce854dc5..ec6e9b27ca5 100644

--- a/common/autoconf/generated-configure.sh

+++ b/common/autoconf/generated-configure.sh

@@ -651,6 +651,9 @@ LLVM_CONFIG

 LIBFFI_LIBS

 LIBFFI_CFLAGS

 STATIC_CXX_SETTING

+USE_SYSCONF_NSS

+NSS_LIBS

+NSS_CFLAGS

 LIBDL

 LIBM

 LIBZIP_CAN_USE_MMAP

@@ -1111,6 +1114,7 @@ with_fontconfig

 with_fontconfig_include

 with_giflib

 with_zlib

+enable_sysconf_nss

 with_stdc__lib

 with_msvcr_dll

 with_msvcp_dll

@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS

 FREETYPE_LIBS

 ALSA_CFLAGS

 ALSA_LIBS

+NSS_CFLAGS

+NSS_LIBS

 LIBFFI_CFLAGS

 LIBFFI_LIBS

 CCACHE'

@@ -1871,6 +1877,8 @@ Optional Features:

                           disable bundling of the freetype library with the

                           build result [enabled on Windows or when using

                           --with-freetype, disabled otherwise]

+  --enable-sysconf-nss    build the System Configurator (libsysconf) using the

+                          system NSS library if available [disabled]

   --enable-sjavac         use sjavac to do fast incremental compiles

                           [disabled]

   --disable-precompiled-headers

@@ -2115,6 +2123,8 @@ Some influential environment variables:

               linker flags for FREETYPE, overriding pkg-config

   ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config

   ALSA_LIBS   linker flags for ALSA, overriding pkg-config

+  NSS_CFLAGS  C compiler flags for NSS, overriding pkg-config

+  NSS_LIBS    linker flags for NSS, overriding pkg-config

   LIBFFI_CFLAGS

               C compiler flags for LIBFFI, overriding pkg-config

   LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config

@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }

   eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno

 } # ac_fn_c_check_header_compile

+

+# ac_fn_c_try_link LINENO

+# -----------------------

+# Try to link conftest.$ac_ext, and return whether this succeeded.

+ac_fn_c_try_link ()

+{

+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack

+  rm -f conftest.$ac_objext conftest$ac_exeext

+  if { { ac_try="$ac_link"

+case "(($ac_try" in

+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;

+  *) ac_try_echo=$ac_try;;

+esac

+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""

+$as_echo "$ac_try_echo"; } >&5

+  (eval "$ac_link") 2>conftest.err

+  ac_status=$?

+  if test -s conftest.err; then

+    grep -v '^ *+' conftest.err >conftest.er1

+    cat conftest.er1 >&5

+    mv -f conftest.er1 conftest.err

+  fi

+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5

+  test $ac_status = 0; } && {

+	 test -z "$ac_c_werror_flag" ||

+	 test ! -s conftest.err

+       } && test -s conftest$ac_exeext && {

+	 test "$cross_compiling" = yes ||

+	 test -x conftest$ac_exeext

+       }; then :

+  ac_retval=0

+else

+  $as_echo "$as_me: failed program was:" >&5

+sed 's/^/| /' conftest.$ac_ext >&5

+

+	ac_retval=1

+fi

+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information

+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would

+  # interfere with the next link command; also delete a directory that is

+  # left behind by Apple's compiler.  We do this before executing the actions.

+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo

+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno

+  as_fn_set_status $ac_retval

+

+} # ac_fn_c_try_link

 cat >config.log <<_ACEOF

 This file contains any messages produced by compilers while

 running configure, to aid debugging if configure makes a mistake.

@@ -4049,6 +4105,11 @@ fi

+################################################################################

+# Setup system configuration libraries

+################################################################################

+

+

 #

 # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.

 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

@@ -49290,6 +49351,157 @@ fi

   LIBS="$save_LIBS"

+  ###############################################################################

+  #

+  # Check for the NSS library

+  #

+

+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5

+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }

+

+  # default is not available

+  DEFAULT_SYSCONF_NSS=no

+

+  # Check whether --enable-sysconf-nss was given.

