1 # 2 # This is the "master security properties file". 3 # 4 # In this file, various security properties are set for use by 5 # java.security classes. This is where users can statically register 6 # Cryptography Package Providers ("providers" for short). The term 7 # "provider" refers to a package or set of packages that supply a 8 # concrete implementation of a subset of the cryptography aspects of 9 # the Java Security API. A provider may, for example, implement one or 10 # more digital signature algorithms or message digest algorithms. 11 # 12 # Each provider must implement a subclass of the Provider class. 13 # To register a provider in this master security properties file, 14 # specify the Provider subclass name and priority in the format 15 # 16 # security.provider.<n>=<className> 17 # 18 # This declares a provider, and specifies its preference 19 # order n. The preference order is the order in which providers are 20 # searched for requested algorithms (when no specific provider is 21 # requested). The order is 1-based; 1 is the most preferred, followed 22 # by 2, and so on. 23 # 24 # <className> must specify the subclass of the Provider class whose 25 # constructor sets the values of various properties that are required 26 # for the Java Security API to look up the algorithms or other 27 # facilities implemented by the provider. 28 # 29 # There must be at least one provider specification in java.security. 30 # There is a default provider that comes standard with the JDK. It 31 # is called the "SUN" provider, and its Provider subclass 32 # named Sun appears in the sun.security.provider package. Thus, the 33 # "SUN" provider is registered via the following: 34 # 35 # security.provider.1=sun.security.provider.Sun 36 # 37 # (The number 1 is used for the default provider.) 38 # 39 # Note: Providers can be dynamically registered instead by calls to 40 # either the addProvider or insertProviderAt method in the Security 41 # class. 42 43 # 44 # List of providers and their preference orders (see above): 45 # 46 security.provider.1=sun.security.provider.Sun 47 security.provider.2=sun.security.rsa.SunRsaSign 48 security.provider.3=sun.security.ec.SunEC 49 security.provider.4=com.sun.net.ssl.internal.ssl.Provider 50 security.provider.5=com.sun.crypto.provider.SunJCE 51 security.provider.6=sun.security.jgss.SunProvider 52 security.provider.7=com.sun.security.sasl.Provider 53 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI 54 security.provider.9=sun.security.smartcardio.SunPCSC 55 security.provider.10=sun.security.mscapi.SunMSCAPI 56 57 # 58 # Select the source of seed data for SecureRandom. By default an 59 # attempt is made to use the entropy gathering device specified by 60 # the securerandom.source property. If an exception occurs when 61 # accessing the URL then the traditional system/thread activity 62 # algorithm is used. 63 # 64 # On Solaris and Linux systems, if file:/dev/urandom is specified and it 65 # exists, a special SecureRandom implementation is activated by default. 66 # This "NativePRNG" reads random bytes directly from /dev/urandom. 67 # 68 # On Windows systems, the URLs file:/dev/random and file:/dev/urandom 69 # enables use of the Microsoft CryptoAPI seed functionality. 70 # 71 securerandom.source=file:/dev/urandom 72 # 73 # The entropy gathering device is described as a URL and can also 74 # be specified with the system property "java.security.egd". For example, 75 # -Djava.security.egd=file:/dev/urandom 76 # Specifying this system property will override the securerandom.source 77 # setting. 78 79 # 80 # Class to instantiate as the javax.security.auth.login.Configuration 81 # provider. 82 # 83 login.configuration.provider=com.sun.security.auth.login.ConfigFile 84 85 # 86 # Default login configuration file 87 # 88 #login.config.url.1=file:${user.home}/.java.login.config 89 90 # 91 # Class to instantiate as the system Policy. This is the name of the class 92 # that will be used as the Policy object. 93 # 94 policy.provider=sun.security.provider.PolicyFile 95 96 # The default is to have a single system-wide policy file, 97 # and a policy file in the user's home directory. 98 policy.url.1=file:${java.home}/lib/security/java.policy 99 policy.url.2=file:${user.home}/.java.policy 100 101 # whether or not we expand properties in the policy file 102 # if this is set to false, properties (${...}) will not be expanded in policy 103 # files. 104 policy.expandProperties=true 105 106 # whether or not we allow an extra policy to be passed on the command line 107 # with -Djava.security.policy=somefile. Comment out this line to disable 108 # this feature. 