java.security-solaris revision 5696
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# This is the "master security properties file".
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# In this file, various security properties are set for use by
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# java.security classes. This is where users can statically register
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Cryptography Package Providers ("providers" for short). The term
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# "provider" refers to a package or set of packages that supply a
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# concrete implementation of a subset of the cryptography aspects of
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# the Java Security API. A provider may, for example, implement one or
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# more digital signature algorithms or message digest algorithms.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Each provider must implement a subclass of the Provider class.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# To register a provider in this master security properties file,
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# specify the Provider subclass name and priority in the format
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# security.provider.<n>=<className>
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# This declares a provider, and specifies its preference
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# order n. The preference order is the order in which providers are
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# searched for requested algorithms (when no specific provider is
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# requested). The order is 1-based; 1 is the most preferred, followed
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# by 2, and so on.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# <className> must specify the subclass of the Provider class whose
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# constructor sets the values of various properties that are required
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# for the Java Security API to look up the algorithms or other
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# facilities implemented by the provider.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# There must be at least one provider specification in java.security.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# There is a default provider that comes standard with the JDK. It
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# is called the "SUN" provider, and its Provider subclass
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# named Sun appears in the sun.security.provider package. Thus, the
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# "SUN" provider is registered via the following:
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# (The number 1 is used for the default provider.)
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Note: Providers can be dynamically registered instead by calls to
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# either the addProvider or insertProviderAt method in the Security
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# List of providers and their preference orders (see above):
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncsecurity.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncsecurity.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncsecurity.provider.6=com.sun.net.ssl.internal.ssl.Provider
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncsecurity.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncsecurity.provider.11=sun.security.smartcardio.SunPCSC
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Select the source of seed data for SecureRandom. By default an
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# attempt is made to use the entropy gathering device specified by
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# the securerandom.source property. If an exception occurs when
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# accessing the URL then the traditional system/thread activity
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# algorithm is used.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# On Solaris and Linux systems, if file:/dev/urandom is specified and it
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# exists, a special SecureRandom implementation is activated by default.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# This "NativePRNG" reads random bytes directly from /dev/urandom.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# enables use of the Microsoft CryptoAPI seed functionality.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# The entropy gathering device is described as a URL and can also
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# be specified with the system property "java.security.egd". For example,
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Specifying this system property will override the securerandom.source
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Class to instantiate as the javax.security.auth.login.Configuration
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsynclogin.configuration.provider=com.sun.security.auth.login.ConfigFile
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Default login configuration file
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync#login.config.url.1=file:${user.home}/.java.login.config
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Class to instantiate as the system Policy. This is the name of the class
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# that will be used as the Policy object.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# The default is to have a single system-wide policy file,
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# and a policy file in the user's home directory.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsyncpolicy.url.1=file:${java.home}/lib/security/java.policy
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# whether or not we expand properties in the policy file
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# if this is set to false, properties (${...}) will not be expanded in policy
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# whether or not we allow an extra policy to be passed on the command line
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# with -Djava.security.policy=somefile. Comment out this line to disable
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# this feature.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# whether or not we look into the IdentityScope for trusted Identities
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# when encountering a 1.1 signed JAR file. If the identity is found
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# and is trusted, we grant it AllPermission.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# Default keystore type.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# List of comma-separated packages that start with or equal this string
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# will cause a security exception to be thrown when
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# passed to checkPackageAccess unless the
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# corresponding RuntimePermission ("accessClassInPackage."+package) has
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# been granted.
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# List of comma-separated packages that start with or equal this string
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# will cause a security exception to be thrown when
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# passed to checkPackageDefinition unless the
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# corresponding RuntimePermission ("defineClassInPackage."+package) has
61cb83a8ccd1dd7f671f31fa93c9d8b7be09b4ccvboxsync# been granted.
package.definition=sun.,\
# or overridden on the command line via -Djava.security.properties
# the javax.net.ssl package.
ssl.KeyManagerFactory.algorithm=SunX509
# ocsp.enable=true
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# ocsp.responderCertSerialNumber=2A:FF:00
# more than what is defined in krb5.conf, it will be ignored.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# krb5.kdc.bad.policy = tryLast
# krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast
# and/or key length. This includes algorithms used in certificates, as well
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048