+if test "${enable_sysconf_nss+set}" = set; then :

+  enableval=$enable_sysconf_nss;

+    case "${enableval}" in

+      yes)

+        sysconf_nss=yes

+        ;;

+      *)

+        sysconf_nss=no

+        ;;

+    esac

+

+else

+

+    sysconf_nss=${DEFAULT_SYSCONF_NSS}

+

+fi

+

+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5

+$as_echo "$sysconf_nss" >&6; }

+

+  USE_SYSCONF_NSS=false

+  if test "x${sysconf_nss}" = "xyes"; then

+

+pkg_failed=no

+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5

+$as_echo_n "checking for NSS... " >&6; }

+

+if test -n "$NSS_CFLAGS"; then

+    pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"

+ elif test -n "$PKG_CONFIG"; then

+    if test -n "$PKG_CONFIG" && \

+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5

+  ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5

+  ac_status=$?

+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5

+  test $ac_status = 0; }; then

+  pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`

+else

+  pkg_failed=yes

+fi

+ else

+    pkg_failed=untried

+fi

+if test -n "$NSS_LIBS"; then

+    pkg_cv_NSS_LIBS="$NSS_LIBS"

+ elif test -n "$PKG_CONFIG"; then

+    if test -n "$PKG_CONFIG" && \

+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5

+  ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5

+  ac_status=$?

+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5

+  test $ac_status = 0; }; then

+  pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`

+else

+  pkg_failed=yes

+fi

+ else

+    pkg_failed=untried

+fi

+

+

+

+if test $pkg_failed = yes; then

+

+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then

+        _pkg_short_errors_supported=yes

+else

+        _pkg_short_errors_supported=no

+fi

+        if test $_pkg_short_errors_supported = yes; then

+	        NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`

+        else

+	        NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`

+        fi

+	# Put the nasty error message in config.log where it belongs

+	echo "$NSS_PKG_ERRORS" >&5

+

+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5

+$as_echo "no" >&6; }

+                NSS_FOUND=no

+elif test $pkg_failed = untried; then

+	NSS_FOUND=no

+else

+	NSS_CFLAGS=$pkg_cv_NSS_CFLAGS

+	NSS_LIBS=$pkg_cv_NSS_LIBS

+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5

+$as_echo "yes" >&6; }

+	NSS_FOUND=yes

+fi

+      if test "x${NSS_FOUND}" = "xyes"; then

+         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5

+$as_echo_n "checking for system FIPS support in NSS... " >&6; }

+         saved_libs="${LIBS}"

+         saved_cflags="${CFLAGS}"

+         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"

+         LIBS="${LIBS} ${NSS_LIBS}"

+         ac_ext=c

+ac_cpp='$CPP $CPPFLAGS'

+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'

+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'

+ac_compiler_gnu=$ac_cv_c_compiler_gnu

+

+         cat confdefs.h - <<_ACEOF >conftest.$ac_ext

+/* end confdefs.h.  */

+#include <nss3/pk11pub.h>

+int

+main ()

+{

+SECMOD_GetSystemFIPSEnabled()

+  ;

+  return 0;

+}

+_ACEOF

+if ac_fn_c_try_link "$LINENO"; then :

+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5

+$as_echo "yes" >&6; }

+else

+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5

+$as_echo "no" >&6; }

+                        as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5

+fi

+rm -f core conftest.err conftest.$ac_objext \

+    conftest$ac_exeext conftest.$ac_ext

+         ac_ext=cpp

+ac_cpp='$CXXCPP $CPPFLAGS'

+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'

+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'

+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu

+

+         CFLAGS="${saved_cflags}"

+         LIBS="${saved_libs}"

+         USE_SYSCONF_NSS=true

+      else

+                           as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5

+      fi

+  fi

+

+

+

   ###############################################################################

   #

   # statically link libstdc++ before C++ ABI is stablized on Linux unless

diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4

index 6efae578ea9..0080846255b 100644

--- a/common/autoconf/libraries.m4

+++ b/common/autoconf/libraries.m4

@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],

     BASIC_DEPRECATED_ARG_WITH([dxsdk-include])

   fi

 ])

+

+################################################################################

+# Setup system configuration libraries

+################################################################################

+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],

+[

+  ###############################################################################

+  #

+  # Check for the NSS library

+  #

+

+  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])

+

+  # default is not available

+  DEFAULT_SYSCONF_NSS=no

+

+  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],

+     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],

+  [

+    case "${enableval}" in

+      yes)

+        sysconf_nss=yes

+        ;;

+      *)

+        sysconf_nss=no

+        ;;

