diff --git a/src/java.base/share/classes/java/security/doc-files/debug-system-property.html b/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
new file mode 100644
index 00000000000..4ea34252b3c
--- /dev/null
+++ b/src/java.base/share/classes/java/security/doc-files/debug-system-property.html
@@ -0,0 +1,193 @@
+<!doctype html>
+<!--
+ Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+
+ This code is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License version 2 only, as
+ published by the Free Software Foundation.  Oracle designates this
+ particular file as subject to the "Classpath" exception as provided
+ by Oracle in the LICENSE file that accompanied this code.
+
+ This code is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ version 2 for more details (a copy is included in the LICENSE file that
+ accompanied this code).
+
+ You should have received a copy of the GNU General Public License version
+ 2 along with this work; if not, write to the Free Software Foundation,
+ Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ or visit www.oracle.com if you need additional information or have any
+ questions.
+-->
+<html lang="en">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <title>The java.security.debug system property</title>
+    <style>
+        #debug {
+         border: 1px solid black;
+         border-collapse: collapse;
+         margin: 0 auto;
+        }
+        #debug caption {
+          font-weight: bold;
+          font-size: smaller;
+        }
+        #debug, #debug th, #debug td {
+         border: 1px solid black;
+         padding: 2px .5em;
+        }
+        #debug tbody th {
+         font-weight: normal;
+         text-align:left;
+        }
+    </style>
+</head>
+<body LANG="en-US" DIR="LTR">
+<h1><B>{@systemProperty java.security.debug}</B></h1>
+<p> To monitor security access, you can set the <code>java.security.debug</code>
+    system property, which determines what trace messages are printed during
+    execution. The value of the property is one or more options separated by a
+    comma.
+</p>
+
+<h2>Printing Thread and Timestamp Information</h2>
+<p>
+    You can append the following strings to any option specified in the
+    <code>java.security.debug</code> system property to print additional
+    information:
+<ul>
+    <li><code>+thread</code>: Print thread and caller information</li>
+    <li><code>+timestamp</code>: Print timestamp information</li>
+</ul>
+<p>
+    For example, to add thread, caller, and timestamp information to all
+    debugging output, set the <code>java.security.debug</code> system property
+    on the command line as follows:
+    <pre><code>java -Djava.security.debug=all+thread+timestamp MyApp</code></pre>
+
+<p>The following table lists the <code>java.security.debug</code> options:</p>
+
+<table id="debug">
+    <caption><b>Security Debug Options</b></caption>
+    <thead>
+    <tr>
+        <th scope="col">Option</th>
+        <th scope="col">Description</th>
+    </tr>
+    </thead>
+    <tbody>
+    <tr>
+        <th scope="row"><code>all</code></th>
+        <td>Turn on all the debugging options</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>certpath</code></th>
+        <td>Turns on debugging for the PKIX <code>CertPathValidator</code> and
+            <code>CertPathBuilder</code> implementations. The following sub-options
+            can be used with the <code>certpath</code> option:
+            <ul>
+                <li><code><b>ocsp</b></code>: Dump OCSP protocol exchanges</li>
+                <li><code><b>verbose</b></code>: A hexadecimal dump of the OCSP
+                    request and response bytes is displayed.</li>
+            </ul>
+        </td>
+    </tr>
+    <tr>
+        <th scope="row"><code>configfile</code></th>
+        <td>JAAS (Java Authentication and Authorization Service) configuration file loading</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>configparser</code></th>
+        <td>JAAS configuration file parsing</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>gssloginconfig</code></th>
+        <td>Java GSS (Generic Security Services) login configuration file debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>jar</code></th>
+        <td>JAR file verification</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>jca</code></th>
+        <td>JCA engine class debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>KeyStore</code></th>
+        <td><code>KeyStore</code> debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>logincontext</code></th>
+        <td><code>LoginContext</code> results</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>pcsc</code></th>
