362 # property is ignored.
363 #
364 # Example,
365 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
366
367 #
368 # Serial number of the OCSP responder's certificate
369 #
370 # By default, the certificate of the OCSP responder is that of the issuer
371 # of the certificate being validated. This property identifies the certificate
372 # of the OCSP responder when the default does not apply. Its value is a string
373 # of hexadecimal digits (colon or space separators may be present) which
374 # identifies a certificate in the set of certificates supplied during cert path
375 # validation. When this property is set then the "ocsp.responderCertIssuerName"
376 # property must also be set. When the "ocsp.responderCertSubjectName" property
377 # is set then this property is ignored.
378 #
379 # Example,
380 # ocsp.responderCertSerialNumber=2A:FF:00
381
382 #
383 # Policy for failed Kerberos KDC lookups:
384 #
385 # When a KDC is unavailable (network error, service failure, etc), it is
386 # put inside a blacklist and accessed less often for future requests. The
387 # value (case-insensitive) for this policy can be:
388 #
389 # tryLast
390 # KDCs in the blacklist are always tried after those not on the list.
391 #
392 # tryLess[:max_retries,timeout]
393 # KDCs in the blacklist are still tried by their order in the configuration,
394 # but with smaller max_retries and timeout values. max_retries and timeout
395 # are optional numerical parameters (default 1 and 5000, which means once
396 # and 5 seconds). Please notes that if any of the values defined here is
397 # more than what is defined in krb5.conf, it will be ignored.
398 #
399 # Whenever a KDC is detected as available, it is removed from the blacklist.
400 # The blacklist is reset when krb5.conf is reloaded. You can add
401 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
402 # reloaded whenever a JAAS authentication is attempted.
403 #
404 # Example,
405 # krb5.kdc.bad.policy = tryLast
406 # krb5.kdc.bad.policy = tryLess:2,2000
407 krb5.kdc.bad.policy = tryLast
408
409 # Algorithm restrictions for certification path (CertPath) processing
410 #
411 # In some environments, certain algorithms or key lengths may be undesirable
412 # for certification path building and validation. For example, "MD2" is
413 # generally no longer considered to be a secure hash algorithm. This section
414 # describes the mechanism for disabling algorithms based on algorithm name
415 # and/or key length. This includes algorithms used in certificates, as well
416 # as revocation information such as CRLs and signed OCSP Responses.
417 #
418 # The syntax of the disabled algorithm string is described as this Java
419 # BNF-style:
420 # DisabledAlgorithms:
421 # " DisabledAlgorithm { , DisabledAlgorithm } "
422 #
423 # DisabledAlgorithm:
424 # AlgorithmName [Constraint]
425 #
426 # AlgorithmName:
427 # (see below)
428 #
|
362 # property is ignored.
363 #
364 # Example,
365 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
366
367 #
368 # Serial number of the OCSP responder's certificate
369 #
370 # By default, the certificate of the OCSP responder is that of the issuer
371 # of the certificate being validated. This property identifies the certificate
372 # of the OCSP responder when the default does not apply. Its value is a string
373 # of hexadecimal digits (colon or space separators may be present) which
374 # identifies a certificate in the set of certificates supplied during cert path
375 # validation. When this property is set then the "ocsp.responderCertIssuerName"
376 # property must also be set. When the "ocsp.responderCertSubjectName" property
377 # is set then this property is ignored.
378 #
379 # Example,
380 # ocsp.responderCertSerialNumber=2A:FF:00
381
382 # Algorithm restrictions for certification path (CertPath) processing
383 #
384 # In some environments, certain algorithms or key lengths may be undesirable
385 # for certification path building and validation. For example, "MD2" is
386 # generally no longer considered to be a secure hash algorithm. This section
387 # describes the mechanism for disabling algorithms based on algorithm name
388 # and/or key length. This includes algorithms used in certificates, as well
389 # as revocation information such as CRLs and signed OCSP Responses.
390 #
391 # The syntax of the disabled algorithm string is described as this Java
392 # BNF-style:
393 # DisabledAlgorithms:
394 # " DisabledAlgorithm { , DisabledAlgorithm } "
395 #
396 # DisabledAlgorithm:
397 # AlgorithmName [Constraint]
398 #
399 # AlgorithmName:
400 # (see below)
401 #
|
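Review bot: The tryLess description in the added Kerberos block (new lines 392-397) gives the timeout default as 5000 and only implies milliseconds through "5 seconds"; state the unit explicitly, since the example "tryLess:2,2000" is otherwise ambiguous. In the same paragraph, "Please notes that" should read "Please note that", and "it will be ignored" should say whether only the oversized value or the whole setting is ignored. The comment also does not say what behaviour applies when krb5.kdc.bad.policy is unset or holds an unrecognised value, which matters because the file now ships an active "krb5.kdc.bad.policy = tryLast" line.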