java.security-macosx revision 6151
#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
# Order matters: a request that names no provider is served by the
# lowest-numbered entry that implements the requested algorithm, so
# inserting or renumbering entries changes which implementation the
# runtime picks. Entry 10 (apple.security.AppleProvider) is presumably
# the macOS-specific addition (see the file name) — confirm against the
# generic java.security before reusing this list on another platform.
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=apple.security.AppleProvider

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#   -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.
#
# NOTE(review): because the command-line property wins, the seed source
# actually in use is only known once the launch flags are known; include
# them when auditing a deployment.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
# Left commented out here; enabling it makes the per-user file below the
# default JAAS configuration source for the login.configuration.provider
# configured above.
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
#
# NOTE(review): policy.url.2 is read from the user's home directory, so
# anything able to write ${user.home}/.java.policy can widen the
# permissions granted to code run by that user; account for this where a
# SecurityManager is relied on to confine code.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
#
# While this is enabled, whoever controls the JVM command line can add to
# (or, with the "==" form of the property, replace) the policy files
# configured above.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
#
# false means the legacy 1.1 IdentityScope lookup is still performed; per
# the note above, a trusted identity found there receives AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
# NOTE(review): "jks" is the legacy proprietary format; later JDK releases
# default to "pkcs12". Changing this affects keytool and any KeyStore
# obtained without an explicit type — confirm tooling expectations first.
#
keystore.type=jks

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
#
# checkPackageAccess is a SecurityManager check, so this list only takes
# effect while a security manager is installed. Each entry is a prefix
# match, hence the trailing dots.
#
package.access=sun.,\
 com.sun.corba.se.impl.,\
 com.sun.xml.internal.,\
 com.sun.imageio.,\
 com.sun.istack.internal.,\
 com.sun.jmx.,\
 com.sun.proxy.,\
 com.sun.org.apache.bcel.internal.,\
 com.sun.org.apache.regexp.internal.,\
 com.sun.org.apache.xerces.internal.,\
 com.sun.org.apache.xpath.internal.,\
 com.sun.org.apache.xalan.internal.extensions.,\
 com.sun.org.apache.xalan.internal.lib.,\
 com.sun.org.apache.xalan.internal.res.,\
 com.sun.org.apache.xalan.internal.templates.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.apache.xalan.internal.xslt.,\
 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
 com.sun.org.apache.xalan.internal.xsltc.trax.,\
 com.sun.org.apache.xalan.internal.xsltc.util.,\
 com.sun.org.apache.xml.internal.res.,\
 com.sun.org.apache.xml.internal.serializer.utils.,\
 com.sun.org.apache.xml.internal.utils.,\
 com.sun.org.glassfish.,\
 oracle.jrockit.jfr.,\
 apple.

