#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
#    security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
#    security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enable use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
#   -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# Class to instantiate as the system scope:
#
system.scope=sun.security.provider.IdentityDatabase

#
# Comma-separated list of package prefixes. A package name that starts with
# or equals one of these strings will cause a security exception to be
# thrown when passed to checkPackageAccess unless the corresponding
# RuntimePermission ("accessClassInPackage."+package) has been granted.
# Each entry must end with a comma before the line continuation; a missing
# comma joins it with the next entry into a single prefix that matches no
# real package, leaving both packages unprotected.
package.access=sun.,\
               com.sun.xml.internal.,\
               com.sun.imageio.,\
               com.sun.istack.internal.,\
               com.sun.jmx.,\
               com.sun.proxy.,\
               com.sun.corba.se.,\
               com.sun.script.,\
               com.sun.org.apache.bcel.internal.,\
               com.sun.org.apache.regexp.internal.,\
               com.sun.org.apache.xerces.internal.,\
               com.sun.org.apache.xpath.internal.,\
               com.sun.org.apache.xalan.internal.extensions.,\
               com.sun.org.apache.xalan.internal.lib.,\
               com.sun.org.apache.xalan.internal.res.,\
               com.sun.org.apache.xalan.internal.templates.,\
               com.sun.org.apache.xalan.internal.utils.,\
               com.sun.org.apache.xalan.internal.xslt.,\
               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
               com.sun.org.apache.xalan.internal.xsltc.trax.,\
               com.sun.org.apache.xalan.internal.xsltc.util.,\
               com.sun.org.apache.xml.internal.res.,\
               com.sun.org.apache.xml.internal.serializer.utils.,\
               com.sun.org.apache.xml.internal.utils.,\
               com.sun.org.apache.xml.internal.security.,\
               com.sun.org.glassfish.,\
               com.sun.naming.internal.,\
               org.jcp.xml.dsig.internal.,\
               com.sun.java.accessibility.

#
# Comma-separated list of package prefixes. A package name that starts with
# or equals one of these strings will cause a security exception to be
# thrown when passed to checkPackageDefinition unless the corresponding
# RuntimePermission ("defineClassInPackage."+package) has been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#
package.definition=sun.,\
               com.sun.xml.internal.,\
               com.sun.imageio.,\
               com.sun.istack.internal.,\
               com.sun.jmx.,\
               com.sun.proxy.,\
               com.sun.corba.se.,\
               com.sun.script.,\
               com.sun.org.apache.bcel.internal.,\
               com.sun.org.apache.regexp.internal.,\
               com.sun.org.apache.xerces.internal.,\
               com.sun.org.apache.xpath.internal.,\
               com.sun.org.apache.xalan.internal.extensions.,\
               com.sun.org.apache.xalan.internal.lib.,\
               com.sun.org.apache.xalan.internal.res.,\
               com.sun.org.apache.xalan.internal.templates.,\
               com.sun.org.apache.xalan.internal.xslt.,\
               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
               com.sun.org.apache.xalan.internal.xsltc.trax.,\
               com.sun.org.apache.xalan.internal.xsltc.util.,\
               com.sun.org.apache.xml.internal.res.,\
               com.sun.org.apache.xml.internal.serializer.utils.,\
               com.sun.org.apache.xml.internal.utils.,\
               com.sun.org.apache.xml.internal.security.,\
               com.sun.org.glassfish.,\
               com.sun.naming.internal.,\
               org.jcp.xml.dsig.internal.,\
               com.sun.java.accessibility.

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
#   ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
#   ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Default ephemeral port ranges (operating system specific)
# used by java.net.SocketPermission to interpret the meaning of the special
# port value zero, as in the following example:
#
#   SocketPermission("localhost:0" , "listen");
#
# These can be overridden by the system properties:
#
#   jdk.net.ephemeralPortRange.low and
#   jdk.net.ephemeralPortRange.high
#
# respectively.
#
network.ephemeralPortRange.low=49152
network.ephemeralPortRange.high=65535

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
#   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
#   ocsp.responderCertSerialNumber=2A:FF:00

# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation. For example, "MD2" is
# generally no longer considered to be a secure hash algorithm. This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described in this Java
# BNF-style grammar:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names. Matching
# is performed using a case-insensitive sub-element matching rule. (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation. For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense for key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including
# protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
#
# In some environments, a certain algorithm may be undesirable but it
# cannot be disabled because of its use in legacy applications. Legacy
# algorithms may still be supported, but applications should not use them,
# as the security strength of legacy algorithms is usually not strong enough
# in practice.
#
# During SSL/TLS security parameters negotiation, legacy algorithms will
# not be negotiated unless there are no other candidates.
#
# The syntax of the legacy algorithm string is described in this Java
# BNF-style grammar:
#   LegacyAlgorithms:
#       " LegacyAlgorithm { , LegacyAlgorithm } "
#
#   LegacyAlgorithm:
#       AlgorithmName (standard JSSE algorithm name)
#
# See the specification of security property "jdk.certpath.disabledAlgorithms"
# for the syntax and description of the "AlgorithmName" notation.
#
# Per SSL/TLS specifications, cipher suites have the form:
#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
# or
#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
#
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
# algorithm for HMAC.
#
# The LegacyAlgorithm can be one of the following standard algorithm names:
#   1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
#   2. JSSE key exchange algorithm name, e.g., RSA
#   3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
#   4. JSSE message digest algorithm name, e.g., SHA
#
# See SSL/TLS specifications and "Java Cryptography Architecture Standard
# Algorithm Name Documentation" for information about the algorithm names.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
# There is no guarantee the property will continue to exist or be of the
# same syntax in future releases.
#
# Example:
#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
#
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
#
# In traditional SSL/TLS/DTLS connections where the finite field DHE
# parameters negotiation mechanism is not used, the server offers the client
# group parameters, base generator g and prime modulus p, for DHE key
# exchange. It is recommended to use dynamic group parameters. This property
# defines a mechanism that allows you to specify custom group parameters.
#
# The syntax of this property string is described in this Java BNF-style
# grammar:
#   DefaultDHEParameters:
#       DefinedDHEParameters { , DefinedDHEParameters }
#
#   DefinedDHEParameters:
#       "{" DHEPrimeModulus , DHEBaseGenerator "}"
#
#   DHEPrimeModulus:
#       HexadecimalDigits
#
#   DHEBaseGenerator:
#       HexadecimalDigits
#
#   HexadecimalDigits:
#       HexadecimalDigit { HexadecimalDigit }
#
#   HexadecimalDigit: one of
#       0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
#
# Whitespace characters are ignored.
#
# The "DefinedDHEParameters" defines the custom group parameters, prime
# modulus p and base generator g, for a particular size of prime modulus p.
# The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
# "DHEBaseGenerator" defines the hexadecimal base generator g of a group
# parameter. It is recommended to use safe primes for the custom group
# parameters.
#
# If this property is not defined or the value is empty, the underlying JSSE
# provider's default group parameter is used for each connection.
#
# If the property value does not follow the grammar, or a particular group
# parameter is not valid, the connection will fall back and use the
# underlying JSSE provider's default group parameter.
#
# Note: This property is currently used by OpenJDK's JSSE implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.server.defaultDHEParameters=
#       { \
#       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
#       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
#       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
#       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
#       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
#       FFFFFFFF FFFFFFFF, 2}
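# Added example (Python, not JDK code): a stand-alone reimplementation of the
# "DisabledAlgorithms" grammar and the case-insensitive sub-element matching
# rule documented for jdk.certpath.disabledAlgorithms above, applied as well to
# the jdk.tls.disabledAlgorithms and jdk.tls.legacyAlgorithms values, so that a
# java.security file can be audited offline. Assumptions of this example: an
# algorithm name is split into sub-elements at "with", "and" and "/"
# (SHA1withECDSA -> SHA1, ECDSA); a keySize constraint is judged only when a
# key size is supplied; SAMPLE is a constructed excerpt, not a real file.

```python
import operator
import re
from dataclasses import dataclass
from typing import List, Optional

# Operators of a KeySizeConstraint, applied as: key_size <op> DecimalInteger
OPERATORS = {"<=": operator.le, "<": operator.lt, "==": operator.eq,
             "!=": operator.ne, ">=": operator.ge, ">": operator.gt}

# DisabledAlgorithm: AlgorithmName [keySize Operator DecimalInteger]
ENTRY_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-/]+)"
    r"(?:\s+keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<size>[0-9]+))?$")
# Assumed decomposition points for sub-element matching (see lead-in).
SPLIT_RE = re.compile(r"with|and|/")


def sub_elements(algorithm: str) -> set:
    """Lower-cased sub-elements of an algorithm name, plus the whole name."""
    name = algorithm.lower()
    return {p for p in SPLIT_RE.split(name) if p} | {name}


@dataclass(frozen=True)
class DisabledAlgorithm:
    name: str                       # AlgorithmName as written in the property
    op: Optional[str] = None        # Operator of the KeySizeConstraint, if any
    key_size: Optional[int] = None  # DecimalInteger (bits) of the constraint

    def matches(self, algorithm: str, key_size: Optional[int]) -> bool:
        """True if this entry rejects `algorithm` with the given key size."""
        if self.name.lower() not in sub_elements(algorithm):
            return False            # "DSA" does not match "SHA1withECDSA"
        if self.op is None:
            return True             # bare name: rejected whatever the size
        if key_size is None:
            return False            # size constraint, but no key size known
        return OPERATORS[self.op](key_size, self.key_size)


def parse_disabled_algorithms(value: str) -> List[DisabledAlgorithm]:
    """Parse "DisabledAlgorithm { , DisabledAlgorithm }"; raise on bad syntax."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed disabled-algorithm entry: {raw!r}")
        size = m.group("size")
        entries.append(DisabledAlgorithm(m.group("name"), m.group("op"),
                                         int(size) if size else None))
    return entries


def is_disabled(value: str, algorithm: str, key_size: Optional[int] = None) -> bool:
    """Would `algorithm` (with `key_size` bits) be rejected under `value`?"""
    return any(e.matches(algorithm, key_size)
               for e in parse_disabled_algorithms(value))


def read_property(text: str, key: str) -> Optional[str]:
    """Minimal java.security reader: '#' comment lines, '\\' continuations."""
    pending, value = "", None
    for line in text.splitlines():
        if not pending and line.lstrip().startswith("#"):
            continue
        # continuation lines lose their leading blanks, as in Properties.load
        piece = line.strip() if pending else line.rstrip()
        if piece.endswith("\\"):
            pending += piece[:-1]
            continue
        logical, pending = pending + piece, ""
        k, sep, v = logical.partition("=")
        if sep and k.strip() == key:
            value = v.strip()       # last definition wins
    return value


# Constructed excerpt in the format of the file above (not a real file).
SAMPLE = """\
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
jdk.tls.legacyAlgorithms= \\
    K_NULL, C_NULL, M_NULL, \\
    DH_anon, ECDH_anon, \\
    RC4_128, RC4_40, DES_CBC, DES40_CBC
"""

if __name__ == "__main__":
    certpath = read_property(SAMPLE, "jdk.certpath.disabledAlgorithms")
    for alg, bits in (("MD5withRSA", 2048), ("SHA256withRSA", 2048), ("SHA256withRSA", 512)):
        verdict = "REJECTED" if is_disabled(certpath, alg, bits) else "accepted"
        print(f"{alg:>14} {bits:>5} bits -> {verdict}")
```

# Usage: run the file, or import it and call is_disabled(value, algorithm,
# key_size) with the value read from a real java.security file. read_property
# resolves the '\' continuation lines, so the multi-line
# jdk.tls.legacyAlgorithms value parses as one comma-separated list.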
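# Added example (Python, not JDK code): a parser for the
# jdk.tls.server.defaultDHEParameters grammar above, followed by the checks an
# auditor would run on each { p, g } group before deploying it, since the
# runtime silently falls back to the provider's default group when a value is
# malformed or invalid. The checks are this example's own choice, not the
# page's: p must be a probable safe prime, 1 < g < p-1, and g must generate
# the order-q subgroup (g^q = 1 mod p with q = (p-1)/2). The min_bits default
# of 768 mirrors the "DH keySize < 768" entry of jdk.tls.disabledAlgorithms.
# PAGE_EXAMPLE is the page's own example value (the RFC 2409 1024-bit MODP
# group with generator 2) with its '\' line continuations already resolved.

```python
import random
import re
from typing import List, Tuple

# DefinedDHEParameters: "{" HexadecimalDigits , HexadecimalDigits "}"
GROUP_RE = re.compile(r"\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\}")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed-seed base sequence, so runs are repeatable."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0x5AFE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a witness of compositeness was found
    return True


def parse_default_dhe_parameters(value: str) -> List[Tuple[int, int]]:
    """DefaultDHEParameters: DefinedDHEParameters { , DefinedDHEParameters }."""
    compact = re.sub(r"\s+", "", value)   # whitespace characters are ignored
    groups, pos = [], 0
    while pos < len(compact):
        m = GROUP_RE.match(compact, pos)
        if m is None:
            raise ValueError(f"value does not follow the grammar at offset {pos}")
        groups.append((int(m.group(1), 16), int(m.group(2), 16)))
        pos = m.end()
        if pos < len(compact):
            if compact[pos] != ",":
                raise ValueError(f"expected ',' between groups at offset {pos}")
            pos += 1
    if not groups:
        raise ValueError("no DefinedDHEParameters found")
    return groups


def validate_group(p: int, g: int) -> Tuple[bool, str]:
    """Mathematical sanity of one (p, g) pair; returns (ok, reason)."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "p is not a safe prime ((p-1)/2 is composite)"
    if not 1 < g < p - 1:
        return False, "g is outside 1 < g < p-1"
    if pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    return True, "ok"


def check_default_dhe_parameters(value: str, min_bits: int = 768) -> List[Tuple[int, str]]:
    """(prime size in bits, verdict) for every group in the property value."""
    report = []
    for p, g in parse_default_dhe_parameters(value):
        bits = p.bit_length()
        if bits < min_bits:
            report.append((bits, f"p smaller than {min_bits} bits"))
        else:
            report.append((bits, validate_group(p, g)[1]))
    return report


# The page's example value with the '\' continuations resolved (hex digits
# are those of the RFC 2409 1024-bit MODP group; generator 2).
PAGE_EXAMPLE = (
    "{ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 "
    "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD "
    "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 "
    "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED "
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 "
    "FFFFFFFF FFFFFFFF, 2}"
)

if __name__ == "__main__":
    for bits, verdict in check_default_dhe_parameters(PAGE_EXAMPLE):
        print(f"{bits}-bit group: {verdict}")
```

# Usage note: pass the property value exactly as Properties.load would return
# it (continuations joined); the small groups in the test, such as {17, 2}
# (p = 23, g = 2), only exercise the arithmetic and are far below any usable
# size, which is why min_bits is lowered for them.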