1 # 2 # This is the "master security properties file". 3 # 4 # An alternate java.security properties file may be specified 5 # from the command line via the system property 6 # 7 # -Djava.security.properties=<URL> 8 # 9 # This properties file appends to the master security properties file. 10 # If both properties files specify values for the same key, the value 11 # from the command-line properties file is selected, as it is the last 12 # one loaded. 13 # 14 # Also, if you specify 15 # 16 # -Djava.security.properties==<URL> (2 equals), 17 # 18 # then that properties file completely overrides the master security 19 # properties file. 20 # 21 # To disable the ability to specify an additional properties file from 22 # the command line, set the key security.overridePropertiesFile 23 # to false in the master security properties file. It is set to true 24 # by default. 25 26 # In this file, various security properties are set for use by 27 # java.security classes. This is where users can statically register 28 # Cryptography Package Providers ("providers" for short). The term 29 # "provider" refers to a package or set of packages that supply a 30 # concrete implementation of a subset of the cryptography aspects of 31 # the Java Security API. A provider may, for example, implement one or 32 # more digital signature algorithms or message digest algorithms. 33 # 34 # Each provider must implement a subclass of the Provider class. 35 # To register a provider in this master security properties file, 36 # specify the provider and priority in the format 37 # 38 # security.provider.<n>=<provName | className> 39 # 40 # This declares a provider, and specifies its preference 41 # order n. The preference order is the order in which providers are 42 # searched for requested algorithms (when no specific provider is 43 # requested). The order is 1-based; 1 is the most preferred, followed 44 # by 2, and so on. 45 # 46 # <provName> must specify the name of the Provider as passed to its super 47 # class java.security.Provider constructor. This is for providers loaded 48 # through the ServiceLoader mechanism. 49 # 50 # <className> must specify the subclass of the Provider class whose 51 # constructor sets the values of various properties that are required 52 # for the Java Security API to look up the algorithms or other 53 # facilities implemented by the provider. This is for providers loaded 54 # through classpath. 55 # 56 # Note: Providers can be dynamically registered instead by calls to 57 # either the addProvider or insertProviderAt method in the Security 58 # class. 59 60 # 61 # List of providers and their preference orders (see above): 62 # 63 #ifdef solaris 64 security.provider.tbd=OracleUcrypto 65 security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg 66 #endif 67 security.provider.tbd=SUN 68 security.provider.tbd=SunRsaSign 69 security.provider.tbd=SunEC 70 security.provider.tbd=SunJSSE 71 security.provider.tbd=SunJCE 72 security.provider.tbd=SunJGSS 73 security.provider.tbd=SunSASL 74 security.provider.tbd=XMLDSig 75 security.provider.tbd=SunPCSC 76 security.provider.tbd=JdkLDAP 77 security.provider.tbd=JdkSASL 78 #ifdef windows 79 security.provider.tbd=SunMSCAPI 80 #endif 81 #ifdef macosx 82 security.provider.tbd=Apple 83 #endif 84 #ifndef solaris 85 security.provider.tbd=SunPKCS11 86 #endif 87 88 # 89 # A list of preferred providers for specific algorithms. These providers will 90 # be searched for matching algorithms before the list of registered providers. 91 # Entries containing errors (parsing, etc) will be ignored. Use the 92 # -Djava.security.debug=jca property to debug these errors. 93 # 94 # The property is a comma-separated list of serviceType.algorithm:provider 95 # entries. The serviceType (example: "MessageDigest") is optional, and if 96 # not specified, the algorithm applies to all service types that support it. 97 # The algorithm is the standard algorithm name or transformation. 98 # Transformations can be specified in their full standard name 99 # (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC). 100 # The provider is the name of the provider. Any provider that does not 101 # also appear in the registered list will be ignored. 