1N/A# This is the "master security properties file".
1N/A# In this file, various security properties are set for use by
1N/A# Cryptography Package Providers ("providers" for short). The term
1N/A# "provider" refers to a package or set of packages that supply a
1N/A# concrete implementation of a subset of the cryptography aspects of
1N/A# the Java Security API. A provider may, for example, implement one or
1N/A# more digital signature algorithms or message digest algorithms.
1N/A# Each provider must implement a subclass of the Provider class.
1N/A# To register a provider in this master security properties file,
1N/A# specify the Provider subclass name and priority in the format
1N/A# This declares a provider, and specifies its preference
1N/A# order n. The preference order is the order in which providers are
1N/A# searched for requested algorithms (when no specific provider is
1N/A# requested). The order is 1-based; 1 is the most preferred, followed
1N/A# <className> must specify the subclass of the Provider class whose
1N/A# constructor sets the values of various properties that are required
1N/A# for the Java Security API to look up the algorithms or other
1N/A# facilities implemented by the provider.
1N/A# There is a default provider that comes standard with the JDK. It
1N/A# is called the "SUN" provider, and its Provider subclass
1N/A# "SUN" provider is registered via the following:
1N/A# (The number 1 is used for the default provider.)
1N/A# Note: Providers can be dynamically registered instead by calls to
1N/A# either the addProvider or insertProviderAt method in the Security
1N/A# List of providers and their preference orders (see above):
1N/A# Select the source of seed data for SecureRandom. By default an
1N/A# attempt is made to use the entropy gathering device specified by
1N/A# exists, a special SecureRandom implementation is activated by default.
1N/A# enables use of the Microsoft CryptoAPI seed functionality.
1N/A# The entropy gathering device is described as a URL and can also
1N/A# Default login configuration file
1N/A# Class to instantiate as the system Policy. This is the name of the class
1N/A# that will be used as the Policy object.
1N/A# The default is to have a single system-wide policy file,
1N/A# and a policy file in the user's home directory.
1N/A# whether or not we expand properties in the policy file
1N/A# if this is set to false, properties (${...}) will not be expanded in policy
1N/A# whether or not we allow an extra policy to be passed on the command line
1N/A# whether or not we look into the IdentityScope for trusted Identities
1N/A# when encountering a 1.1 signed JAR file. If the identity is found
1N/A# and is trusted, we grant it AllPermission.
1N/A# Default keystore type.
1N/A# List of comma-separated packages that start with or equal this string
1N/A# will cause a security exception to be thrown when
1N/A# passed to checkPackageAccess unless the
1N/A# corresponding RuntimePermission ("accessClassInPackage."+package) has
1N/A# List of comma-separated packages that start with or equal this string
1N/A# will cause a security exception to be thrown when
1N/A# passed to checkPackageDefinition unless the
1N/A# corresponding RuntimePermission ("defineClassInPackage."+package) has
1N/A# by default, none of the class loaders supplied with the JDK call
1N/A# checkPackageDefinition.
1N/A# Determines whether this properties file can be appended to
1N/A# Determines the default key and trust manager factory algorithms for
1N/A# The Java-level namelookup cache policy for successful lookups:
1N/A# any negative value: caching forever
1N/A# any positive value: the number of seconds to cache an address for
1N/A# default value is forever (FOREVER). For security reasons, this
1N/A# caching is made forever when a security manager is set. When a security
1N/A# manager is not set, the default behavior in this implementation
1N/A# is to cache for 30 seconds.
1N/A# NOTE: setting this to anything other than the default value can have
1N/A# serious security implications. Do not set it unless
1N/A# you are sure you are not exposed to DNS spoofing attack.
1N/A# The Java-level namelookup cache policy for failed lookups:
1N/A# any negative value: cache forever
1N/A# any positive value: the number of seconds to cache negative lookup results
1N/A# In some Microsoft Windows networking environments that employ
1N/A# the WINS name service in addition to DNS, name service lookups
1N/A# that fail may take a noticeably long time to return (approx. 5 seconds).
1N/A# For this reason the default caching policy is to maintain these
1N/A# results for 10 seconds.
1N/A# Properties to configure OCSP for certificate revocation checking
1N/A# By default, OCSP is not used for certificate revocation checking.
1N/A# This property enables the use of OCSP when set to the value "true".
1N/A# NOTE: SocketPermission is required to connect to an OCSP responder.
1N/A# Location of the OCSP responder
1N/A# By default, the location of the OCSP responder is determined implicitly
1N/A# from the certificate being validated. This property explicitly specifies
1N/A# the location of the OCSP responder. The property is used when the
1N/A# Authority Information Access extension (defined in RFC 3280) is absent
1N/A# from the certificate or when it requires overriding.
1N/A# Subject name of the OCSP responder's certificate
1N/A# By default, the certificate of the OCSP responder is that of the issuer
1N/A# of the certificate being validated. This property identifies the certificate
1N/A# of the OCSP responder when the default does not apply. Its value is a string
1N/A# distinguished name (defined in RFC 2253) which identifies a certificate in
1N/A# the set of certificates supplied during cert path validation. In cases where
1N/A# the subject name alone is not sufficient to uniquely identify the certificate
1N/A# property is set then those two properties are ignored.
