java.security-solaris revision 3006
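#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
# NOTE(review): provider order is a trust decision, not just a tie-break.
# The SunPKCS11 provider at position 1 is consulted first for every
# algorithm it advertises, so which implementation actually runs depends
# on the contents of sunpkcs11-solaris.cfg. That file should be owned by
# root and not writable by the users who run JVMs -- presumably it names
# the native PKCS#11 library that gets loaded into the process; verify
# against the JDK's SunPKCS11 documentation.
#
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
# NOTE(review): the fallback described above happens without an error.
# If /dev/urandom is absent or unreadable in the runtime environment
# (a chroot or minimal container, for example), key and nonce generation
# proceeds with the weaker system/thread-activity seeder. Confirm the
# device exists wherever this JDK is deployed.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#    -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
#
# NOTE(review): policy.url.2 lets a per-user ~/.java.policy grant
# additional permissions. For server or daemon JVMs that run under a
# security manager, anyone able to write to that account's home
# directory can extend the effective policy; comment the line out in
# such deployments.
#
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
#
# NOTE(review): with this enabled, -Djava.security.policy==somefile
# (two equals signs) REPLACES the policy files listed above instead of
# adding to them. Treat control of the JVM command line as control of
# the policy.
#
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
# NOTE(review): JKS protects private keys with a proprietary password-based
# scheme that is weaker than PKCS#12, and the PKCS#12 format is portable to
# other tools. Prefer "pkcs12" for new keystores. Changing this default also
# changes what KeyStore.getDefaultType() returns, so existing JKS files
# would have to be converted before flipping it here.
#
keystore.type=jks

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
#
# NOTE(review): when a security manager is active this list is the
# reflection boundary between untrusted code and JDK-internal classes.
# Newer JDK updates ship a considerably longer list; keep this property
# in step with the list that ships with the JDK actually installed
# rather than carrying an older, shorter one forward.
#
package.access=sun.,com.sun.imageio.

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
#package.definition=

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
# NOTE(review): -Djava.security.properties==file (two equals signs)
# replaces this entire file -- provider list, package.access and the
# disabledAlgorithms settings below included. Set this to false where
# the JVM command line is not fully trusted.
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280, now
# superseded by RFC 5280) is absent from the certificate or when it
# requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253, now superseded by RFC 4514) which
# identifies a certificate in the set of certificates supplied during cert
# path validation. In cases where the subject name alone is not sufficient
# to uniquely identify the certificate then both the
# "ocsp.responderCertIssuerName" and "ocsp.responderCertSerialNumber"
# properties must be used instead. When this property is set then those two
# properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253, now superseded by RFC 4514) which
# identifies a certificate in the set of certificates supplied during cert
# path validation. When this property is set then the
# "ocsp.responderCertSerialNumber" property must also be set. When the
# "ocsp.responderCertSubjectName" property is set then this property is
# ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
# NOTE(review): disabling only MD2 still accepts MD5-signed certificates,
# CRLs and OCSP responses (MD5 collisions are practical) and RSA keys
# shorter than 1024 bits. The setting below rejects both as well. If a
# deployment still relies on such certificates this will cause path
# validation failures; fix the certificates rather than relaxing this.
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# NOTE(review): no jdk.tls.disabledAlgorithms value is set in this file,
# so nothing is disabled for TLS negotiation beyond what the certpath
# list above rejects. Which keywords this JDK release accepts here
# (beyond the algorithm names shown in the example) is not visible from
# this file -- check the release notes before adding protocol or cipher
# names.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
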