109 policy.allowSystemProperty=true 110 111 # whether or not we look into the IdentityScope for trusted Identities 112 # when encountering a 1.1 signed JAR file. If the identity is found 113 # and is trusted, we grant it AllPermission. 114 policy.ignoreIdentityScope=false 115 116 # 117 # Default keystore type. 118 # 119 keystore.type=jks 120 121 # 122 # List of comma-separated packages that start with or equal this string 123 # will cause a security exception to be thrown when 124 # passed to checkPackageAccess unless the 125 # corresponding RuntimePermission ("accessClassInPackage."+package) has 126 # been granted. 127 package.access=sun.,\ 128 com.sun.corba.se.impl.,\ 129 com.sun.xml.internal.,\ 130 com.sun.imageio.,\ 131 com.sun.istack.internal.,\ 132 com.sun.jmx.,\ 133 com.sun.proxy.,\ 134 com.sun.org.apache.bcel.internal.,\ 135 com.sun.org.apache.regexp.internal.,\ 136 com.sun.org.apache.xerces.internal.,\ 137 com.sun.org.apache.xpath.internal.,\ 138 com.sun.org.apache.xalan.internal.extensions.,\ 139 com.sun.org.apache.xalan.internal.lib.,\ 140 com.sun.org.apache.xalan.internal.res.,\ 141 com.sun.org.apache.xalan.internal.templates.,\ 142 com.sun.org.apache.xalan.internal.utils.,\ 143 com.sun.org.apache.xalan.internal.xslt.,\ 144 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ 145 com.sun.org.apache.xalan.internal.xsltc.compiler.,\ 146 com.sun.org.apache.xalan.internal.xsltc.trax.,\ 147 com.sun.org.apache.xalan.internal.xsltc.util.,\ 148 com.sun.org.apache.xml.internal.res.,\ 149 com.sun.org.apache.xml.internal.serializer.utils.,\ 150 com.sun.org.apache.xml.internal.utils.,\ 151 com.sun.org.apache.xml.internal.security.,\ 152 com.sun.org.glassfish.,\ 153 org.jcp.xml.dsig.internal.,\ 154 com.sun.java.accessibility.,\ 155 oracle.jrockit.jfr. 156 157 # 158 # List of comma-separated packages that start with or equal this string 159 # will cause a security exception to be thrown when 160 # passed to checkPackageDefinition unless the 161 # corresponding RuntimePermission ("defineClassInPackage."+package) has 162 # been granted. 163 # 164 # by default, none of the class loaders supplied with the JDK call 165 # checkPackageDefinition. 166 # 167 package.definition=sun.,\ 168 com.sun.corba.se.impl.,\ 169 com.sun.xml.internal.,\ 170 com.sun.imageio.,\ 171 com.sun.istack.internal.,\ 172 com.sun.jmx.,\ 173 com.sun.proxy.,\ 174 com.sun.org.apache.bcel.internal.,\ 175 com.sun.org.apache.regexp.internal.,\ 176 com.sun.org.apache.xerces.internal.,\ 177 com.sun.org.apache.xpath.internal.,\ 178 com.sun.org.apache.xalan.internal.extensions.,\ 179 com.sun.org.apache.xalan.internal.lib.,\ 180 com.sun.org.apache.xalan.internal.res.,\ 181 com.sun.org.apache.xalan.internal.templates.,\ 182 com.sun.org.apache.xalan.internal.utils.,\ 183 com.sun.org.apache.xalan.internal.xslt.,\ 184 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ 185 com.sun.org.apache.xalan.internal.xsltc.compiler.,\ 186 com.sun.org.apache.xalan.internal.xsltc.trax.,\ 187 com.sun.org.apache.xalan.internal.xsltc.util.,\ 188 com.sun.org.apache.xml.internal.res.,\ 189 com.sun.org.apache.xml.internal.serializer.utils.,\ 190 com.sun.org.apache.xml.internal.utils.,\ 191 com.sun.org.apache.xml.internal.security.,\ 192 com.sun.org.glassfish.,\ 193 org.jcp.xml.dsig.internal.,\ 194 com.sun.java.accessibility.,\ 195 oracle.jrockit.jfr. 196 197 # 198 # Determines whether this properties file can be appended to 199 # or overridden on the command line via -Djava.security.properties 200 # 201 security.overridePropertiesFile=true 202 203 # 204 # Determines the default key and trust manager factory algorithms for 205 # the javax.net.ssl package. 206 # 207 ssl.KeyManagerFactory.algorithm=SunX509 208 ssl.TrustManagerFactory.algorithm=PKIX 209 210 # 211 # The Java-level namelookup cache policy for successful lookups: 212 # 213 # any negative value: caching forever 214 # any positive value: the number of seconds to cache an address for 215 # zero: do not cache 216 # 217 # default value is forever (FOREVER). For security reasons, this 218 # caching is made forever when a security manager is set. When a security 219 # manager is not set, the default behavior in this implementation 220 # is to cache for 30 seconds. 221 # 222 # NOTE: setting this to anything other than the default value can have 223 # serious security implications. Do not set it unless 224 # you are sure you are not exposed to DNS spoofing attack. 