+        <td>Java Smart Card I/O and SunPCSC provider debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>pkcs11</code></th>
+        <td>PKCS11 session manager debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>pkcs11keystore</code></th>
+        <td>PKCS11 <code>KeyStore</code> debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>pkcs12</code></th>
+        <td>PKCS12 <code>KeyStore</code> debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>properties</code></th>
+        <td><code>java.security</code> configuration file debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>provider</code></th>
+        <td>Security provider debugging. The following sub-option can be used
+            with the <code>provider</code> option: <code>engine=(engines)</code>
+            : The output is displayed only for a specified list of one or more JCA
+            engines, separated by a comma. The supported values for (engines) are:
+            <ul>
+                <li><code>Cipher</code></li>
+                <li><code>KDF</code></li>
+                <li><code>KeyAgreement</code></li>
+                <li><code>KeyGenerator</code></li>
+                <li><code>KeyPairGenerator</code></li>
+                <li><code>KeyStore</code></li>
+                <li><code>Mac</code></li>
+                <li><code>MessageDigest</code></li>
+                <li><code>SecureRandom</code></li>
+                <li><code>Signature</code></li>
+            </ul>
+        </td>
+    </tr>
+    <tr>
+        <th scope="row"><code>securerandom</code></th>
+        <td><code>SecureRandom</code> debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>sunpkcs11</code></th>
+        <td>SunPKCS11 provider debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>ts</code></th>
+        <td>Timestamping debugging</td>
+    </tr>
+    <tr>
+        <th scope="row"><code>x509</code></th>
+        <td>X.509 certificate debugging. The following sub-option can be used
+            with the <code>X.509</code> option.
+            <ul>
+                <li><code><b>ava</b></code>: Embed non-printable/non-escaped
+                    characters in AVA components as hex strings</li>
+            </ul>
+        </td>
+    </tr>
+    </tbody>
+</table>
+</body>
+</html>
diff --git a/src/java.base/share/classes/java/security/package-info.java b/src/java.base/share/classes/java/security/package-info.java
index b887d5c17a3..fafdca73801 100644
--- a/src/java.base/share/classes/java/security/package-info.java
+++ b/src/java.base/share/classes/java/security/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -71,6 +71,12 @@
  *
  * </ul>
  *
+ * <h2>Additional Specification</h2>
+ * <ul>
+ *   <li><a href="doc-files/debug-system-property.html">
+ *     The {@code java.security.debug} System Property</a></li>
+ * </ul>
+ *
  * @spec security/standard-names.html Java Security Standard Algorithm Names
  * @since 1.1
  */

Option	Description
`all`	Turn on all the debugging options
`certpath`	Turns on debugging for the PKIX `CertPathValidator` and + `CertPathBuilder` implementations. The following sub-options + can be used with the `certpath` option: + + `ocsp`: Dump OCSP protocol exchanges + `verbose`: A hexadecimal dump of the OCSP + request and response bytes is displayed. + +
`configfile`	JAAS (Java Authentication and Authorization Service) configuration file loading
`configparser`	JAAS configuration file parsing
`gssloginconfig`	Java GSS (Generic Security Services) login configuration file debugging
`jar`	JAR file verification
`jca`	JCA engine class debugging
`KeyStore`	`KeyStore` debugging
`logincontext`	`LoginContext` results
`pcsc`	Java Smart Card I/O and SunPCSC provider debugging
`pkcs11`	PKCS11 session manager debugging
`pkcs11keystore`	PKCS11 `KeyStore` debugging
`pkcs12`	PKCS12 `KeyStore` debugging
`properties`	`java.security` configuration file debugging
`provider`	Security provider debugging. The following sub-option can be used + with the `provider` option: `engine=(engines)` + : The output is displayed only for a specified list of one or more JCA + engines, separated by a comma. The supported values for (engines) are: + + `Cipher` + `KDF` + `KeyAgreement` + `KeyGenerator` + `KeyPairGenerator` + `KeyStore` + `Mac` + `MessageDigest` + `SecureRandom` + `Signature` + +
`securerandom`	`SecureRandom` debugging
`sunpkcs11`	SunPKCS11 provider debugging
`ts`	Timestamping debugging
`x509`	X.509 certificate debugging. The following sub-option can be used + with the `X.509` option. + + `ava`: Embed non-printable/non-escaped + characters in AVA components as hex strings + +