102 # 103 # There is a special serviceType for this property only to group a set of 104 # algorithms together. The type is "Group" and is followed by an algorithm 105 # keyword. Groups are to simplify and lessen the entries on the property 106 # line. Current groups are: 107 # Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 108 # Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512 109 # Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA 110 # Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA 111 # Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \ 112 # SHA512withECDSA 113 # Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512 114 # Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 115 # 116 # Example: 117 # jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ 118 # MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE 119 # 120 #ifdef solaris-sparc 121 # Optional Solaris-SPARC configuration for non-FIPS 140 configurations. 122 # jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, \ 123 # HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE 124 # 125 #endif 126 #jdk.security.provider.preferred= 127 128 129 # 130 # Sun Provider SecureRandom seed source. 131 # 132 # Select the primary source of seed data for the "NativePRNG", "SHA1PRNG" 133 # and "DRBG" SecureRandom implementations in the "Sun" provider. 134 # (Other SecureRandom implementations might also use this property.) 135 # 136 # On Unix-like systems (for example, Solaris/Linux/MacOS), the 137 # "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from 138 # special device files such as file:/dev/random. 139 # 140 # On Windows systems, specifying the URLs "file:/dev/random" or 141 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding 142 # mechanism for SHA1PRNG and DRBG. 143 # 144 # By default, an attempt is made to use the entropy gathering device 145 # specified by the "securerandom.source" Security property. If an 146 # exception occurs while accessing the specified URL: 147 # 148 # NativePRNG: 149 # a default value of /dev/random will be used. If neither 150 # are available, the implementation will be disabled. 151 # "file" is the only currently supported protocol type. 152 # 153 # SHA1PRNG and DRBG: 154 # the traditional system/thread activity algorithm will be used. 155 # 156 # The entropy gathering device can also be specified with the System 157 # property "java.security.egd". For example: 158 # 159 # % java -Djava.security.egd=file:/dev/random MainClass 160 # 161 # Specifying this System property will override the 162 # "securerandom.source" Security property. 163 # 164 # In addition, if "file:/dev/random" or "file:/dev/urandom" is 165 # specified, the "NativePRNG" implementation will be more preferred than 166 # DRBG and SHA1PRNG in the Sun provider. 167 # 168 securerandom.source=file:/dev/random 169 170 # 171 # A list of known strong SecureRandom implementations. 172 # 173 # To help guide applications in selecting a suitable strong 174 # java.security.SecureRandom implementation, Java distributions should 175 # indicate a list of known strong implementations using the property. 176 # 177 # This is a comma-separated list of algorithm and/or algorithm:provider 178 # entries. 179 # 180 #ifdef windows 181 securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN 182 #endif 183 #ifndef windows 184 securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN 185 #endif 186 187 # 188 # Sun provider DRBG configuration and default instantiation request. 189 # 190 # NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured 191 # with a DRBG algorithm name, and can be instantiated with a security strength, 192 # prediction resistance support, etc. This property defines the configuration 193 # and the default instantiation request of "DRBG" SecureRandom implementations 194 # in the SUN provider. (Other DRBG implementations can also use this property.) 195 # Applications can request different instantiation parameters like security 196 # strength, capability, personalization string using one of the 197 # getInstance(...,SecureRandomParameters,...) methods with a 198 # DrbgParameters.Instantiation argument, but other settings such as the 199 # mechanism and DRBG algorithm names are not currently configurable by any API. 200 # 201 # Please note that the SUN implementation of DRBG always supports reseeding. 202 # 203 # The value of this property is a comma-separated list of all configurable 204 # aspects. The aspects can appear in any order but the same aspect can only 205 # appear at most once. Its BNF-style definition is: 206 # 207 # Value: 208 # aspect { "," aspect } 209 # 210 # aspect: 211 # mech_name | algorithm_name | strength | capability | df 212 # 213 # // The DRBG mechanism to use. Default "Hash_DRBG" 214 # mech_name: 215 # "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG" 216 # 217 # // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and 218 # // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG, 219 # // default "AES-128" when using the limited cryptographic or "AES-256" 220 # // when using the unlimited. 