1 #
2 # This is the "master security properties file".
3 #
4 # In this file, various security properties are set for use by
5 # java.security classes. This is where users can statically register
6 # Cryptography Package Providers ("providers" for short). The term
7 # "provider" refers to a package or set of packages that supply a
8 # concrete implementation of a subset of the cryptography aspects of
9 # the Java Security API. A provider may, for example, implement one or
10 # more digital signature algorithms or message digest algorithms.
11 #
12 # Each provider must implement a subclass of the Provider class.
13 # To register a provider in this master security properties file,
14 # specify the Provider subclass name and priority in the format
15 #
16 # security.provider.<n>=<className>
17 #
18 # This declares a provider, and specifies its preference
19 # order n. The preference order is the order in which providers are
20 # searched for requested algorithms (when no specific provider is
21 # requested). The order is 1-based; 1 is the most preferred, followed
22 # by 2, and so on.
23 #
24 # <className> must specify the subclass of the Provider class whose
25 # constructor sets the values of various properties that are required
26 # for the Java Security API to look up the algorithms or other
27 # facilities implemented by the provider.
28 #
29 # There must be at least one provider specification in java.security.
30 # There is a default provider that comes standard with the JDK. It
31 # is called the "SUN" provider, and its Provider subclass
32 # named Sun appears in the sun.security.provider package. Thus, the
33 # "SUN" provider is registered via the following:
34 #
35 # security.provider.1=sun.security.provider.Sun
36 #
37 # (The number 1 is used for the default provider.)
38 #
39 # Note: Providers can be dynamically registered instead by calls to
40 # either the addProvider or insertProviderAt method in the Security
41 # class.
42
43 #
44 # List of providers and their preference orders (see above):
45 #
46 security.provider.1=sun.security.provider.Sun
47 security.provider.2=sun.security.rsa.SunRsaSign
48 security.provider.3=com.sun.net.ssl.internal.ssl.Provider
49 security.provider.4=com.sun.crypto.provider.SunJCE
50 security.provider.5=sun.security.jgss.SunProvider
51 security.provider.6=com.sun.security.sasl.Provider
52 security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
53 security.provider.8=sun.security.smartcardio.SunPCSC
54 security.provider.9=sun.security.mscapi.SunMSCAPI
55
56 #
57 # Select the source of seed data for SecureRandom. By default an
58 # attempt is made to use the entropy gathering device specified by
59 # the securerandom.source property. If an exception occurs when
60 # accessing the URL then the traditional system/thread activity
61 # algorithm is used.
62 #
63 # On Solaris and Linux systems, if file:/dev/urandom is specified and it
64 # exists, a special SecureRandom implementation is activated by default.
65 # This "NativePRNG" reads random bytes directly from /dev/urandom.
66 #
67 # On Windows systems, the URLs file:/dev/random and file:/dev/urandom
68 # enables use of the Microsoft CryptoAPI seed functionality.
69 #
70 securerandom.source=file:/dev/urandom
71 #
72 # The entropy gathering device is described as a URL and can also
73 # be specified with the system property "java.security.egd". For example,
74 # -Djava.security.egd=file:/dev/urandom
75 # Specifying this system property will override the securerandom.source
76 # setting.
77
78 #
79 # Class to instantiate as the javax.security.auth.login.Configuration
80 # provider.
81 #
82 login.configuration.provider=com.sun.security.auth.login.ConfigFile
83
84 #
85 # Default login configuration file
86 #
87 #login.config.url.1=file:${user.home}/.java.login.config
88
89 #
90 # Class to instantiate as the system Policy. This is the name of the class
91 # that will be used as the Policy object.
92 #
93 policy.provider=sun.security.provider.PolicyFile
94
95 # The default is to have a single system-wide policy file,
96 # and a policy file in the user's home directory.
97 policy.url.1=file:${java.home}/lib/security/java.policy
98 policy.url.2=file:${user.home}/.java.policy
99
100 # whether or not we expand properties in the policy file
101 # if this is set to false, properties (${...}) will not be expanded in policy
102 # files.
