1 #
2 # This is the "master security properties file".
3 #
4 # In this file, various security properties are set for use by
5 # java.security classes. This is where users can statically register
6 # Cryptography Package Providers ("providers" for short). The term
7 # "provider" refers to a package or set of packages that supply a
8 # concrete implementation of a subset of the cryptography aspects of
9 # the Java Security API. A provider may, for example, implement one or
10 # more digital signature algorithms or message digest algorithms.
11 #
12 # Each provider must implement a subclass of the Provider class.
13 # To register a provider in this master security properties file,
14 # specify the Provider subclass name and priority in the format
15 #
16 # security.provider.<n>=<className>
17 #
18 # This declares a provider, and specifies its preference
19 # order n. The preference order is the order in which providers are
20 # searched for requested algorithms (when no specific provider is
21 # requested). The order is 1-based; 1 is the most preferred, followed
22 # by 2, and so on.
23 #
24 # <className> must specify the subclass of the Provider class whose
25 # constructor sets the values of various properties that are required
26 # for the Java Security API to look up the algorithms or other
27 # facilities implemented by the provider.
28 #
29 # There must be at least one provider specification in java.security.
30 # There is a default provider that comes standard with the JDK. It
31 # is called the "SUN" provider, and its Provider subclass
32 # named Sun appears in the sun.security.provider package. Thus, the
33 # "SUN" provider is registered via the following:
34 #
35 # security.provider.1=sun.security.provider.Sun
36 #
37 # (The number 1 is used for the default provider.)
38 #
39 # Note: Providers can be dynamically registered instead by calls to
40 # either the addProvider or insertProviderAt method in the Security
41 # class.
42
43 #
44 # List of providers and their preference orders (see above):
45 #
46 security.provider.1=sun.security.provider.Sun
47 security.provider.2=sun.security.rsa.SunRsaSign
48 security.provider.3=sun.security.ec.SunEC
49 security.provider.4=com.sun.net.ssl.internal.ssl.Provider
50 security.provider.5=com.sun.crypto.provider.SunJCE
51 security.provider.6=sun.security.jgss.SunProvider
52 security.provider.7=com.sun.security.sasl.Provider
53 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
54 security.provider.9=sun.security.smartcardio.SunPCSC
55
56 #
57 # Select the source of seed data for SecureRandom. By default an
58 # attempt is made to use the entropy gathering device specified by
59 # the securerandom.source property. If an exception occurs when
60 # accessing the URL then the traditional system/thread activity
61 # algorithm is used.
62 #
63 # On Solaris and Linux systems, if file:/dev/urandom is specified and it
64 # exists, a special SecureRandom implementation is activated by default.
65 # This "NativePRNG" reads random bytes directly from /dev/urandom.
66 #
67 # On Windows systems, the URLs file:/dev/random and file:/dev/urandom
68 # enables use of the Microsoft CryptoAPI seed functionality.
69 #
70 securerandom.source=file:/dev/urandom
71 #
72 # The entropy gathering device is described as a URL and can also
73 # be specified with the system property "java.security.egd". For example,
74 # -Djava.security.egd=file:/dev/urandom
75 # Specifying this system property will override the securerandom.source
76 # setting.
77
78 #
79 # Class to instantiate as the javax.security.auth.login.Configuration
80 # provider.
81 #
82 login.configuration.provider=com.sun.security.auth.login.ConfigFile
83
84 #
85 # Default login configuration file
86 #
87 #login.config.url.1=file:${user.home}/.java.login.config
88
89 #
90 # Class to instantiate as the system Policy. This is the name of the class
91 # that will be used as the Policy object.
92 #
93 policy.provider=sun.security.provider.PolicyFile
94
95 # The default is to have a single system-wide policy file,
96 # and a policy file in the user's home directory.
97 policy.url.1=file:${java.home}/lib/security/java.policy
98 policy.url.2=file:${user.home}/.java.policy
99
100 # whether or not we expand properties in the policy file
101 # if this is set to false, properties (${...}) will not be expanded in policy
102 # files.
103 policy.expandProperties=true
104
105 # whether or not we allow an extra policy to be passed on the command line
106 # with -Djava.security.policy=somefile. Comment out this line to disable
107 # this feature.