221 # algorithm_name: 222 # "SHA-224" | "SHA-512/224" | "SHA-256" | 223 # "SHA-512/256" | "SHA-384" | "SHA-512" | 224 # "AES-128" | "AES-192" | "AES-256" 225 # 226 # // Security strength requested. Default "128" 227 # strength: 228 # "112" | "128" | "192" | "256" 229 # 230 # // Prediction resistance and reseeding request. Default "none" 231 # // "pr_and_reseed" - Both prediction resistance and reseeding 232 # // support requested 233 # // "reseed_only" - Only reseeding support requested 234 # // "none" - Neither prediction resistance not reseeding 235 # // support requested 236 # pr: 237 # "pr_and_reseed" | "reseed_only" | "none" 238 # 239 # // Whether a derivation function should be used. only applicable 240 # // to CTR_DRBG. Default "use_df" 241 # df: 242 # "use_df" | "no_df" 243 # 244 # Examples, 245 # securerandom.drbg.config=Hash_DRBG,SHA-224,112,none 246 # securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df 247 # 248 # The default value is an empty string, which is equivalent to 249 # securerandom.drbg.config=Hash_DRBG,SHA-256,128,none 250 # 251 securerandom.drbg.config= 252 253 # 254 # Class to instantiate as the javax.security.auth.login.Configuration 255 # provider. 256 # 257 login.configuration.provider=sun.security.provider.ConfigFile 258 259 # 260 # Default login configuration file 261 # 262 #login.config.url.1=file:${user.home}/.java.login.config 263 264 # 265 # Class to instantiate as the system Policy. This is the name of the class 266 # that will be used as the Policy object. The system class loader is used to 267 # locate this class. 268 # 269 policy.provider=sun.security.provider.PolicyFile 270 271 # The default is to have a single system-wide policy file, 272 # and a policy file in the user's home directory. 273 # 274 policy.url.1=file:${java.home}/conf/security/java.policy 275 policy.url.2=file:${user.home}/.java.policy 276 277 # whether or not we expand properties in the policy file 278 # if this is set to false, properties (${...}) will not be expanded in policy 279 # files. 280 # 281 policy.expandProperties=true 282 283 # whether or not we allow an extra policy to be passed on the command line 284 # with -Djava.security.policy=somefile. Comment out this line to disable 285 # this feature. 286 # 287 policy.allowSystemProperty=true 288 289 # whether or not we look into the IdentityScope for trusted Identities 290 # when encountering a 1.1 signed JAR file. If the identity is found 291 # and is trusted, we grant it AllPermission. Note: the default policy 292 # provider (sun.security.provider.PolicyFile) does not support this property. 293 # 294 policy.ignoreIdentityScope=false 295 296 # 297 # Default keystore type. 298 # 299 keystore.type=pkcs12 300 301 # 302 # Controls compatibility mode for JKS and PKCS12 keystore types. 303 # 304 # When set to 'true', both JKS and PKCS12 keystore types support loading 305 # keystore files in either JKS or PKCS12 format. When set to 'false' the 306 # JKS keystore type supports loading only JKS keystore files and the PKCS12 307 # keystore type supports loading only PKCS12 keystore files. 308 # 309 keystore.type.compat=true 310 311 # 312 # List of comma-separated packages that start with or equal this string 313 # will cause a security exception to be thrown when passed to the 314 # SecurityManager::checkPackageAccess method unless the corresponding 315 # RuntimePermission("accessClassInPackage."+package) has been granted. 316 # 317 package.access=sun.misc.,\ 318 sun.reflect.,\ 319 320 # 321 # List of comma-separated packages that start with or equal this string 322 # will cause a security exception to be thrown when passed to the 323 # SecurityManager::checkPackageDefinition method unless the corresponding 324 # RuntimePermission("defineClassInPackage."+package) has been granted. 325 # 326 # By default, none of the class loaders supplied with the JDK call 327 # checkPackageDefinition. 328 # 329 package.definition=sun.misc.,\ 330 sun.reflect.,\ 331 332 # 333 # Determines whether this properties file can be appended to 334 # or overridden on the command line via -Djava.security.properties 335 # 336 security.overridePropertiesFile=true 337 338 # 339 # Determines the default key and trust manager factory algorithms for 340 # the javax.net.ssl package. 341 # 342 ssl.KeyManagerFactory.algorithm=SunX509 343 ssl.TrustManagerFactory.algorithm=PKIX 344 345 # 346 # The Java-level namelookup cache policy for successful lookups: 347 # 348 # any negative value: caching forever 349 # any positive value: the number of seconds to cache an address for 350 # zero: do not cache 351 # 352 # default value is forever (FOREVER). For security reasons, this 353 # caching is made forever when a security manager is set. When a security 354 # manager is not set, the default behavior in this implementation 355 # is to cache for 30 seconds. 