458 #
459 # tryLess[:max_retries,timeout]
460 # KDCs in the blacklist are still tried by their order in the configuration,
461 # but with smaller max_retries and timeout values. max_retries and timeout
462 # are optional numerical parameters (default 1 and 5000, which means once
463 # and 5 seconds). Please notes that if any of the values defined here is
464 # more than what is defined in krb5.conf, it will be ignored.
465 #
466 # Whenever a KDC is detected as available, it is removed from the blacklist.
467 # The blacklist is reset when krb5.conf is reloaded. You can add
468 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
469 # reloaded whenever a JAAS authentication is attempted.
470 #
471 # Example,
472 # krb5.kdc.bad.policy = tryLast
473 # krb5.kdc.bad.policy = tryLess:2,2000
474 #
475 krb5.kdc.bad.policy = tryLast
476
477 #
478 # Algorithm restrictions for certification path (CertPath) processing
479 #
480 # In some environments, certain algorithms or key lengths may be undesirable
481 # for certification path building and validation. For example, "MD2" is
482 # generally no longer considered to be a secure hash algorithm. This section
483 # describes the mechanism for disabling algorithms based on algorithm name
484 # and/or key length. This includes algorithms used in certificates, as well
485 # as revocation information such as CRLs and signed OCSP Responses.
486 # The syntax of the disabled algorithm string is described as follows:
487 # DisabledAlgorithms:
488 # " DisabledAlgorithm { , DisabledAlgorithm } "
489 #
490 # DisabledAlgorithm:
491 # AlgorithmName [Constraint] { '&' Constraint }
492 #
493 # AlgorithmName:
494 # (see below)
495 #
496 # Constraint:
497 # KeySizeConstraint | CAConstraint | DenyAfterConstraint |
|
458 #
459 # tryLess[:max_retries,timeout]
460 # KDCs in the blacklist are still tried by their order in the configuration,
461 # but with smaller max_retries and timeout values. max_retries and timeout
462 # are optional numerical parameters (default 1 and 5000, which means once
463 # and 5 seconds). Please notes that if any of the values defined here is
464 # more than what is defined in krb5.conf, it will be ignored.
465 #
466 # Whenever a KDC is detected as available, it is removed from the blacklist.
467 # The blacklist is reset when krb5.conf is reloaded. You can add
468 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
469 # reloaded whenever a JAAS authentication is attempted.
470 #
471 # Example,
472 # krb5.kdc.bad.policy = tryLast
473 # krb5.kdc.bad.policy = tryLess:2,2000
474 #
475 krb5.kdc.bad.policy = tryLast
476
477 #
478 # Kerberos cross-realm referrals (RFC 6806)
479 #
480 # OpenJDK's Kerberos client supports cross-realm referrals as defined in
481 # RFC 6806. This allows to setup more dynamic environments in which clients
482 # do not need to know in advance how to reach the realm of a target principal
483 # (either a user or service).
484 #
485 # When a client issues an AS or a TGS request, the "canonicalize" option
486 # is set to announce support of this feature. A KDC server may fulfill the
487 # request or reply referring the client to a different one. If referred,
488 # the client will issue a new request and the cycle repeats.
489 #
490 # In addition to referrals, the "canonicalize" option allows the KDC server
491 # to change the client name in response to an AS request. For security reasons,
492 # RFC 6806 (section 11) FAST scheme is enforced.
493 #
494 # Disable Kerberos cross-realm referrals. Value may be ovewritten with a
495 # System property (-Dsun.security.krb5.disableReferrals).
496 sun.security.krb5.disableReferrals=false
497
498 # Maximum number of AS or TGS referrals to avoid infite loops. Value may
499 # be ovewritten with a System property (-Dsun.security.krb5.maxReferrals).
500 sun.security.krb5.maxReferrals=5
501
502 #
503 # Algorithm restrictions for certification path (CertPath) processing
504 #
505 # In some environments, certain algorithms or key lengths may be undesirable
506 # for certification path building and validation. For example, "MD2" is
507 # generally no longer considered to be a secure hash algorithm. This section
508 # describes the mechanism for disabling algorithms based on algorithm name
509 # and/or key length. This includes algorithms used in certificates, as well
510 # as revocation information such as CRLs and signed OCSP Responses.
511 # The syntax of the disabled algorithm string is described as follows:
512 # DisabledAlgorithms:
513 # " DisabledAlgorithm { , DisabledAlgorithm } "
514 #
515 # DisabledAlgorithm:
516 # AlgorithmName [Constraint] { '&' Constraint }
517 #
518 # AlgorithmName:
519 # (see below)
520 #
521 # Constraint:
522 # KeySizeConstraint | CAConstraint | DenyAfterConstraint |
|