src/share/lib/security/java.security-linux

rev 10173 : 8014870: Faster KDC availability check in Kerberos


 361 # property is ignored.
 362 #
 363 # Example,
 364 #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
 365 
 366 #
 367 # Serial number of the OCSP responder's certificate
 368 #
 369 # By default, the certificate of the OCSP responder is that of the issuer
 370 # of the certificate being validated. This property identifies the certificate
 371 # of the OCSP responder when the default does not apply. Its value is a string
 372 # of hexadecimal digits (colon or space separators may be present) which
 373 # identifies a certificate in the set of certificates supplied during cert path
 374 # validation. When this property is set then the "ocsp.responderCertIssuerName"
 375 # property must also be set. When the "ocsp.responderCertSubjectName" property
 376 # is set then this property is ignored.
 377 #
 378 # Example,
 379 #   ocsp.responderCertSerialNumber=2A:FF:00
 380 
 381 #
 382 # Policy for failed Kerberos KDC lookups:
 383 #
 384 # When a KDC is unavailable (network error, service failure, etc), it is
 385 # put inside a blacklist and accessed less often for future requests. The
 386 # value (case-insensitive) for this policy can be:
 387 #
 388 # tryLast
 389 #    KDCs in the blacklist are always tried after those not on the list.
 390 #
 391 # tryLess[:max_retries,timeout]
 392 #    KDCs in the blacklist are still tried by their order in the configuration,
 393 #    but with smaller max_retries and timeout values. max_retries and timeout
 394 #    are optional numerical parameters (default 1 and 5000, which means once
 395 #    and 5 seconds). Please notes that if any of the values defined here is
 396 #    more than what is defined in krb5.conf, it will be ignored.
 397 #
 398 # Whenever a KDC is detected as available, it is removed from the blacklist.
 399 # The blacklist is reset when krb5.conf is reloaded. You can add
 400 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 401 # reloaded whenever a JAAS authentication is attempted.
 402 #
 403 # Example,
 404 #   krb5.kdc.bad.policy = tryLast
 405 #   krb5.kdc.bad.policy = tryLess:2,2000
 406 krb5.kdc.bad.policy = tryLast
 407 
 408 # Algorithm restrictions for certification path (CertPath) processing
 409 #
 410 # In some environments, certain algorithms or key lengths may be undesirable
 411 # for certification path building and validation.  For example, "MD2" is
 412 # generally no longer considered to be a secure hash algorithm.  This section
 413 # describes the mechanism for disabling algorithms based on algorithm name
 414 # and/or key length.  This includes algorithms used in certificates, as well
 415 # as revocation information such as CRLs and signed OCSP Responses.
 416 #
 417 # The syntax of the disabled algorithm string is described as this Java
 418 # BNF-style:
 419 #   DisabledAlgorithms:
 420 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 421 #
 422 #   DisabledAlgorithm:
 423 #       AlgorithmName [Constraint]
 424 #
 425 #   AlgorithmName:
 426 #       (see below)
 427 #
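Review bot: the tryLess paragraph (new lines 391-396) has a typo and an ambiguous precedence rule: "Please notes that" should read "Please note that", and "if any of the values defined here is more than what is defined in krb5.conf, it will be ignored" leaves unclear which value wins; suggest "If either value is larger than the corresponding setting in krb5.conf, the krb5.conf value is used instead." In the same paragraph, "default 1 and 5000, which means once and 5 seconds" should say whether max_retries=1 means one attempt or one retry after the first attempt. Separately, new line 406 sets `krb5.kdc.bad.policy = tryLast` as an active property rather than a commented example, so it applies to every deployment shipping this file; the comment above it should say that tryLast is the shipped default and describe the behaviour when the property is removed.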




 361 # property is ignored.
 362 #
 363 # Example,
 364 #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
 365 
 366 #
 367 # Serial number of the OCSP responder's certificate
 368 #
 369 # By default, the certificate of the OCSP responder is that of the issuer
 370 # of the certificate being validated. This property identifies the certificate
 371 # of the OCSP responder when the default does not apply. Its value is a string
 372 # of hexadecimal digits (colon or space separators may be present) which
 373 # identifies a certificate in the set of certificates supplied during cert path
 374 # validation. When this property is set then the "ocsp.responderCertIssuerName"
 375 # property must also be set. When the "ocsp.responderCertSubjectName" property
 376 # is set then this property is ignored.
 377 #
 378 # Example,
 379 #   ocsp.responderCertSerialNumber=2A:FF:00
 380 



























 381 # Algorithm restrictions for certification path (CertPath) processing
 382 #
 383 # In some environments, certain algorithms or key lengths may be undesirable
 384 # for certification path building and validation.  For example, "MD2" is
 385 # generally no longer considered to be a secure hash algorithm.  This section
 386 # describes the mechanism for disabling algorithms based on algorithm name
 387 # and/or key length.  This includes algorithms used in certificates, as well
 388 # as revocation information such as CRLs and signed OCSP Responses.
 389 #
 390 # The syntax of the disabled algorithm string is described as this Java
 391 # BNF-style:
 392 #   DisabledAlgorithms:
 393 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 394 #
 395 #   DisabledAlgorithm:
 396 #       AlgorithmName [Constraint]
 397 #
 398 #   AlgorithmName:
 399 #       (see below)
 400 #