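#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
# security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
# security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
# -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# Whether or not we expand properties in the policy file.
# If this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# Whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
# NOTE(review): while this is true, whoever controls the JVM command line
# can add grants via an extra policy file; disable it where that is not
# intended.
policy.allowSystemProperty=true

# Whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# Comma-separated list of package-name prefixes. A package name that
# starts with or equals one of these strings will cause a security
# exception to be thrown when passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,\
 com.sun.xml.internal.,\
 com.sun.imageio.,\
 com.sun.org.apache.xerces.internal.utils.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.glassfish.external.,\
 com.sun.org.glassfish.gmbal.

#
# Comma-separated list of package-name prefixes. A package name that
# starts with or equals one of these strings will cause a security
# exception to be thrown when passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# By default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
package.definition=sun.,\
 com.sun.xml.internal.,\
 com.sun.imageio.,\
 com.sun.org.apache.xerces.internal.utils.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.glassfish.external.,\
 com.sun.org.glassfish.gmbal.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
# ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
# ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
# ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
# KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
# KDCs in the blacklist are still tried by their order in the configuration,
# but with smaller max_retries and timeout values. max_retries and timeout
# are optional numerical parameters (default 1 and 5000, which means once
# and 5 seconds). Please note that if any of the values defined here is
# more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
# krb5.kdc.bad.policy = tryLast
# krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
#
# Operator:
# <= | < | == | != | >= | >
#
# DecimalInteger:
# DecimalDigits
#
# DecimalDigits:
# DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
# NOTE(review): only MD2 is disabled by the active value below; the example
# above shows how further algorithms or key-size constraints would be added.
#
jdk.certpath.disabledAlgorithms=MD2

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
#
# NOTE(review): no active jdk.tls.disabledAlgorithms value is set in this
# file; only the example above is given, so the SSL/TLS-specific restriction
# is left unset here.

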