356 # 357 # NOTE: setting this to anything other than the default value can have 358 # serious security implications. Do not set it unless 359 # you are sure you are not exposed to DNS spoofing attack. 360 # 361 #networkaddress.cache.ttl=-1 362 363 # The Java-level namelookup cache policy for failed lookups: 364 # 365 # any negative value: cache forever 366 # any positive value: the number of seconds to cache negative lookup results 367 # zero: do not cache 368 # 369 # In some Microsoft Windows networking environments that employ 370 # the WINS name service in addition to DNS, name service lookups 371 # that fail may take a noticeably long time to return (approx. 5 seconds). 372 # For this reason the default caching policy is to maintain these 373 # results for 10 seconds. 374 # 375 networkaddress.cache.negative.ttl=10 376 377 # 378 # Properties to configure OCSP for certificate revocation checking 379 # 380 381 # Enable OCSP 382 # 383 # By default, OCSP is not used for certificate revocation checking. 384 # This property enables the use of OCSP when set to the value "true". 385 # 386 # NOTE: SocketPermission is required to connect to an OCSP responder. 387 # 388 # Example, 389 # ocsp.enable=true 390 391 # 392 # Location of the OCSP responder 393 # 394 # By default, the location of the OCSP responder is determined implicitly 395 # from the certificate being validated. This property explicitly specifies 396 # the location of the OCSP responder. The property is used when the 397 # Authority Information Access extension (defined in RFC 5280) is absent 398 # from the certificate or when it requires overriding. 399 # 400 # Example, 401 # ocsp.responderURL=http://ocsp.example.net:80 402 403 # 404 # Subject name of the OCSP responder's certificate 405 # 406 # By default, the certificate of the OCSP responder is that of the issuer 407 # of the certificate being validated. This property identifies the certificate 408 # of the OCSP responder when the default does not apply. Its value is a string 409 # distinguished name (defined in RFC 2253) which identifies a certificate in 410 # the set of certificates supplied during cert path validation. In cases where 411 # the subject name alone is not sufficient to uniquely identify the certificate 412 # then both the "ocsp.responderCertIssuerName" and 413 # "ocsp.responderCertSerialNumber" properties must be used instead. When this 414 # property is set then those two properties are ignored. 415 # 416 # Example, 417 # ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp 418 419 # 420 # Issuer name of the OCSP responder's certificate 421 # 422 # By default, the certificate of the OCSP responder is that of the issuer 423 # of the certificate being validated. This property identifies the certificate 424 # of the OCSP responder when the default does not apply. Its value is a string 425 # distinguished name (defined in RFC 2253) which identifies a certificate in 426 # the set of certificates supplied during cert path validation. When this 427 # property is set then the "ocsp.responderCertSerialNumber" property must also 428 # be set. When the "ocsp.responderCertSubjectName" property is set then this 429 # property is ignored. 430 # 431 # Example, 432 # ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp 433 434 # 435 # Serial number of the OCSP responder's certificate 436 # 437 # By default, the certificate of the OCSP responder is that of the issuer 438 # of the certificate being validated. This property identifies the certificate 439 # of the OCSP responder when the default does not apply. Its value is a string 440 # of hexadecimal digits (colon or space separators may be present) which 441 # identifies a certificate in the set of certificates supplied during cert path 442 # validation. When this property is set then the "ocsp.responderCertIssuerName" 443 # property must also be set. When the "ocsp.responderCertSubjectName" property 444 # is set then this property is ignored. 445 # 446 # Example, 447 # ocsp.responderCertSerialNumber=2A:FF:00 448 449 # 450 # Policy for failed Kerberos KDC lookups: 451 # 452 # When a KDC is unavailable (network error, service failure, etc), it is 453 # put inside a blacklist and accessed less often for future requests. The 454 # value (case-insensitive) for this policy can be: 455 # 456 # tryLast 457 # KDCs in the blacklist are always tried after those not on the list. 458 # 459 # tryLess[:max_retries,timeout] 460 # KDCs in the blacklist are still tried by their order in the configuration, 461 # but with smaller max_retries and timeout values. max_retries and timeout 462 # are optional numerical parameters (default 1 and 5000, which means once 463 # and 5 seconds). Please notes that if any of the values defined here is 464 # more than what is defined in krb5.conf, it will be ignored. 