+    esac

+  ],

+  [

+    sysconf_nss=${DEFAULT_SYSCONF_NSS}

+  ])

+  AC_MSG_RESULT([$sysconf_nss])

+

+  USE_SYSCONF_NSS=false

+  if test "x${sysconf_nss}" = "xyes"; then

+      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])

+      if test "x${NSS_FOUND}" = "xyes"; then

+         AC_MSG_CHECKING([for system FIPS support in NSS])

+         saved_libs="${LIBS}"

+         saved_cflags="${CFLAGS}"

+         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"

+         LIBS="${LIBS} ${NSS_LIBS}"

+         AC_LANG_PUSH([C])

+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],

+                                         [[SECMOD_GetSystemFIPSEnabled()]])],

+                        [AC_MSG_RESULT([yes])],

+                        [AC_MSG_RESULT([no])

+                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])

+         AC_LANG_POP([C])

+         CFLAGS="${saved_cflags}"

+         LIBS="${saved_libs}"

+         USE_SYSCONF_NSS=true

+      else

+         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API

+         dnl in nss3/pk11pub.h.

+         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])

+      fi

+  fi

+  AC_SUBST(USE_SYSCONF_NSS)

+])

diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in

index 506cf617087..7241593b1a4 100644

--- a/common/autoconf/spec.gmk.in

+++ b/common/autoconf/spec.gmk.in

@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@

 ALSA_LIBS:=@ALSA_LIBS@

 ALSA_CFLAGS:=@ALSA_CFLAGS@

+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@

+NSS_LIBS:=@NSS_LIBS@

+NSS_CFLAGS:=@NSS_CFLAGS@

+

 PACKAGE_PATH=@PACKAGE_PATH@

 # Source file for cacerts

diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl

index 3b79a526f56..d2a0e39b206 100644

--- a/common/bin/compare_exceptions.sh.incl

+++ b/common/bin/compare_exceptions.sh.incl

@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="

 ./jre/lib/i386/libsplashscreen.so

 ./jre/lib/i386/libsunec.so

 ./jre/lib/i386/libsunwjdga.so

+./jre/lib/i386/libsystemconf.so

 ./jre/lib/i386/libt2k.so

 ./jre/lib/i386/libunpack.so

 ./jre/lib/i386/libverify.so

@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="

 ./jre/lib/amd64/libsplashscreen.so

 ./jre/lib/amd64/libsunec.so

 ./jre/lib/amd64/libsunwjdga.so

+//jre/lib/amd64/libsystemconf.so

 ./jre/lib/amd64/libt2k.so

 ./jre/lib/amd64/libunpack.so

 ./jre/lib/amd64/libverify.so

@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="

 ./jre/lib/sparc/libsplashscreen.so

 ./jre/lib/sparc/libsunec.so

 ./jre/lib/sparc/libsunwjdga.so

+./jre/lib/sparc/libsystemconf.so

 ./jre/lib/sparc/libt2k.so

 ./jre/lib/sparc/libunpack.so

 ./jre/lib/sparc/libverify.so

@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="

 ./jre/lib/sparcv9/libsplashscreen.so

 ./jre/lib/sparcv9/libsunec.so

 ./jre/lib/sparcv9/libsunwjdga.so

+./jre/lib/sparcv9/libsystemconf.so

 ./jre/lib/sparcv9/libt2k.so

 ./jre/lib/sparcv9/libunpack.so

 ./jre/lib/sparcv9/libverify.so

diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml

index d2beed0b93a..3b6aef98d9a 100644

--- a/common/nb_native/nbproject/configurations.xml

+++ b/common/nb_native/nbproject/configurations.xml

@@ -53,6 +53,9 @@

                   <in>jvmtiEnterTrace.cpp</in>

                 </df>

               </df>

+              <df name="libsystemconf">

+                <in>systemconf.c</in>

+              </df>

             </df>

           </df>

           <df name="jdk">

@@ -12772,6 +12775,11 @@

             tool="0"

             flavor2="0">

       </item>

+      

+            ex="false"

+            tool="0"

+            flavor2="0">

+      </item>

             ex="false"

             tool="0"

diff --git a/jdk/make/lib/SecurityLibraries.gmk b/jdk/make/lib/SecurityLibraries.gmk

index b0b85d80448..47a41d7518d 100644

--- a/jdk/make/lib/SecurityLibraries.gmk

+++ b/jdk/make/lib/SecurityLibraries.gmk

@@ -289,3 +289,34 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)

   endif

 endif

+

+################################################################################