108 policy.allowSystemProperty=true
109
110 # whether or not we look into the IdentityScope for trusted Identities
111 # when encountering a 1.1 signed JAR file. If the identity is found
112 # and is trusted, we grant it AllPermission.
113 policy.ignoreIdentityScope=false
114
115 #
116 # Default keystore type.
117 #
118 keystore.type=jks
119
120 #
121 # List of comma-separated packages that start with or equal this string
122 # will cause a security exception to be thrown when
123 # passed to checkPackageAccess unless the
124 # corresponding RuntimePermission ("accessClassInPackage."+package) has
125 # been granted.
126 package.access=sun.,\
127 com.sun.corba.se.impl.,\
128 com.sun.xml.internal.,\
129 com.sun.imageio.,\
130 com.sun.istack.internal.,\
131 com.sun.jmx.,\
132 com.sun.proxy.,\
133 com.sun.org.apache.bcel.internal.,\
134 com.sun.org.apache.regexp.internal.,\
135 com.sun.org.apache.xerces.internal.,\
136 com.sun.org.apache.xpath.internal.,\
137 com.sun.org.apache.xalan.internal.extensions.,\
138 com.sun.org.apache.xalan.internal.lib.,\
139 com.sun.org.apache.xalan.internal.res.,\
140 com.sun.org.apache.xalan.internal.templates.,\
141 com.sun.org.apache.xalan.internal.utils.,\
142 com.sun.org.apache.xalan.internal.xslt.,\
143 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
144 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
145 com.sun.org.apache.xalan.internal.xsltc.trax.,\
146 com.sun.org.apache.xalan.internal.xsltc.util.,\
147 com.sun.org.apache.xml.internal.res.,\
148 com.sun.org.apache.xml.internal.serializer.utils.,\
149 com.sun.org.apache.xml.internal.utils.,\
150 com.sun.org.apache.xml.internal.security.,\
151 com.sun.org.glassfish.,\
152 org.jcp.xml.dsig.internal.,\
153 oracle.jrockit.jfr.
154 #
155 # List of comma-separated packages that start with or equal this string
156 # will cause a security exception to be thrown when
157 # passed to checkPackageDefinition unless the
158 # corresponding RuntimePermission ("defineClassInPackage."+package) has
159 # been granted.
160 #
161 # by default, none of the class loaders supplied with the JDK call
162 # checkPackageDefinition.
163 #
164 package.definition=sun.,\
165 com.sun.corba.se.impl.,\
166 com.sun.xml.internal.,\
167 com.sun.imageio.,\
168 com.sun.istack.internal.,\
169 com.sun.jmx.,\
170 com.sun.proxy.,\
171 com.sun.org.apache.bcel.internal.,\
172 com.sun.org.apache.regexp.internal.,\
173 com.sun.org.apache.xerces.internal.,\
174 com.sun.org.apache.xpath.internal.,\
175 com.sun.org.apache.xalan.internal.extensions.,\
176 com.sun.org.apache.xalan.internal.lib.,\
177 com.sun.org.apache.xalan.internal.res.,\
178 com.sun.org.apache.xalan.internal.templates.,\
179 com.sun.org.apache.xalan.internal.utils.,\
180 com.sun.org.apache.xalan.internal.xslt.,\
181 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
182 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
183 com.sun.org.apache.xalan.internal.xsltc.trax.,\
184 com.sun.org.apache.xalan.internal.xsltc.util.,\
185 com.sun.org.apache.xml.internal.res.,\
186 com.sun.org.apache.xml.internal.serializer.utils.,\
187 com.sun.org.apache.xml.internal.utils.,\
188 com.sun.org.apache.xml.internal.security.,\
189 com.sun.org.glassfish.,\
190 org.jcp.xml.dsig.internal.,\
191 oracle.jrockit.jfr.
192 #
193 # Determines whether this properties file can be appended to
194 # or overridden on the command line via -Djava.security.properties
195 #
196 security.overridePropertiesFile=true
197
198 #
199 # Determines the default key and trust manager factory algorithms for
200 # the javax.net.ssl package.