103 policy.expandProperties=true
104
105 # whether or not we allow an extra policy to be passed on the command line
106 # with -Djava.security.policy=somefile. Comment out this line to disable
107 # this feature.
108 policy.allowSystemProperty=true
109
110 # whether or not we look into the IdentityScope for trusted Identities
111 # when encountering a 1.1 signed JAR file. If the identity is found
112 # and is trusted, we grant it AllPermission.
113 policy.ignoreIdentityScope=false
114
115 #
116 # Default keystore type.
117 #
118 keystore.type=jks
119
120 #
121 # Class to instantiate as the system scope:
122 #
123 system.scope=sun.security.provider.IdentityDatabase
124
125 #
126 # List of comma-separated packages that start with or equal this string
127 # will cause a security exception to be thrown when
128 # passed to checkPackageAccess unless the
129 # corresponding RuntimePermission ("accessClassInPackage."+package) has
130 # been granted.
131 package.access=sun.,\
132 com.sun.xml.internal.,\
133 com.sun.imageio.,\
134 com.sun.istack.internal.,\
135 com.sun.jmx.,\
136 com.sun.proxy.,\
137 com.sun.corba.se.,\
138 com.sun.script.,\
139 com.sun.org.apache.bcel.internal.,\
140 com.sun.org.apache.regexp.internal.,\
141 com.sun.org.apache.xerces.internal.,\
142 com.sun.org.apache.xpath.internal.,\
143 com.sun.org.apache.xalan.internal.extensions.,\
144 com.sun.org.apache.xalan.internal.lib.,\
145 com.sun.org.apache.xalan.internal.res.,\
146 com.sun.org.apache.xalan.internal.templates.,\
147 com.sun.org.apache.xalan.internal.utils.\
148 com.sun.org.apache.xalan.internal.xslt.,\
149 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
150 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
151 com.sun.org.apache.xalan.internal.xsltc.trax.,\
152 com.sun.org.apache.xalan.internal.xsltc.util.,\
153 com.sun.org.apache.xml.internal.res.,\
154 com.sun.org.apache.xml.internal.serializer.utils.,\
155 com.sun.org.apache.xml.internal.utils.,\
156 com.sun.org.apache.xml.internal.security.,\
157 com.sun.org.glassfish.,\
158 com.sun.naming.internal.,\
159 org.jcp.xml.dsig.internal.\
160 com.sun.java.accessibility.
161
162 #
163 # List of comma-separated packages that start with or equal this string
164 # will cause a security exception to be thrown when
165 # passed to checkPackageDefinition unless the
166 # corresponding RuntimePermission ("defineClassInPackage."+package) has
167 # been granted.
168 #
169 # by default, none of the class loaders supplied with the JDK call
170 # checkPackageDefinition.
171 #
172 package.definition=sun.,\
173 com.sun.xml.internal.,\
174 com.sun.imageio.,\
175 com.sun.istack.internal.,\
176 com.sun.jmx.,\
177 com.sun.proxy.,\
178 com.sun.corba.se.,\
179 com.sun.script.,\
180 com.sun.org.apache.bcel.internal.,\
181 com.sun.org.apache.regexp.internal.,\
182 com.sun.org.apache.xerces.internal.,\
183 com.sun.org.apache.xpath.internal.,\
184 com.sun.org.apache.xalan.internal.extensions.,\
185 com.sun.org.apache.xalan.internal.lib.,\
186 com.sun.org.apache.xalan.internal.res.,\
187 com.sun.org.apache.xalan.internal.templates.,\
188 com.sun.org.apache.xalan.internal.xslt.,\
189 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
190 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
191 com.sun.org.apache.xalan.internal.xsltc.trax.,\
192 com.sun.org.apache.xalan.internal.xsltc.util.,\
193 com.sun.org.apache.xml.internal.res.,\
194 com.sun.org.apache.xml.internal.serializer.utils.,\
195 com.sun.org.apache.xml.internal.utils.,\
196 com.sun.org.apache.xml.internal.security.,\
197 com.sun.org.glassfish.,\
198 com.sun.naming.internal.,\
199 org.jcp.xml.dsig.internal.\
200 com.sun.java.accessibility.