225 # 226 #networkaddress.cache.ttl=-1 227 228 # The Java-level namelookup cache policy for failed lookups: 229 # 230 # any negative value: cache forever 231 # any positive value: the number of seconds to cache negative lookup results 232 # zero: do not cache 233 # 234 # In some Microsoft Windows networking environments that employ 235 # the WINS name service in addition to DNS, name service lookups 236 # that fail may take a noticeably long time to return (approx. 5 seconds). 237 # For this reason the default caching policy is to maintain these 238 # results for 10 seconds. 239 # 240 # 241 networkaddress.cache.negative.ttl=10 242 243 # 244 # Properties to configure OCSP for certificate revocation checking 245 # 246 247 # Enable OCSP 248 # 249 # By default, OCSP is not used for certificate revocation checking. 250 # This property enables the use of OCSP when set to the value "true". 251 # 252 # NOTE: SocketPermission is required to connect to an OCSP responder. 253 # 254 # Example, 255 # ocsp.enable=true 256 257 # 258 # Location of the OCSP responder 259 # 260 # By default, the location of the OCSP responder is determined implicitly 261 # from the certificate being validated. This property explicitly specifies 262 # the location of the OCSP responder. The property is used when the 263 # Authority Information Access extension (defined in RFC 3280) is absent 264 # from the certificate or when it requires overriding. 265 # 266 # Example, 267 # ocsp.responderURL=http://ocsp.example.net:80 268 269 # 270 # Subject name of the OCSP responder's certificate 271 # 272 # By default, the certificate of the OCSP responder is that of the issuer 273 # of the certificate being validated. This property identifies the certificate 274 # of the OCSP responder when the default does not apply. Its value is a string 275 # distinguished name (defined in RFC 2253) which identifies a certificate in 276 # the set of certificates supplied during cert path validation. In cases where 277 # the subject name alone is not sufficient to uniquely identify the certificate 278 # then both the "ocsp.responderCertIssuerName" and 279 # "ocsp.responderCertSerialNumber" properties must be used instead. When this 280 # property is set then those two properties are ignored. 281 # 282 # Example, 283 # ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp" 284 285 # 286 # Issuer name of the OCSP responder's certificate 287 # 288 # By default, the certificate of the OCSP responder is that of the issuer 289 # of the certificate being validated. This property identifies the certificate 290 # of the OCSP responder when the default does not apply. Its value is a string 291 # distinguished name (defined in RFC 2253) which identifies a certificate in 292 # the set of certificates supplied during cert path validation. When this 293 # property is set then the "ocsp.responderCertSerialNumber" property must also 294 # be set. When the "ocsp.responderCertSubjectName" property is set then this 295 # property is ignored. 296 # 297 # Example, 298 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" 299 300 # 301 # Serial number of the OCSP responder's certificate 302 # 303 # By default, the certificate of the OCSP responder is that of the issuer 304 # of the certificate being validated. This property identifies the certificate 305 # of the OCSP responder when the default does not apply. Its value is a string 306 # of hexadecimal digits (colon or space separators may be present) which 307 # identifies a certificate in the set of certificates supplied during cert path 308 # validation. When this property is set then the "ocsp.responderCertIssuerName" 309 # property must also be set. When the "ocsp.responderCertSubjectName" property 310 # is set then this property is ignored. 311 # 312 # Example, 313 # ocsp.responderCertSerialNumber=2A:FF:00 314 315 # 316 # Policy for failed Kerberos KDC lookups: 317 # 318 # When a KDC is unavailable (network error, service failure, etc), it is 319 # put inside a blacklist and accessed less often for future requests. The 320 # value (case-insensitive) for this policy can be: 321 # 322 # tryLast 323 # KDCs in the blacklist are always tried after those not on the list. 324 # 325 # tryLess[:max_retries,timeout] 326 # KDCs in the blacklist are still tried by their order in the configuration, 327 # but with smaller max_retries and timeout values. max_retries and timeout 328 # are optional numerical parameters (default 1 and 5000, which means once 329 # and 5 seconds). Please notes that if any of the values defined here is 330 # more than what is defined in krb5.conf, it will be ignored. 