465 # 466 # Whenever a KDC is detected as available, it is removed from the blacklist. 467 # The blacklist is reset when krb5.conf is reloaded. You can add 468 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is 469 # reloaded whenever a JAAS authentication is attempted. 470 # 471 # Example, 472 # krb5.kdc.bad.policy = tryLast 473 # krb5.kdc.bad.policy = tryLess:2,2000 474 # 475 krb5.kdc.bad.policy = tryLast 476 477 # 478 # Kerberos cross-realm referrals (RFC 6806) 479 # 480 # OpenJDK's Kerberos client supports cross-realm referrals as defined in 481 # RFC 6806. This allows to setup more dynamic environments in which clients 482 # do not need to know in advance how to reach the realm of a target principal 483 # (either a user or service). 484 # 485 # When a client issues an AS or a TGS request, the "canonicalize" option 486 # is set to announce support of this feature. A KDC server may fulfill the 487 # request or reply referring the client to a different one. If referred, 488 # the client will issue a new request and the cycle repeats. 489 # 490 # In addition to referrals, the "canonicalize" option allows the KDC server 491 # to change the client name in response to an AS request. For security reasons, 492 # RFC 6806 (section 11) FAST scheme is enforced. 493 # 494 # Disable Kerberos cross-realm referrals. Value may be overwritten with a 495 # System property (-Dsun.security.krb5.disableReferrals). 496 sun.security.krb5.disableReferrals=false 497 498 # Maximum number of AS or TGS referrals to avoid infinite loops. Value may 499 # be overwritten with a System property (-Dsun.security.krb5.maxReferrals). 500 sun.security.krb5.maxReferrals=5 501 502 # 503 # This property contains a list of disabled EC Named Curves that can be included 504 # in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this 505 # list in any of the disabledAlgorithms properties, add the property name as 506 # an entry. 507 jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \ 508 secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \ 509 secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \ 510 sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \ 511 sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \ 512 sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \ 513 X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \ 514 X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \ 515 X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \ 516 brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 517 518 # 519 # Algorithm restrictions for certification path (CertPath) processing 520 # 521 # In some environments, certain algorithms or key lengths may be undesirable 522 # for certification path building and validation. For example, "MD2" is 523 # generally no longer considered to be a secure hash algorithm. This section 524 # describes the mechanism for disabling algorithms based on algorithm name 525 # and/or key length. This includes algorithms used in certificates, as well 526 # as revocation information such as CRLs and signed OCSP Responses. 527 # The syntax of the disabled algorithm string is described as follows: 528 # DisabledAlgorithms: 529 # " DisabledAlgorithm { , DisabledAlgorithm } " 530 # 531 # DisabledAlgorithm: 532 # AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty 533 # 534 # AlgorithmName: 535 # (see below) 536 # 537 # Constraint: 538 # KeySizeConstraint | CAConstraint | DenyAfterConstraint | 539 # UsageConstraint 540 # 541 # KeySizeConstraint: 542 # keySize Operator KeyLength 543 # 544 # Operator: 545 # <= | < | == | != | >= | > 546 # 547 # KeyLength: 548 # Integer value of the algorithm's key length in bits 549 # 550 # CAConstraint: 551 # jdkCA 552 # 553 # DenyAfterConstraint: 554 # denyAfter YYYY-MM-DD 555 # 556 # UsageConstraint: 557 # usage [TLSServer] [TLSClient] [SignedJAR] 558 # 559 # IncludeProperty: 560 # include <security property> 561 # 562 # The "AlgorithmName" is the standard algorithm name of the disabled 563 # algorithm. See the Java Security Standard Algorithm Names Specification 564 # for information about Standard Algorithm Names. Matching is 565 # performed using a case-insensitive sub-element matching rule. (For 566 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and 567 # "ECDSA" for signatures.) If the assertion "AlgorithmName" is a 568 # sub-element of the certificate algorithm name, the algorithm will be 569 # rejected during certification path building and validation. For example, 570 # the assertion algorithm name "DSA" will disable all certificate algorithms 571 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion 572 # will not disable algorithms related to "ECDSA". 