
src/java.base/share/conf/security/java.security

rev 54745 : 8215032: Support Kerberos cross-realm referrals (RFC 6806)
Reviewed-by: weijun


 458 #
 459 # tryLess[:max_retries,timeout]
 460 #    KDCs in the blacklist are still tried by their order in the configuration,
 461 #    but with smaller max_retries and timeout values. max_retries and timeout
 462 #    are optional numerical parameters (default 1 and 5000, which means once
 463 #    and 5 seconds). Please notes that if any of the values defined here is
 464 #    more than what is defined in krb5.conf, it will be ignored.
 465 #
 466 # Whenever a KDC is detected as available, it is removed from the blacklist.
 467 # The blacklist is reset when krb5.conf is reloaded. You can add
 468 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 469 # reloaded whenever a JAAS authentication is attempted.
 470 #
 471 # Example,
 472 #   krb5.kdc.bad.policy = tryLast
 473 #   krb5.kdc.bad.policy = tryLess:2,2000
 474 #
 475 krb5.kdc.bad.policy = tryLast
 476 
 477 #
 478 # Algorithm restrictions for certification path (CertPath) processing
 479 #
 480 # In some environments, certain algorithms or key lengths may be undesirable
 481 # for certification path building and validation.  For example, "MD2" is
 482 # generally no longer considered to be a secure hash algorithm.  This section
 483 # describes the mechanism for disabling algorithms based on algorithm name
 484 # and/or key length.  This includes algorithms used in certificates, as well
 485 # as revocation information such as CRLs and signed OCSP Responses.
 486 # The syntax of the disabled algorithm string is described as follows:
 487 #   DisabledAlgorithms:
 488 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 489 #
 490 #   DisabledAlgorithm:
 491 #       AlgorithmName [Constraint] { '&' Constraint }
 492 #
 493 #   AlgorithmName:
 494 #       (see below)
 495 #
 496 #   Constraint:
 497 #       KeySizeConstraint | CAConstraint | DenyAfterConstraint |




 458 #
 459 # tryLess[:max_retries,timeout]
 460 #    KDCs in the blacklist are still tried by their order in the configuration,
 461 #    but with smaller max_retries and timeout values. max_retries and timeout
 462 #    are optional numerical parameters (default 1 and 5000, which means once
 463 #    and 5 seconds). Please notes that if any of the values defined here is
 464 #    more than what is defined in krb5.conf, it will be ignored.
 465 #
 466 # Whenever a KDC is detected as available, it is removed from the blacklist.
 467 # The blacklist is reset when krb5.conf is reloaded. You can add
 468 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 469 # reloaded whenever a JAAS authentication is attempted.
 470 #
 471 # Example,
 472 #   krb5.kdc.bad.policy = tryLast
 473 #   krb5.kdc.bad.policy = tryLess:2,2000
 474 #
 475 krb5.kdc.bad.policy = tryLast
 476 
 477 #
 478 # Kerberos cross-realm referrals (RFC 6806)
 479 #
 480 # OpenJDK's Kerberos client supports cross-realm referrals as defined in
 481 # RFC 6806. This allows to setup more dynamic environments in which clients
 482 # do not need to know in advance how to reach the realm of a target principal
 483 # (either a user or service).
 484 #
 485 # When a client issues an AS or a TGS request, the "canonicalize" option
 486 # is set to announce support of this feature. A KDC server may fulfill the
 487 # request or reply referring the client to a different one. If referred,
 488 # the client will issue a new request and the cycle repeats.
 489 #
 490 # In addition to referrals, the "canonicalize" option allows the KDC server
 491 # to change the client name in response to an AS request. For security reasons,
 492 # RFC 6806 (section 11) FAST scheme is enforced.
 493 #
 494 # Disable Kerberos cross-realm referrals. Value may be ovewritten with a
 495 # System property (-Dsun.security.krb5.disableReferrals).
 496 sun.security.krb5.disableReferrals=false
 497 
 498 # Maximum number of AS or TGS referrals to avoid infite loops. Value may
 499 # be ovewritten with a System property (-Dsun.security.krb5.maxReferrals).
 500 sun.security.krb5.maxReferrals=5
 501 
 502 #
 503 # Algorithm restrictions for certification path (CertPath) processing
 504 #
 505 # In some environments, certain algorithms or key lengths may be undesirable
 506 # for certification path building and validation.  For example, "MD2" is
 507 # generally no longer considered to be a secure hash algorithm.  This section
 508 # describes the mechanism for disabling algorithms based on algorithm name
 509 # and/or key length.  This includes algorithms used in certificates, as well
 510 # as revocation information such as CRLs and signed OCSP Responses.
 511 # The syntax of the disabled algorithm string is described as follows:
 512 #   DisabledAlgorithms:
 513 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 514 #
 515 #   DisabledAlgorithm:
 516 #       AlgorithmName [Constraint] { '&' Constraint }
 517 #
 518 #   AlgorithmName:
 519 #       (see below)
 520 #
 521 #   Constraint:
 522 #       KeySizeConstraint | CAConstraint | DenyAfterConstraint |
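Review bot: the added comment block (lines 477-501) has several typos that should be fixed before integration: "ovewritten" on lines 494 and 499 should read "overwritten" (or better "overridden", since the System property takes precedence over the file value), "infite" on line 498 should be "infinite", and "This allows to setup" on line 481 reads better as "This allows setting up". Line 492 ("For security reasons, RFC 6806 (section 11) FAST scheme is enforced.") is also ambiguous on its own; since the preceding sentence is about the KDC changing the client name in an AS reply, consider stating explicitly that FAST is required for that case, e.g. "For security reasons, a client name change is only accepted when the exchange is protected by FAST, as required by RFC 6806 section 11." Finally, the two new properties are documented as a prose paragraph rather than with the "name=value" example style used for krb5.kdc.bad.policy just above; adding the same "# Example," lines would keep the file consistent.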