331 # 332 # Whenever a KDC is detected as available, it is removed from the blacklist. 333 # The blacklist is reset when krb5.conf is reloaded. You can add 334 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is 335 # reloaded whenever a JAAS authentication is attempted. 336 # 337 # Example, 338 # krb5.kdc.bad.policy = tryLast 339 # krb5.kdc.bad.policy = tryLess:2,2000 340 krb5.kdc.bad.policy = tryLast 341 342 # Algorithm restrictions for certification path (CertPath) processing 343 # 344 # In some environments, certain algorithms or key lengths may be undesirable 345 # for certification path building and validation. For example, "MD2" is 346 # generally no longer considered to be a secure hash algorithm. This section 347 # describes the mechanism for disabling algorithms based on algorithm name 348 # and/or key length. This includes algorithms used in certificates, as well 349 # as revocation information such as CRLs and signed OCSP Responses. 350 # 351 # The syntax of the disabled algorithm string is described as this Java 352 # BNF-style: 353 # DisabledAlgorithms: 354 # " DisabledAlgorithm { , DisabledAlgorithm } " 355 # 356 # DisabledAlgorithm: 357 # AlgorithmName [Constraint] 358 # 359 # AlgorithmName: 360 # (see below) 361 # 362 # Constraint: 363 # KeySizeConstraint 364 # 365 # KeySizeConstraint: 366 # keySize Operator DecimalInteger 367 # 368 # Operator: 369 # <= | < | == | != | >= | > 370 # 371 # DecimalInteger: 372 # DecimalDigits 373 # 374 # DecimalDigits: 375 # DecimalDigit {DecimalDigit} 376 # 377 # DecimalDigit: one of 378 # 1 2 3 4 5 6 7 8 9 0 379 # 380 # The "AlgorithmName" is the standard algorithm name of the disabled 381 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name 382 # Documentation" for information about Standard Algorithm Names. Matching 383 # is performed using a case-insensitive sub-element matching rule. (For 384 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and 385 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a 386 # sub-element of the certificate algorithm name, the algorithm will be 387 # rejected during certification path building and validation. For example, 388 # the assertion algorithm name "DSA" will disable all certificate algorithms 389 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion 390 # will not disable algorithms related to "ECDSA". 391 # 392 # A "Constraint" provides further guidance for the algorithm being specified. 393 # The "KeySizeConstraint" requires a key of a valid size range if the 394 # "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the 395 # key size specified in number of bits. For example, "RSA keySize <= 1024" 396 # indicates that any RSA key with key size less than or equal to 1024 bits 397 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates 398 # that any RSA key with key size less than 1024 or greater than 2048 should 399 # be disabled. Note that the "KeySizeConstraint" only makes sense to key 400 # algorithms. 401 # 402 # Note: This property is currently used by Oracle's PKIX implementation. It 403 # is not guaranteed to be examined and used by other implementations. 404 # 405 # Example: 406 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 407 # 408 # 409 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 410 411 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 412 # (SSL/TLS) processing 413 # 414 # In some environments, certain algorithms or key lengths may be undesirable 415 # when using SSL/TLS. This section describes the mechanism for disabling 416 # algorithms during SSL/TLS security parameters negotiation, including cipher 417 # suites selection, peer authentication and key exchange mechanisms. 418 # 419 # For PKI-based peer authentication and key exchange mechanisms, this list 420 # of disabled algorithms will also be checked during certification path 421 # building and validation, including algorithms used in certificates, as 422 # well as revocation information such as CRLs and signed OCSP Responses. 423 # This is in addition to the jdk.certpath.disabledAlgorithms property above. 424 # 425 # See the specification of "jdk.certpath.disabledAlgorithms" for the 426 # syntax of the disabled algorithm string. 427 # 428 # Note: This property is currently used by Oracle's JSSE implementation. 429 # It is not guaranteed to be examined and used by other implementations. 430 # 431 # Example: 432 # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 433