201
202 #
203 # Determines whether this properties file can be appended to
204 # or overridden on the command line via -Djava.security.properties
205 #
206 security.overridePropertiesFile=true
207
208 #
209 # Determines the default key and trust manager factory algorithms for
210 # the javax.net.ssl package.
211 #
212 ssl.KeyManagerFactory.algorithm=SunX509
213 ssl.TrustManagerFactory.algorithm=PKIX
214
215 #
216 # The Java-level namelookup cache policy for successful lookups:
217 #
218 # any negative value: caching forever
219 # any positive value: the number of seconds to cache an address for
220 # zero: do not cache
221 #
222 # default value is forever (FOREVER). For security reasons, this
223 # caching is made forever when a security manager is set. When a security
224 # manager is not set, the default behavior in this implementation
225 # is to cache for 30 seconds.
226 #
227 # NOTE: setting this to anything other than the default value can have
228 # serious security implications. Do not set it unless
229 # you are sure you are not exposed to DNS spoofing attack.
230 #
231 #networkaddress.cache.ttl=-1
232
233 # The Java-level namelookup cache policy for failed lookups:
234 #
235 # any negative value: cache forever
236 # any positive value: the number of seconds to cache negative lookup results
237 # zero: do not cache
238 #
239 # In some Microsoft Windows networking environments that employ
240 # the WINS name service in addition to DNS, name service lookups
241 # that fail may take a noticeably long time to return (approx. 5 seconds).
242 # For this reason the default caching policy is to maintain these
243 # results for 10 seconds.
244 #
245 #
246 networkaddress.cache.negative.ttl=10
247
248 #
249 # Properties to configure OCSP for certificate revocation checking
250 #
251
252 # Enable OCSP
253 #
254 # By default, OCSP is not used for certificate revocation checking.
255 # This property enables the use of OCSP when set to the value "true".
256 #
257 # NOTE: SocketPermission is required to connect to an OCSP responder.
258 #
259 # Example,
260 # ocsp.enable=true
261
262 #
263 # Location of the OCSP responder
264 #
265 # By default, the location of the OCSP responder is determined implicitly
266 # from the certificate being validated. This property explicitly specifies
267 # the location of the OCSP responder. The property is used when the
268 # Authority Information Access extension (defined in RFC 3280) is absent
269 # from the certificate or when it requires overriding.
270 #
271 # Example,
272 # ocsp.responderURL=http://ocsp.example.net:80
273
274 #
275 # Subject name of the OCSP responder's certificate
276 #
277 # By default, the certificate of the OCSP responder is that of the issuer
278 # of the certificate being validated. This property identifies the certificate
279 # of the OCSP responder when the default does not apply. Its value is a string
280 # distinguished name (defined in RFC 2253) which identifies a certificate in
281 # the set of certificates supplied during cert path validation. In cases where
282 # the subject name alone is not sufficient to uniquely identify the certificate
283 # then both the "ocsp.responderCertIssuerName" and
284 # "ocsp.responderCertSerialNumber" properties must be used instead. When this
285 # property is set then those two properties are ignored.
286 #
287 # Example,
288 # ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
289
290 #
291 # Default ephemeral port ranges (operating system specific)
292 # used by java.net.SocketPermission to interpret the meaning of the special
293 # port value zero, as in the following example:
294 #
295 # SocketPermission("localhost:0" , "listen");
296 #
297 # These can be overridden by the system properties:
298 #
299 # jdk.net.ephemeralPortRange.low and
300 # jdk.net.ephemeralPortRange.high
301 #
302 # respectively.
303 #
304 network.ephemeralPortRange.low=49152
305 network.ephemeralPortRange.high=65535
306 #
307 # Issuer name of the OCSP responder's certificate
308 #
309 # By default, the certificate of the OCSP responder is that of the issuer
310 # of the certificate being validated. This property identifies the certificate
311 # of the OCSP responder when the default does not apply. Its value is a string
312 # distinguished name (defined in RFC 2253) which identifies a certificate in
313 # the set of certificates supplied during cert path validation. When this
314 # property is set then the "ocsp.responderCertSerialNumber" property must also
315 # be set. When the "ocsp.responderCertSubjectName" property is set then this
316 # property is ignored.
