java.security-windows revision 5085
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
# (The number 1 is used for the default provider.)
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# This "NativePRNG" reads random bytes directly from /dev/urandom.
# be specified with the system property "java.security.egd". For example,
# Specifying this system property will override the securerandom.source
# Class to instantiate as the javax.security.auth.login.Configuration
# with -Djava.security.policy=somefile. Comment out this line to disable
keystore.type=jks
package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
package.definition=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
# or overridden on the command line via -Djava.security.properties
# the javax.net.ssl package.
ssl.KeyManagerFactory.algorithm=SunX509
# ocsp.enable=true
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# ocsp.responderCertSerialNumber=2A:FF:00
# more than what is defined in krb5.conf, it will be ignored.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# krb5.kdc.bad.policy = tryLast
# krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast
# and/or key length. This includes algorithms used in certificates, as well
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
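
An added example, not part of the JDK file: a Python check over a java.security-style file that lists the `security.provider.<n>` entries in preference order, flags numbers skipped in the 1-based sequence, and reports whether `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` are active settings rather than text inside a comment. The sample content is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in java.security syntax (not the page's file): provider 3
# is missing and the TLS restriction exists only as a comment.
SAMPLE = """\
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.crypto.provider.SunJCE
krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""

def parse_properties(text):
    """Return active key/value pairs; lines starting with '#' or '!' are comments.
    Simplification (assumption): backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def provider_order(props):
    """Return ([(n, className), ...] sorted by preference, [missing n, ...])."""
    found = sorted((int(m.group(1)), v) for k, v in props.items()
                   if (m := re.fullmatch(r"security\.provider\.(\d+)", k)))
    numbers = [n for n, _ in found]
    last = numbers[-1] if numbers else 0
    gaps = [n for n in range(1, last + 1) if n not in numbers]
    return found, gaps

def audit(text):
    """Return a list of findings for one java.security-style file."""
    props = parse_properties(text)
    found, gaps = provider_order(props)
    findings = []
    if not found:
        findings.append("no security.provider.<n> entry")
    if gaps:
        findings.append(f"provider numbering skips {gaps}")
    for key in ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"):
        if key not in props:
            findings.append(f"{key} is not set (commented out or absent)")
    return findings
```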