361 # property is ignored.
362 #
363 # Example,
364 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
365
366 #
367 # Serial number of the OCSP responder's certificate
368 #
369 # By default, the certificate of the OCSP responder is that of the issuer
370 # of the certificate being validated. This property identifies the certificate
371 # of the OCSP responder when the default does not apply. Its value is a string
372 # of hexadecimal digits (colon or space separators may be present) which
373 # identifies a certificate in the set of certificates supplied during cert path
374 # validation. When this property is set then the "ocsp.responderCertIssuerName"
375 # property must also be set. When the "ocsp.responderCertSubjectName" property
376 # is set then this property is ignored.
377 #
378 # Example,
379 # ocsp.responderCertSerialNumber=2A:FF:00
380
381 #
382 # Policy for failed Kerberos KDC lookups:
383 #
384 # When a KDC is unavailable (network error, service failure, etc), it is
385 # put inside a blacklist and accessed less often for future requests. The
386 # value (case-insensitive) for this policy can be:
387 #
388 # tryLast
389 # KDCs in the blacklist are always tried after those not on the list.
390 #
391 # tryLess[:max_retries,timeout]
392 # KDCs in the blacklist are still tried by their order in the configuration,
393 # but with smaller max_retries and timeout values. max_retries and timeout
394 # are optional numerical parameters (default 1 and 5000, which means once
395 # and 5 seconds). Please notes that if any of the values defined here is
396 # more than what is defined in krb5.conf, it will be ignored.
397 #
398 # Whenever a KDC is detected as available, it is removed from the blacklist.
399 # The blacklist is reset when krb5.conf is reloaded. You can add
400 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
401 # reloaded whenever a JAAS authentication is attempted.
402 #
403 # Example,
404 # krb5.kdc.bad.policy = tryLast
405 # krb5.kdc.bad.policy = tryLess:2,2000
406 krb5.kdc.bad.policy = tryLast
407
408 # Algorithm restrictions for certification path (CertPath) processing
409 #
410 # In some environments, certain algorithms or key lengths may be undesirable
411 # for certification path building and validation. For example, "MD2" is
412 # generally no longer considered to be a secure hash algorithm. This section
413 # describes the mechanism for disabling algorithms based on algorithm name
414 # and/or key length. This includes algorithms used in certificates, as well
415 # as revocation information such as CRLs and signed OCSP Responses.
416 #
417 # The syntax of the disabled algorithm string is described as this Java
418 # BNF-style:
419 # DisabledAlgorithms:
420 # " DisabledAlgorithm { , DisabledAlgorithm } "
421 #
422 # DisabledAlgorithm:
423 # AlgorithmName [Constraint]
424 #
425 # AlgorithmName:
426 # (see below)
427 #
|
361 # property is ignored.
362 #
363 # Example,
364 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
365
366 #
367 # Serial number of the OCSP responder's certificate
368 #
369 # By default, the certificate of the OCSP responder is that of the issuer
370 # of the certificate being validated. This property identifies the certificate
371 # of the OCSP responder when the default does not apply. Its value is a string
372 # of hexadecimal digits (colon or space separators may be present) which
373 # identifies a certificate in the set of certificates supplied during cert path
374 # validation. When this property is set then the "ocsp.responderCertIssuerName"
375 # property must also be set. When the "ocsp.responderCertSubjectName" property
376 # is set then this property is ignored.
377 #
378 # Example,
379 # ocsp.responderCertSerialNumber=2A:FF:00
380
381 # Algorithm restrictions for certification path (CertPath) processing
382 #
383 # In some environments, certain algorithms or key lengths may be undesirable
384 # for certification path building and validation. For example, "MD2" is
385 # generally no longer considered to be a secure hash algorithm. This section
386 # describes the mechanism for disabling algorithms based on algorithm name
387 # and/or key length. This includes algorithms used in certificates, as well
388 # as revocation information such as CRLs and signed OCSP Responses.
389 #
390 # The syntax of the disabled algorithm string is described as this Java
391 # BNF-style:
392 # DisabledAlgorithms:
393 # " DisabledAlgorithm { , DisabledAlgorithm } "
394 #
395 # DisabledAlgorithm:
396 # AlgorithmName [Constraint]
397 #
398 # AlgorithmName:
399 # (see below)
400 #
|
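Review bot: `krb5.kdc.bad.policy = tryLast` at line 406 of the first side is the only non-comment line in this view and it has no counterpart on the second side, so the two files do not configure the handling of unavailable KDCs in the same way. The change description should say whether that is intended and what the side without the property falls back to. The whole block at 381-406 of the first side ("Policy for failed Kerberos KDC lookups") is missing from the second side, which goes straight from the `ocsp.responderCertSerialNumber` example at 379 to "Algorithm restrictions for certification path (CertPath) processing" at 381. Everything else shown is identical apart from the line-number shift. If the block is kept, two comment fixes are worth making in the same change: "Please notes that" at 395 should read "Please note that", and the sentence at 395-396 ("if any of the values defined here is more than what is defined in krb5.conf, it will be ignored") should state whether only the oversized value or the whole `tryLess` setting is ignored.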