201 #
202 ssl.KeyManagerFactory.algorithm=SunX509
203 ssl.TrustManagerFactory.algorithm=PKIX
204
205 #
206 # The Java-level namelookup cache policy for successful lookups:
207 #
208 # any negative value: caching forever
209 # any positive value: the number of seconds to cache an address for
210 # zero: do not cache
211 #
212 # default value is forever (FOREVER). For security reasons, this
213 # caching is made forever when a security manager is set. When a security
214 # manager is not set, the default behavior in this implementation
215 # is to cache for 30 seconds.
216 #
217 # NOTE: setting this to anything other than the default value can have
218 # serious security implications. Do not set it unless
219 # you are sure you are not exposed to DNS spoofing attack.
220 #
221 #networkaddress.cache.ttl=-1
222
223 # The Java-level namelookup cache policy for failed lookups:
224 #
225 # any negative value: cache forever
226 # any positive value: the number of seconds to cache negative lookup results
227 # zero: do not cache
228 #
229 # In some Microsoft Windows networking environments that employ
230 # the WINS name service in addition to DNS, name service lookups
231 # that fail may take a noticeably long time to return (approx. 5 seconds).
232 # For this reason the default caching policy is to maintain these
233 # results for 10 seconds.
234 #
235 #
236 networkaddress.cache.negative.ttl=10
237
238 #
239 # Properties to configure OCSP for certificate revocation checking
240 #
241
242 # Enable OCSP
243 #
244 # By default, OCSP is not used for certificate revocation checking.
245 # This property enables the use of OCSP when set to the value "true".
246 #
247 # NOTE: SocketPermission is required to connect to an OCSP responder.
248 #
249 # Example,
250 # ocsp.enable=true
251
252 #
253 # Location of the OCSP responder
254 #
255 # By default, the location of the OCSP responder is determined implicitly
256 # from the certificate being validated. This property explicitly specifies
257 # the location of the OCSP responder. The property is used when the
258 # Authority Information Access extension (defined in RFC 3280) is absent
259 # from the certificate or when it requires overriding.
260 #
261 # Example,
262 # ocsp.responderURL=http://ocsp.example.net:80
263
264 #
265 # Subject name of the OCSP responder's certificate
266 #
267 # By default, the certificate of the OCSP responder is that of the issuer
268 # of the certificate being validated. This property identifies the certificate
269 # of the OCSP responder when the default does not apply. Its value is a string
270 # distinguished name (defined in RFC 2253) which identifies a certificate in
271 # the set of certificates supplied during cert path validation. In cases where
272 # the subject name alone is not sufficient to uniquely identify the certificate
273 # then both the "ocsp.responderCertIssuerName" and
274 # "ocsp.responderCertSerialNumber" properties must be used instead. When this
275 # property is set then those two properties are ignored.
276 #
277 # Example,
278 # ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
279
280 #
281 # Issuer name of the OCSP responder's certificate
282 #
283 # By default, the certificate of the OCSP responder is that of the issuer
284 # of the certificate being validated. This property identifies the certificate
285 # of the OCSP responder when the default does not apply. Its value is a string
286 # distinguished name (defined in RFC 2253) which identifies a certificate in
287 # the set of certificates supplied during cert path validation. When this
288 # property is set then the "ocsp.responderCertSerialNumber" property must also
289 # be set. When the "ocsp.responderCertSubjectName" property is set then this
290 # property is ignored.
291 #
292 # Example,
293 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
294
295 #
296 # Serial number of the OCSP responder's certificate
297 #
298 # By default, the certificate of the OCSP responder is that of the issuer
299 # of the certificate being validated. This property identifies the certificate
300 # of the OCSP responder when the default does not apply. Its value is a string
301 # of hexadecimal digits (colon or space separators may be present) which
302 # identifies a certificate in the set of certificates supplied during cert path
303 # validation. When this property is set then the "ocsp.responderCertIssuerName"
304 # property must also be set. When the "ocsp.responderCertSubjectName" property
305 # is set then this property is ignored.
306 #
307 # Example,
308 # ocsp.responderCertSerialNumber=2A:FF:00
309
310 #
311 # Policy for failed Kerberos KDC lookups:
312 #
313 # When a KDC is unavailable (network error, service failure, etc), it is
314 # put inside a blacklist and accessed less often for future requests. The
315 # value (case-insensitive) for this policy can be:
316 #
317 # tryLast
318 # KDCs in the blacklist are always tried after those not on the list.