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
# This list is identical to package.access above; when an internal
# package is added to one list, add it to the other as well.
#
package.definition=sun.,\
 com.sun.corba.se.impl.,\
 com.sun.xml.internal.,\
 com.sun.imageio.,\
 com.sun.istack.internal.,\
 com.sun.jmx.,\
 com.sun.proxy.,\
 com.sun.org.apache.bcel.internal.,\
 com.sun.org.apache.regexp.internal.,\
 com.sun.org.apache.xerces.internal.,\
 com.sun.org.apache.xpath.internal.,\
 com.sun.org.apache.xalan.internal.extensions.,\
 com.sun.org.apache.xalan.internal.lib.,\
 com.sun.org.apache.xalan.internal.res.,\
 com.sun.org.apache.xalan.internal.templates.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.apache.xalan.internal.xslt.,\
 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
 com.sun.org.apache.xalan.internal.xsltc.trax.,\
 com.sun.org.apache.xalan.internal.xsltc.util.,\
 com.sun.org.apache.xml.internal.res.,\
 com.sun.org.apache.xml.internal.serializer.utils.,\
 com.sun.org.apache.xml.internal.utils.,\
 com.sun.org.glassfish.,\
 oracle.jrockit.jfr.,\
 apple.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
# While true, "-Djava.security.properties=<file>" layers extra properties
# on top of this file and "-Djava.security.properties==<file>" (double
# equals) replaces it entirely. Consider false on hosts where the JVM
# command line is not trusted to change the security configuration.
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
# Unlike the positive-lookup policy above, this value is set explicitly.
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
#
# The active setting is tryLast: an unreachable KDC is demoted behind the
# reachable ones rather than retried with a shorter timeout.
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
9b9e0eca165f5f464e357bb2a9b8bbfc9621067cwrowe# A "Constraint" provides further guidance for the algorithm being specified.
9b9e0eca165f5f464e357bb2a9b8bbfc9621067cwrowe# The "KeySizeConstraint" restricts the key to a range of valid sizes when the
9b9e0eca165f5f464e357bb2a9b8bbfc9621067cwrowe# "AlgorithmName" is a key algorithm. The "DecimalInteger" indicates the
9b9e0eca165f5f464e357bb2a9b8bbfc9621067cwrowe# key size specified in number of bits. For example, "RSA keySize <= 1024"
9b9e0eca165f5f464e357bb2a9b8bbfc9621067cwrowe# indicates that any RSA key with key size less than or equal to 1024 bits
b26781e595625911fc8fc8215133ad2285ed75d8jim# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
b26781e595625911fc8fc8215133ad2285ed75d8jim# that any RSA key with key size less than 1024 or greater than 2048 should
b26781e595625911fc8fc8215133ad2285ed75d8jim# be disabled. Note that the "KeySizeConstraint" only makes sense for key
5117466ef123b1efbc2feba168f37069ef6f230bianh# algorithms.
5117466ef123b1efbc2feba168f37069ef6f230bianh#
5117466ef123b1efbc2feba168f37069ef6f230bianh# Note: This property is currently used by Oracle's PKIX implementation. It
9c39f8fb982df4dbce5304e49385568e6d35bfa8trawick# is not guaranteed to be examined and used by other implementations.
9c39f8fb982df4dbce5304e49385568e6d35bfa8trawick#
9c39f8fb982df4dbce5304e49385568e6d35bfa8trawick# Example:
9c39f8fb982df4dbce5304e49385568e6d35bfa8trawick# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe#
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe#
# Active setting for this build: any certificate algorithm whose name contains
# the sub-element "MD2" is rejected, as is any RSA key shorter than 1024 bits,
# during certification path building and validation (see the keySize
# discussion above for the exact "<" semantics). This value is less strict
# than the "Example" shown above. It applies only to PKIX certification path
# processing; SSL/TLS negotiation is governed by the separate
# jdk.tls.disabledAlgorithms property described in the next section.
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowejdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
1d50c90ddb7e3d144ec8a2bd848ca1e7bbf8e534bnicholes# (SSL/TLS) processing
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe#
bdd4aa13a97de79596cd19708f1516e8fa92700ewrowe# In some environments, certain algorithms or key lengths may be undesirable
1d50c90ddb7e3d144ec8a2bd848ca1e7bbf8e534bnicholes# when using SSL/TLS. This section describes the mechanism for disabling
1d50c90ddb7e3d144ec8a2bd848ca1e7bbf8e534bnicholes# algorithms during SSL/TLS security parameter negotiation, including cipher
24e361af20a3107dc934b4895911ce6bcce0603ejwoolley# suite selection, peer authentication and key exchange mechanisms.
24e361af20a3107dc934b4895911ce6bcce0603ejwoolley#
24e361af20a3107dc934b4895911ce6bcce0603ejwoolley# For PKI-based peer authentication and key exchange mechanisms, this list
4657f9b12af4b123b80e15c73fa03c190e47a8bftrawick# of disabled algorithms will also be checked during certification path
4657f9b12af4b123b80e15c73fa03c190e47a8bftrawick# building and validation, including algorithms used in certificates, as
4657f9b12af4b123b80e15c73fa03c190e47a8bftrawick# well as revocation information such as CRLs and signed OCSP Responses.
4657f9b12af4b123b80e15c73fa03c190e47a8bftrawick# This is in addition to the jdk.certpath.disabledAlgorithms property above.
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb#
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb# See the specification of "jdk.certpath.disabledAlgorithms" for the
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb# syntax of the disabled algorithm string.
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb#
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb# Note: This property is currently used by Oracle's JSSE implementation.
c36bac9a918f59b2dbf5dcd7d67b50c1da04c89drbb# It is not guaranteed to be examined and used by other implementations.
ad668861e40da485f2eea24dc4c1f9940e470698rbb#
ad668861e40da485f2eea24dc4c1f9940e470698rbb# Example:
ad668861e40da485f2eea24dc4c1f9940e470698rbb# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
ad668861e40da485f2eea24dc4c1f9940e470698rbb
89211a5d592cdf0170d2b541946661b1a2a279c5trawick