java.security-solaris revision 6407
# This is the "master security properties file".
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
# Each provider must implement a subclass of the Provider class.

# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
# security.provider.<n>=<className>
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.

# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
# (The number 1 is used for the default provider.)

# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security

# List of providers and their preference orders (see above):
security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI

# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
# Specifying this system property will override the securerandom.source

# Class to instantiate as the javax.security.auth.login.Configuration
login.configuration.provider=com.sun.security.auth.login.ConfigFile

# Default login configuration file
#login.config.url.1=file:${user.home}/.java.login.config

# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.

# Default keystore type.

# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.

# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.

# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties

# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
# ocsp.enable=true
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# ocsp.responderCertSerialNumber=2A:FF:00
# more than what is defined in krb5.conf, it will be ignored.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# krb5.kdc.bad.policy = tryLast
# krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast
# and/or key length. This includes algorithms used in certificates, as well
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
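
Added example, not part of the JDK file shown above: a small Java program that prints the provider preference order of the running JVM and the effective jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms values, and reports the smallest RSA key size each still accepts. The class name SecurityPropsAudit and the 2048-bit floor (taken from this file's commented examples) are assumptions, and only the `<` and `<=` keySize forms are parsed.

```java
import java.security.Provider;
import java.security.Security;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SecurityPropsAudit {
    // Matches size constraints written as in this file, e.g. "RSA keySize < 1024".
    private static final Pattern KEY_SIZE =
            Pattern.compile("(\\w+)\\s+keySize\\s*(<=|<)\\s*(\\d+)");

    // Smallest RSA key size (bits) the property value still permits:
    // 0 = no RSA restriction, Integer.MAX_VALUE = RSA disabled outright.
    static int minAllowedRsaBits(String value) {
        int min = 0;
        if (value == null) return min;
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (e.equalsIgnoreCase("RSA")) return Integer.MAX_VALUE;
            Matcher m = KEY_SIZE.matcher(e);
            if (m.matches() && m.group(1).equalsIgnoreCase("RSA")) {
                int bound = Integer.parseInt(m.group(3));
                // "< n" rejects sizes below n; "<= n" also rejects n itself.
                min = Math.max(min, m.group(2).equals("<") ? bound : bound + 1);
            }
        }
        return min;
    }

    static void report(String label, String value, int floor) {
        int min = minAllowedRsaBits(value);
        String accepted = (min == 0) ? "any size" : min + " bits";
        String verdict = (min >= floor) ? "ok" : "WEAK: RSA keys of " + accepted + " accepted";
        System.out.printf("%-34s %-30s %s%n", label, value, verdict);
    }

    public static void main(String[] args) {
        int floor = 2048; // assumption: the bound used in this file's commented examples
        // Preference order in effect (static entries plus any dynamic registration).
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d=%s%n", i + 1, providers[i].getClass().getName());
        }
        // Effective values, after any -Djava.security.properties override.
        for (String key : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            report(key, Security.getProperty(key), floor);
        }
        // Values copied from this file, for comparison.
        report("file: active certpath value", "MD2, RSA keySize < 1024", floor);
        report("file: commented certpath example", "MD2, DSA, RSA keySize < 2048", floor);
    }
}
```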