317 #
318 # Example,
319 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
320
321 #
322 # Serial number of the OCSP responder's certificate
323 #
324 # By default, the certificate of the OCSP responder is that of the issuer
325 # of the certificate being validated. This property identifies the certificate
326 # of the OCSP responder when the default does not apply. Its value is a string
327 # of hexadecimal digits (colon or space separators may be present) which
328 # identifies a certificate in the set of certificates supplied during cert path
329 # validation. When this property is set then the "ocsp.responderCertIssuerName"
330 # property must also be set. When the "ocsp.responderCertSubjectName" property
331 # is set then this property is ignored.
332 #
333 # Example,
334 # ocsp.responderCertSerialNumber=2A:FF:00
335
336 # Algorithm restrictions for certification path (CertPath) processing
337 #
338 # In some environments, certain algorithms or key lengths may be undesirable
339 # for certification path building and validation. For example, "MD2" is
340 # generally no longer considered to be a secure hash algorithm. This section
341 # describes the mechanism for disabling algorithms based on algorithm name
342 # and/or key length. This includes algorithms used in certificates, as well
343 # as revocation information such as CRLs and signed OCSP Responses.
344 #
345 # The syntax of the disabled algorithm string is described as this Java
346 # BNF-style:
347 # DisabledAlgorithms:
348 # " DisabledAlgorithm { , DisabledAlgorithm } "
349 #
350 # DisabledAlgorithm:
351 # AlgorithmName [Constraint]
352 #
353 # AlgorithmName:
354 # (see below)
355 #
356 # Constraint:
357 # KeySizeConstraint
358 #
359 # KeySizeConstraint:
360 # keySize Operator DecimalInteger
361 #
362 # Operator:
363 # <= | < | == | != | >= | >
364 #
365 # DecimalInteger:
366 # DecimalDigits
367 #
368 # DecimalDigits:
369 # DecimalDigit {DecimalDigit}
370 #
371 # DecimalDigit: one of
372 # 1 2 3 4 5 6 7 8 9 0
373 #
374 # The "AlgorithmName" is the standard algorithm name of the disabled
375 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
376 # Documentation" for information about Standard Algorithm Names. Matching
377 # is performed using a case-insensitive sub-element matching rule. (For
378 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
379 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
380 # sub-element of the certificate algorithm name, the algorithm will be
381 # rejected during certification path building and validation. For example,
382 # the assertion algorithm name "DSA" will disable all certificate algorithms
383 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
384 # will not disable algorithms related to "ECDSA".
385 #
386 # A "Constraint" provides further guidance for the algorithm being specified.
387 # The "KeySizeConstraint" requires a key of a valid size range if the
388 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
389 # key size specified in number of bits. For example, "RSA keySize <= 1024"
390 # indicates that any RSA key with key size less than or equal to 1024 bits
391 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
392 # that any RSA key with key size less than 1024 or greater than 2048 should
393 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
394 # algorithms.
395 #
396 # Note: This property is currently used by Oracle's PKIX implementation. It
397 # is not guaranteed to be examined and used by other implementations.
398 #
399 # Example:
400 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
401 #
402 #
403 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
404
405 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
406 # (SSL/TLS) processing
407 #
408 # In some environments, certain algorithms or key lengths may be undesirable
409 # when using SSL/TLS. This section describes the mechanism for disabling
410 # algorithms during SSL/TLS security parameters negotiation, including
411 # protocol version negotiation, cipher suites selection, peer authentication
412 # and key exchange mechanisms.
413 #
414 # Disabled algorithms will not be negotiated for SSL/TLS connections, even
415 # if they are enabled explicitly in an application.
416 #
417 # For PKI-based peer authentication and key exchange mechanisms, this list
418 # of disabled algorithms will also be checked during certification path
419 # building and validation, including algorithms used in certificates, as
420 # well as revocation information such as CRLs and signed OCSP Responses.
421 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
422 #
423 # See the specification of "jdk.certpath.disabledAlgorithms" for the
424 # syntax of the disabled algorithm string.
425 #
426 # Note: This property is currently used by Oracle's JSSE implementation.