+# Create the systemconf library

+

+LIBSYSTEMCONF_CFLAGS :=

+LIBSYSTEMCONF_CXXFLAGS :=

+

+ifeq ($(USE_SYSCONF_NSS), true)

+  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS

+  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS

+endif

+

+ifeq ($(OPENJDK_BUILD_OS), linux)

+  $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \

+      LIBRARY := systemconf, \

+      OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \

+      SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \

+      LANG := C, \

+      OPTIMIZATION := LOW, \

+      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \

+      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \

+      MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \

+      LDFLAGS := $(LDFLAGS_JDKLIB) \

+          $(call SET_SHARED_LIBRARY_ORIGIN), \

+      LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \

+      OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \

+      DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))

+

+  BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)

+endif

+

diff --git a/jdk/make/mapfiles/libsystemconf/mapfile-vers b/jdk/make/mapfiles/libsystemconf/mapfile-vers

new file mode 100644

index 00000000000..a65ceb3b78c

--- /dev/null

+++ b/jdk/make/mapfiles/libsystemconf/mapfile-vers

@@ -0,0 +1,35 @@

+#

+# Copyright (c) 2021, Red Hat, Inc.

+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+#

+# This code is free software; you can redistribute it and/or modify it

+# under the terms of the GNU General Public License version 2 only, as

+# published by the Free Software Foundation.  Oracle designates this

+# particular file as subject to the "Classpath" exception as provided

+# by Oracle in the LICENSE file that accompanied this code.

+#

+# This code is distributed in the hope that it will be useful, but WITHOUT

+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+# version 2 for more details (a copy is included in the LICENSE file that

+# accompanied this code).

+#

+# You should have received a copy of the GNU General Public License version

+# 2 along with this work; if not, write to the Free Software Foundation,

+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+#

+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+# or visit www.oracle.com if you need additional information or have any

+# questions.

+#

+

+# Define public interface.

+

+SUNWprivate_1.1 {

+	global:

+		DEF_JNI_OnLoad;

+		DEF_JNI_OnUnLoad;

+		Java_java_security_SystemConfigurator_getSystemFIPSEnabled;

+	local:

+		*;

+};

diff --git a/jdk/src/share/classes/java/security/Security.java b/jdk/src/share/classes/java/security/Security.java

index 0db09da7061..813b907db3e 100644

--- a/jdk/src/share/classes/java/security/Security.java

+++ b/jdk/src/share/classes/java/security/Security.java

@@ -30,6 +30,8 @@ import java.util.*;

 import java.util.concurrent.ConcurrentHashMap;

 import java.io.*;

 import java.net.URL;

+import sun.misc.SharedSecrets;

+import sun.misc.JavaSecuritySystemConfiguratorAccess;

 import sun.security.util.Debug;

 import sun.security.util.PropertyExpander;

@@ -43,11 +45,19 @@ import sun.security.jca.*;

  * implementation-specific location, which is typically the properties file

  * {@code lib/security/java.security} in the Java installation directory.

  *

+ * 
Additional default values of security properties are read from a

+ * system-specific location, if available.

+ *

  * @author Benjamin Renaud

  */

 public final class Security {

+    private static final String SYS_PROP_SWITCH =

+        "java.security.disableSystemPropertiesFile";

+    private static final String SEC_PROP_SWITCH =

+        "security.useSystemPropertiesFile";

+

     /* Are we debugging? -- for developers */

     private static final Debug sdebug =

                         Debug.getInstance("properties");

@@ -62,6 +72,19 @@ public final class Security {

     }

     static {

+        // Initialise here as used by code with system properties disabled

+        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(

+            new JavaSecuritySystemConfiguratorAccess() {

+                @Override

+                public boolean isSystemFipsEnabled() {

+                    return SystemConfigurator.isSystemFipsEnabled();

+                }

+                @Override

+                public boolean isPlainKeySupportEnabled() {

+                    return SystemConfigurator.isPlainKeySupportEnabled();

+                }

+            });

+

         // doPrivileged here because there are multiple

         // things in initialize that might require privs.

