java.security-windows revision 5870
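#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
# NOTE(review): because the preference order decides which implementation
# serves every algorithm request that does not name a provider, adding a
# provider to this list or moving one towards position 1 changes which
# code performs digest, signature and TLS operations JVM-wide. Treat any
# edit to this list as a security-relevant change and review it as such.
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#    -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.
#
# NOTE(review): the fallback described above is silent; if the configured
# URL cannot be opened, seeding quietly degrades to the system/thread
# activity algorithm. On hosts where the seed source matters, confirm at
# deployment time that the configured URL is actually reachable by the JVM.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# Whether or not we expand properties in the policy file.
# If this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# Whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
#
# NOTE(review): while this is enabled, anyone who can add options to the
# JVM command line can supply an additional policy file. Comment the line
# out in deployments where JVM options are not a trusted input.
policy.allowSystemProperty=true

# Whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# List of comma-separated packages that start with or equal one of these
# strings. Passing such a package to checkPackageAccess will cause a
# security exception to be thrown unless the corresponding
# RuntimePermission ("accessClassInPackage."+package) has been granted.
#
# NOTE(review): this list is identical to package.definition below; keep
# the two in sync when adding or removing an entry.
#
package.access=sun.,\
 com.sun.xml.internal.bind.,\
 com.sun.xml.internal.org.jvnet.staxex.,\
 com.sun.xml.internal.ws.,\
 com.sun.imageio.,\
 com.sun.istack.internal.,\
 com.sun.jmx.,\
 com.sun.proxy.,\
 com.sun.org.apache.xerces.internal.utils.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.glassfish.external.,\
 com.sun.org.glassfish.gmbal.,\
 oracle.jrockit.jfr.

#
# List of comma-separated packages that start with or equal one of these
# strings. Passing such a package to checkPackageDefinition will cause a
# security exception to be thrown unless the corresponding
# RuntimePermission ("defineClassInPackage."+package) has been granted.
#
# By default, none of the class loaders supplied with the JDK call
# checkPackageDefinition, so this list only takes effect for class
# loaders that do.
#
package.definition=sun.,\
 com.sun.xml.internal.bind.,\
 com.sun.xml.internal.org.jvnet.staxex.,\
 com.sun.xml.internal.ws.,\
 com.sun.imageio.,\
 com.sun.istack.internal.,\
 com.sun.jmx.,\
 com.sun.proxy.,\
 com.sun.org.apache.xerces.internal.utils.,\
 com.sun.org.apache.xalan.internal.utils.,\
 com.sun.org.glassfish.external.,\
 com.sun.org.glassfish.gmbal.,\
 oracle.jrockit.jfr.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
# NOTE(review): while this is true, a -Djava.security.properties option can
# add to or replace every setting in this file, including the provider
# list, the package.access lists and the disabled-algorithm sets. Set it
# to false where the JVM command line is not a trusted input.
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# NOTE(review): this file leaves ocsp.enable unset, so OCSP-based
# revocation checking is off unless the property is set here or by the
# application. Confirm that the deployment's revocation requirements are
# met before relying on the defaults in this section.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please note that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
# NOTE(review): the active value below is narrower than the example above:
# it disables only MD2 and RSA keys shorter than 1024 bits, and leaves DSA
# and RSA keys between 1024 and 2048 bits accepted. Review the active set
# against current guidance for the deployment rather than assuming it
# matches the example.
#
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# NOTE(review): only an example is given here; no jdk.tls.disabledAlgorithms
# value is set in this file, so this file applies no SSL/TLS-specific
# restriction on cipher suites or key exchange. Certificates used in TLS
# are still subject to jdk.certpath.disabledAlgorithms above. Set an
# explicit value here if the deployment needs TLS-level restrictions.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

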