573 # 574 # The "IncludeProperty" allows a implementation-defined security property that 575 # can be included in the disabledAlgorithms properties. These properties are 576 # to help manage common actions easier across multiple disabledAlgorithm 577 # properties. 578 # There is one defined security property: jdk.disabled.NamedCurves 579 # See the property for more specific details. 580 # 581 # 582 # A "Constraint" defines restrictions on the keys and/or certificates for 583 # a specified AlgorithmName: 584 # 585 # KeySizeConstraint: 586 # keySize Operator KeyLength 587 # The constraint requires a key of a valid size range if the 588 # "AlgorithmName" is of a key algorithm. The "KeyLength" indicates 589 # the key size specified in number of bits. For example, 590 # "RSA keySize <= 1024" indicates that any RSA key with key size less 591 # than or equal to 1024 bits should be disabled, and 592 # "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key 593 # with key size less than 1024 or greater than 2048 should be disabled. 594 # This constraint is only used on algorithms that have a key size. 595 # 596 # CAConstraint: 597 # jdkCA 598 # This constraint prohibits the specified algorithm only if the 599 # algorithm is used in a certificate chain that terminates at a marked 600 # trust anchor in the lib/security/cacerts keystore. If the jdkCA 601 # constraint is not set, then all chains using the specified algorithm 602 # are restricted. jdkCA may only be used once in a DisabledAlgorithm 603 # expression. 604 # Example: To apply this constraint to SHA-1 certificates, include 605 # the following: "SHA1 jdkCA" 606 # 607 # DenyAfterConstraint: 608 # denyAfter YYYY-MM-DD 609 # This constraint prohibits a certificate with the specified algorithm 610 # from being used after the date regardless of the certificate's 611 # validity. JAR files that are signed and timestamped before the 612 # constraint date with certificates containing the disabled algorithm 613 # will not be restricted. The date is processed in the UTC timezone. 614 # This constraint can only be used once in a DisabledAlgorithm 615 # expression. 616 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, 617 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" 618 # 619 # UsageConstraint: 620 # usage [TLSServer] [TLSClient] [SignedJAR] 621 # This constraint prohibits the specified algorithm for 622 # a specified usage. This should be used when disabling an algorithm 623 # for all usages is not practical. 'TLSServer' restricts the algorithm 624 # in TLS server certificate chains when server authentication is 625 # performed. 'TLSClient' restricts the algorithm in TLS client 626 # certificate chains when client authentication is performed. 627 # 'SignedJAR' constrains use of certificates in signed jar files. 628 # The usage type follows the keyword and more than one usage type can 629 # be specified with a whitespace delimiter. 630 # Example: "SHA1 usage TLSServer TLSClient" 631 # 632 # When an algorithm must satisfy more than one constraint, it must be 633 # delimited by an ampersand '&'. For example, to restrict certificates in a 634 # chain that terminate at a distribution provided trust anchor and contain 635 # RSA keys that are less than or equal to 1024 bits, add the following 636 # constraint: "RSA keySize <= 1024 & jdkCA". 637 # 638 # All DisabledAlgorithms expressions are processed in the order defined in the 639 # property. This requires lower keysize constraints to be specified 640 # before larger keysize constraints of the same algorithm. For example: 641 # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". 642 # 643 # Note: The algorithm restrictions do not apply to trust anchors or 644 # self-signed certificates. 645 # 646 # Note: This property is currently used by Oracle's PKIX implementation. It 647 # is not guaranteed to be examined and used by other implementations. 648 # 649 # Example: 650 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 651 # 652 # 653 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ 654 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \ 655 include jdk.disabled.namedCurves 656 657 # 658 # Legacy algorithms for certification path (CertPath) processing and 659 # signed JAR files. 