         // (the FileInputStream call and the File.exists call,

@@ -78,6 +101,7 @@ public final class Security {

         props = new Properties();

         boolean loadedProps = false;

         boolean overrideAll = false;

+        boolean systemSecPropsEnabled = false;

         // first load the system properties file

         // to determine the value of security.overridePropertiesFile

@@ -93,6 +117,7 @@ public final class Security {

                 if (sdebug != null) {

                     sdebug.println("reading security properties file: " +

                                 propFile);

+                    sdebug.println(props.toString());

                 }

             } catch (IOException e) {

                 if (sdebug != null) {

@@ -187,6 +212,61 @@ public final class Security {

             }

         }

+        boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));

+        boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));

+        if (sdebug != null) {

+            sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);

+            sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);

+        }

+        if (!sysUseProps && secUseProps) {

+            systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);

+            if (!systemSecPropsEnabled) {

+                if (sdebug != null) {

+                    sdebug.println("WARNING: System security properties could not be loaded.");

+                }

+            }

+        } else {

+            if (sdebug != null) {

+                sdebug.println("System security property support disabled by user.");

+            }

+        }

+

+        // FIPS support depends on the contents of java.security so

+        // ensure it has loaded first

+        if (loadedProps && systemSecPropsEnabled) {

+            boolean shouldEnable;

+            String sysProp = System.getProperty("com.redhat.fips");

+            if (sysProp == null) {

+                shouldEnable = true;

+                if (sdebug != null) {

+                    sdebug.println("com.redhat.fips unset, using default value of true");

+                }

+            } else {

+                shouldEnable = Boolean.valueOf(sysProp);

+                if (sdebug != null) {

+                    sdebug.println("com.redhat.fips set, using its value " + shouldEnable);

+                }

+             }

+            if (shouldEnable) {

+                boolean fipsEnabled = SystemConfigurator.configureFIPS(props);

+                if (sdebug != null) {

+                    if (fipsEnabled) {

+                        sdebug.println("FIPS mode support configured and enabled.");

+                    } else {

+                        sdebug.println("FIPS mode support disabled.");

+                    }

+                }

+            } else {

+                if (sdebug != null ) {

+                    sdebug.println("FIPS mode support disabled by user.");

+                }

+            }

+        } else {

+            if (sdebug != null) {

+                sdebug.println("WARNING: FIPS mode support can not be enabled without " +

+                               "system security properties being enabled.");

+            }

+        }

     }

     /*

diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java

new file mode 100644

index 00000000000..a24a0445db2

--- /dev/null

+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java

@@ -0,0 +1,248 @@

+/*

+ * Copyright (c) 2019, 2021, Red Hat, Inc.

+ *

+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ *

+ * This code is free software; you can redistribute it and/or modify it

+ * under the terms of the GNU General Public License version 2 only, as

+ * published by the Free Software Foundation.  Oracle designates this

+ * particular file as subject to the "Classpath" exception as provided

+ * by Oracle in the LICENSE file that accompanied this code.

+ *

+ * This code is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ * version 2 for more details (a copy is included in the LICENSE file that

+ * accompanied this code).

+ *

+ * You should have received a copy of the GNU General Public License version

+ * 2 along with this work; if not, write to the Free Software Foundation,

+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ *

+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ * or visit www.oracle.com if you need additional information or have any

+ * questions.

+ */

+

+package java.security;

+

+import java.io.BufferedInputStream;

+import java.io.FileInputStream;

+import java.io.IOException;

+

+import java.util.Iterator;

+import java.util.Map.Entry;

+import java.util.Properties;

+

+import sun.security.util.Debug;

+

+/**

+ * Internal class to align OpenJDK with global crypto-policies.

+ * Called from java.security.Security class initialization,

+ * during startup.

+ *

+ */

+

+final class SystemConfigurator {

+

+    private static final Debug sdebug =

+            Debug.getInstance("properties");

+

+    private static final String CRYPTO_POLICIES_BASE_DIR =

+            "/etc/crypto-policies";

+

+    private static final String CRYPTO_POLICIES_JAVA_CONFIG =

+            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";

+

+    private static boolean systemFipsEnabled = false;

+    private static boolean plainKeySupportEnabled = false;

+

+    private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";

+

+    private static native boolean getSystemFIPSEnabled()

+            throws IOException;

+

+    static {

+        AccessController.doPrivileged(new PrivilegedAction<Void>() {

+            public Void run() {

+                System.loadLibrary(SYSTEMCONF_NATIVE_LIB);

+                return null;

+            }

+        });

+    }

+