319 #
320 # tryLess[:max_retries,timeout]
321 # KDCs in the blacklist are still tried by their order in the configuration,
322 # but with smaller max_retries and timeout values. max_retries and timeout
323 # are optional numerical parameters (default 1 and 5000, which means once
324 # and 5 seconds). Please notes that if any of the values defined here is
325 # more than what is defined in krb5.conf, it will be ignored.
326 #
327 # Whenever a KDC is detected as available, it is removed from the blacklist.
328 # The blacklist is reset when krb5.conf is reloaded. You can add
329 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
330 # reloaded whenever a JAAS authentication is attempted.
331 #
332 # Example,
333 # krb5.kdc.bad.policy = tryLast
334 # krb5.kdc.bad.policy = tryLess:2,2000
335 krb5.kdc.bad.policy = tryLast
336
337 # Algorithm restrictions for certification path (CertPath) processing
338 #
339 # In some environments, certain algorithms or key lengths may be undesirable
340 # for certification path building and validation. For example, "MD2" is
341 # generally no longer considered to be a secure hash algorithm. This section
342 # describes the mechanism for disabling algorithms based on algorithm name
343 # and/or key length. This includes algorithms used in certificates, as well
344 # as revocation information such as CRLs and signed OCSP Responses.
345 #
346 # The syntax of the disabled algorithm string is described as this Java
347 # BNF-style:
348 # DisabledAlgorithms:
349 # " DisabledAlgorithm { , DisabledAlgorithm } "
350 #
351 # DisabledAlgorithm:
352 # AlgorithmName [Constraint]
353 #
354 # AlgorithmName:
355 # (see below)
356 #
357 # Constraint:
358 # KeySizeConstraint
359 #
360 # KeySizeConstraint:
361 # keySize Operator DecimalInteger
362 #
363 # Operator:
364 # <= | < | == | != | >= | >
365 #
366 # DecimalInteger:
367 # DecimalDigits
368 #
369 # DecimalDigits:
370 # DecimalDigit {DecimalDigit}
371 #
372 # DecimalDigit: one of
373 # 1 2 3 4 5 6 7 8 9 0
374 #
375 # The "AlgorithmName" is the standard algorithm name of the disabled
376 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
377 # Documentation" for information about Standard Algorithm Names. Matching
378 # is performed using a case-insensitive sub-element matching rule. (For
379 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
380 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
381 # sub-element of the certificate algorithm name, the algorithm will be
382 # rejected during certification path building and validation. For example,
383 # the assertion algorithm name "DSA" will disable all certificate algorithms
384 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
385 # will not disable algorithms related to "ECDSA".
386 #
387 # A "Constraint" provides further guidance for the algorithm being specified.
388 # The "KeySizeConstraint" requires a key of a valid size range if the
389 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
390 # key size specified in number of bits. For example, "RSA keySize <= 1024"
391 # indicates that any RSA key with key size less than or equal to 1024 bits
392 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
393 # that any RSA key with key size less than 1024 or greater than 2048 should
394 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
395 # algorithms.
396 #
397 # Note: This property is currently used by Oracle's PKIX implementation. It
398 # is not guaranteed to be examined and used by other implementations.
399 #
400 # Example:
401 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
402 #
403 #
404 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
405
406 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
407 # (SSL/TLS) processing
408 #
409 # In some environments, certain algorithms or key lengths may be undesirable
410 # when using SSL/TLS. This section describes the mechanism for disabling
411 # algorithms during SSL/TLS security parameters negotiation, including cipher
412 # suites selection, peer authentication and key exchange mechanisms.
413 #
414 # For PKI-based peer authentication and key exchange mechanisms, this list
415 # of disabled algorithms will also be checked during certification path
416 # building and validation, including algorithms used in certificates, as
417 # well as revocation information such as CRLs and signed OCSP Responses.
418 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
419 #
420 # See the specification of "jdk.certpath.disabledAlgorithms" for the
421 # syntax of the disabled algorithm string.
422 #
423 # Note: This property is currently used by Oracle's JSSE implementation.
424 # It is not guaranteed to be examined and used by other implementations.
425 #
426 # Example:
427 # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
428