src/share/lib/security/java.security-windows

rev 10173 : 8014870: Faster KDC availability check in Kerberos


 362 # property is ignored.
 363 #
 364 # Example,
 365 #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
 366 
 367 #
 368 # Serial number of the OCSP responder's certificate
 369 #
 370 # By default, the certificate of the OCSP responder is that of the issuer
 371 # of the certificate being validated. This property identifies the certificate
 372 # of the OCSP responder when the default does not apply. Its value is a string
 373 # of hexadecimal digits (colon or space separators may be present) which
 374 # identifies a certificate in the set of certificates supplied during cert path
 375 # validation. When this property is set then the "ocsp.responderCertIssuerName"
 376 # property must also be set. When the "ocsp.responderCertSubjectName" property
 377 # is set then this property is ignored.
 378 #
 379 # Example,
 380 #   ocsp.responderCertSerialNumber=2A:FF:00
 381 
 382 #
 383 # Policy for failed Kerberos KDC lookups:
 384 #
 385 # When a KDC is unavailable (network error, service failure, etc), it is
 386 # put inside a blacklist and accessed less often for future requests. The
 387 # value (case-insensitive) for this policy can be:
 388 #
 389 # tryLast
 390 #    KDCs in the blacklist are always tried after those not on the list.
 391 #
 392 # tryLess[:max_retries,timeout]
 393 #    KDCs in the blacklist are still tried by their order in the configuration,
 394 #    but with smaller max_retries and timeout values. max_retries and timeout
 395 #    are optional numerical parameters (default 1 and 5000, which means once
 396 #    and 5 seconds). Please notes that if any of the values defined here is
 397 #    more than what is defined in krb5.conf, it will be ignored.
 398 #
 399 # Whenever a KDC is detected as available, it is removed from the blacklist.
 400 # The blacklist is reset when krb5.conf is reloaded. You can add
 401 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 402 # reloaded whenever a JAAS authentication is attempted.
 403 #
 404 # Example,
 405 #   krb5.kdc.bad.policy = tryLast
 406 #   krb5.kdc.bad.policy = tryLess:2,2000
 407 krb5.kdc.bad.policy = tryLast
 408 
 409 # Algorithm restrictions for certification path (CertPath) processing
 410 #
 411 # In some environments, certain algorithms or key lengths may be undesirable
 412 # for certification path building and validation.  For example, "MD2" is
 413 # generally no longer considered to be a secure hash algorithm.  This section
 414 # describes the mechanism for disabling algorithms based on algorithm name
 415 # and/or key length.  This includes algorithms used in certificates, as well
 416 # as revocation information such as CRLs and signed OCSP Responses.
 417 #
 418 # The syntax of the disabled algorithm string is described as this Java
 419 # BNF-style:
 420 #   DisabledAlgorithms:
 421 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 422 #
 423 #   DisabledAlgorithm:
 424 #       AlgorithmName [Constraint]
 425 #
 426 #   AlgorithmName:
 427 #       (see below)
 428 #
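Review bot: "Please notes that if any of the values defined here is more than what is defined in krb5.conf, it will be ignored" in the tryLess description should read "Please note that", and it should say explicitly whether the whole policy or only the offending parameter is ignored when max_retries or timeout exceeds the krb5.conf value. The block also does not document what happens when krb5.kdc.bad.policy is absent or holds an unrecognized value; since the property ships enabled as `krb5.kdc.bad.policy = tryLast`, a sentence stating that default (or that the property can be commented out to disable the blacklist) would help administrators reading this file. Minor: "(network error, service failure, etc)" is missing the period after "etc".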




 362 # property is ignored.
 363 #
 364 # Example,
 365 #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
 366 
 367 #
 368 # Serial number of the OCSP responder's certificate
 369 #
 370 # By default, the certificate of the OCSP responder is that of the issuer
 371 # of the certificate being validated. This property identifies the certificate
 372 # of the OCSP responder when the default does not apply. Its value is a string
 373 # of hexadecimal digits (colon or space separators may be present) which
 374 # identifies a certificate in the set of certificates supplied during cert path
 375 # validation. When this property is set then the "ocsp.responderCertIssuerName"
 376 # property must also be set. When the "ocsp.responderCertSubjectName" property
 377 # is set then this property is ignored.
 378 #
 379 # Example,
 380 #   ocsp.responderCertSerialNumber=2A:FF:00
 381 



























 382 # Algorithm restrictions for certification path (CertPath) processing
 383 #
 384 # In some environments, certain algorithms or key lengths may be undesirable
 385 # for certification path building and validation.  For example, "MD2" is
 386 # generally no longer considered to be a secure hash algorithm.  This section
 387 # describes the mechanism for disabling algorithms based on algorithm name
 388 # and/or key length.  This includes algorithms used in certificates, as well
 389 # as revocation information such as CRLs and signed OCSP Responses.
 390 #
 391 # The syntax of the disabled algorithm string is described as this Java
 392 # BNF-style:
 393 #   DisabledAlgorithms:
 394 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 395 #
 396 #   DisabledAlgorithm:
 397 #       AlgorithmName [Constraint]
 398 #
 399 #   AlgorithmName:
 400 #       (see below)
 401 #