427 # It is not guaranteed to be examined and used by other implementations.
428 #
429 # Example:
430 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
431 jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
432
433 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
434 # processing in JSSE implementation.
435 #
436 # In some environments, a certain algorithm may be undesirable but it
437 # cannot be disabled because of its use in legacy applications. Legacy
438 # algorithms may still be supported, but applications should not use them
439 # as the security strength of legacy algorithms are usually not strong enough
440 # in practice.
441 #
442 # During SSL/TLS security parameters negotiation, legacy algorithms will
443 # not be negotiated unless there are no other candidates.
444 #
445 # The syntax of the disabled algorithm string is described as this Java
446 # BNF-style:
447 # LegacyAlgorithms:
448 # " LegacyAlgorithm { , LegacyAlgorithm } "
449 #
450 # LegacyAlgorithm:
451 # AlgorithmName (standard JSSE algorithm name)
452 #
453 # See the specification of security property "jdk.certpath.disabledAlgorithms"
454 # for the syntax and description of the "AlgorithmName" notation.
455 #
456 # Per SSL/TLS specifications, cipher suites have the form:
457 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
458 # or
459 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
460 #
461 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
462 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
463 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
464 # algorithm for HMAC.
465 #
466 # The LegacyAlgorithm can be one of the following standard algorithm names:
467 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
468 # 2. JSSE key exchange algorithm name, e.g., RSA
469 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
470 # 4. JSSE message digest algorithm name, e.g., SHA
471 #
472 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
473 # Algorithm Name Documentation" for information about the algorithm names.
474 #
475 # Note: This property is currently used by Oracle's JSSE implementation.
476 # It is not guaranteed to be examined and used by other implementations.
477 # There is no guarantee the property will continue to exist or be of the
478 # same syntax in future releases.
479 #
480 # Example:
481 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
482 #
483 jdk.tls.legacyAlgorithms= \
484 K_NULL, C_NULL, M_NULL, \
485 DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
486 DH_RSA_EXPORT, RSA_EXPORT, \
487 DH_anon, ECDH_anon, \
488 RC4_128, RC4_40, DES_CBC, DES40_CBC
489
490 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
491 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
492 #
493 # In traditional SSL/TLS/DTLS connections where finite field DHE parameters
494 # negotiation mechanism is not used, the server offers the client group
495 # parameters, base generator g and prime modulus p, for DHE key exchange.
496 # It is recommended to use dynamic group parameters. This property defines
497 # a mechanism that allows you to specify custom group parameters.
498 #
499 # The syntax of this property string is described as this Java BNF-style:
500 # DefaultDHEParameters:
501 # DefinedDHEParameters { , DefinedDHEParameters }
502 #
503 # DefinedDHEParameters:
504 # "{" DHEPrimeModulus , DHEBaseGenerator "}"
505 #
506 # DHEPrimeModulus:
507 # HexadecimalDigits
508 #
509 # DHEBaseGenerator:
510 # HexadecimalDigits
511 #
512 # HexadecimalDigits:
513 # HexadecimalDigit { HexadecimalDigit }
514 #
515 # HexadecimalDigit: one of
516 # 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
517 #
518 # Whitespace characters are ignored.
519 #
520 # The "DefinedDHEParameters" defines the custom group parameters, prime
521 # modulus p and base generator g, for a particular size of prime modulus p.
522 # The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
523 # "DHEBaseGenerator" defines the hexadecimal base generator g of a group
524 # parameter. It is recommended to use safe primes for the custom group
525 # parameters.
526 #
527 # If this property is not defined or the value is empty, the underlying JSSE
528 # provider's default group parameter is used for each connection.
529 #
530 # If the property value does not follow the grammar, or a particular group
531 # parameter is not valid, the connection will fall back and use the
532 # underlying JSSE provider's default group parameter.
533 #
534 # Note: This property is currently used by OpenJDK's JSSE implementation. It
535 # is not guaranteed to be examined and used by other implementations.
536 #
537 # Example:
538 # jdk.tls.server.defaultDHEParameters=
539 # { \
540 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
541 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
542 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
543 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
544 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
545 # FFFFFFFF FFFFFFFF, 2}