1N/A# Issuer name of the OCSP responder's certificate
1N/A# By default, the certificate of the OCSP responder is that of the issuer
1N/A# of the certificate being validated. This property identifies the certificate
1N/A# of the OCSP responder when the default does not apply. Its value is a string
1N/A# distinguished name (defined in RFC 2253) which identifies a certificate in
1N/A# the set of certificates supplied during cert path validation. When this
1N/A# property is ignored.
1N/A# Serial number of the OCSP responder's certificate
1N/A# By default, the certificate of the OCSP responder is that of the issuer
1N/A# of the certificate being validated. This property identifies the certificate
1N/A# of the OCSP responder when the default does not apply. Its value is a string
1N/A# of hexadecimal digits (colon or space separators may be present) which
1N/A# identifies a certificate in the set of certificates supplied during cert path
1N/A# is set then this property is ignored.
1N/A# Policy for failed Kerberos KDC lookups:
1N/A# When a KDC is unavailable (network error, service failure, etc), it is
1N/A# put inside a blacklist and accessed less often for future requests. The
1N/A# value (case-insensitive) for this policy can be:
1N/A# KDCs in the blacklist are always tried after those not on the list.
1N/A# tryLess[:max_retries,timeout]
1N/A# KDCs in the blacklist are still tried by their order in the configuration,
1N/A# but with smaller max_retries and timeout values. max_retries and timeout
1N/A# are optional numerical parameters (default 1 and 5000, which means once
1N/A# and 5 seconds). Please notes that if any of the values defined here is
1N/A# more than what is defined in
krb5.conf, it will be ignored.
1N/A# Whenever a KDC is detected as available, it is removed from the blacklist.
1N/A# The blacklist is reset when
krb5.conf is reloaded. You can add
1N/A# refreshKrb5Config=true to a JAAS configuration file so that
krb5.conf is
1N/A# reloaded whenever a JAAS authentication is attempted.
1N/A# Algorithm restrictions for certification path (CertPath) processing
1N/A# In some environments, certain algorithms or key lengths may be undesirable
1N/A# for certification path building and validation. For example, "MD2" is
1N/A# generally no longer considered to be a secure hash algorithm. This section
1N/A# describes the mechanism for disabling algorithms based on algorithm name
1N/A#
and/or key length. This includes algorithms used in certificates, as well
1N/A# as revocation information such as CRLs and signed OCSP Responses.
1N/A# The syntax of the disabled algorithm string is described as this Java
1N/A# DisabledAlgorithms:
1N/A# " DisabledAlgorithm { , DisabledAlgorithm } "
1N/A# AlgorithmName [Constraint]
1N/A# keySize Operator DecimalInteger
1N/A# <= | < | == | != | >= | >
1N/A# DecimalDigit {DecimalDigit}
1N/A# DecimalDigit: one of
1N/A# 1 2 3 4 5 6 7 8 9 0
1N/A# The "AlgorithmName" is the standard algorithm name of the disabled
1N/A# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
1N/A# Documentation" for information about Standard Algorithm Names. Matching
1N/A# is performed using a case-insensitive sub-element matching rule. (For
1N/A# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
1N/A# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
1N/A# sub-element of the certificate algorithm name, the algorithm will be
1N/A# rejected during certification path building and validation. For example,
1N/A# the assertion algorithm name "DSA" will disable all certificate algorithms
1N/A# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
1N/A# will not disable algorithms related to "ECDSA".
1N/A# A "Constraint" provides further guidance for the algorithm being specified.
1N/A# The "KeySizeConstraint" requires a key of a valid size range if the
1N/A# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
1N/A# key size specified in number of bits. For example, "RSA keySize <= 1024"
1N/A# indicates that any RSA key with key size less than or equal to 1024 bits
1N/A# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
1N/A# that any RSA key with key size less than 1024 or greater than 2048 should
1N/A# be disabled. Note that the "KeySizeConstraint" only makes sense to key
1N/A# Note: This property is currently used by Oracle's PKIX implementation. It
1N/A# is not guaranteed to be examined and used by other implementations.
1N/A# In some environments, certain algorithms or key lengths may be undesirable
1N/A# when using
SSL/TLS. This section describes the mechanism for disabling
1N/A# algorithms during
SSL/TLS security parameters negotiation, including cipher
1N/A# suites selection, peer authentication and key exchange mechanisms.
1N/A# For PKI-based peer authentication and key exchange mechanisms, this list
1N/A# of disabled algorithms will also be checked during certification path
1N/A# building and validation, including algorithms used in certificates, as
1N/A# well as revocation information such as CRLs and signed OCSP Responses.
1N/A# syntax of the disabled algorithm string.
1N/A# Note: This property is currently used by Oracle's JSSE implementation.
1N/A# It is not guaranteed to be examined and used by other implementations.