660 # 661 # In some environments, a certain algorithm or key length may be undesirable 662 # but is not yet disabled. 663 # 664 # Tools such as keytool and jarsigner may emit warnings when these legacy 665 # algorithms are used. See the man pages for those tools for more information. 666 # 667 # The syntax is the same as the "jdk.certpath.disabledAlgorithms" and 668 # "jdk.jar.disabledAlgorithms" security properties. 669 # 670 # Note: This property is currently used by the JDK Reference 671 # implementation. It is not guaranteed to be examined and used by other 672 # implementations. 673 674 jdk.security.legacyAlgorithms=SHA1, \ 675 RSA keySize < 2048, DSA keySize < 2048 676 677 # 678 # Algorithm restrictions for signed JAR files 679 # 680 # In some environments, certain algorithms or key lengths may be undesirable 681 # for signed JAR validation. For example, "MD2" is generally no longer 682 # considered to be a secure hash algorithm. This section describes the 683 # mechanism for disabling algorithms based on algorithm name and/or key length. 684 # JARs signed with any of the disabled algorithms or key sizes will be treated 685 # as unsigned. 686 # 687 # The syntax of the disabled algorithm string is described as follows: 688 # DisabledAlgorithms: 689 # " DisabledAlgorithm { , DisabledAlgorithm } " 690 # 691 # DisabledAlgorithm: 692 # AlgorithmName [Constraint] { '&' Constraint } 693 # 694 # AlgorithmName: 695 # (see below) 696 # 697 # Constraint: 698 # KeySizeConstraint | DenyAfterConstraint 699 # 700 # KeySizeConstraint: 701 # keySize Operator KeyLength 702 # 703 # DenyAfterConstraint: 704 # denyAfter YYYY-MM-DD 705 # 706 # Operator: 707 # <= | < | == | != | >= | > 708 # 709 # KeyLength: 710 # Integer value of the algorithm's key length in bits 711 # 712 # Note: This property is currently used by the JDK Reference 713 # implementation. It is not guaranteed to be examined and used by other 714 # implementations. 715 # 716 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions. 717 # 718 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ 719 DSA keySize < 1024, include jdk.disabled.namedCurves 720 721 # 722 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security 723 # (SSL/TLS/DTLS) processing 724 # 725 # In some environments, certain algorithms or key lengths may be undesirable 726 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling 727 # algorithms during SSL/TLS/DTLS security parameters negotiation, including 728 # protocol version negotiation, cipher suites selection, named groups 729 # selection, signature schemes selection, peer authentication and key 730 # exchange mechanisms. 731 # 732 # Disabled algorithms will not be negotiated for SSL/TLS connections, even 733 # if they are enabled explicitly in an application. 734 # 735 # For PKI-based peer authentication and key exchange mechanisms, this list 736 # of disabled algorithms will also be checked during certification path 737 # building and validation, including algorithms used in certificates, as 738 # well as revocation information such as CRLs and signed OCSP Responses. 739 # This is in addition to the jdk.certpath.disabledAlgorithms property above. 740 # 741 # See the specification of "jdk.certpath.disabledAlgorithms" for the 742 # syntax of the disabled algorithm string. 743 # 744 # Note: The algorithm restrictions do not apply to trust anchors or 745 # self-signed certificates. 746 # 747 # Note: This property is currently used by the JDK Reference implementation. 748 # It is not guaranteed to be examined and used by other implementations. 749 # 750 # Example: 751 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \ 752 # rsa_pkcs1_sha1, secp224r1 753 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 754 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 755 include jdk.disabled.namedCurves 756 757 # 758 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) 759 # processing in JSSE implementation. 760 # 761 # In some environments, a certain algorithm may be undesirable but it 762 # cannot be disabled because of its use in legacy applications. Legacy 763 # algorithms may still be supported, but applications should not use them 764 # as the security strength of legacy algorithms are usually not strong enough 765 # in practice. 766 # 767 # During SSL/TLS security parameters negotiation, legacy algorithms will 768 # not be negotiated unless there are no other candidates. 769 # 770 # The syntax of the legacy algorithms string is described as this Java 771 # BNF-style: 772 # LegacyAlgorithms: 773 # " LegacyAlgorithm { , LegacyAlgorithm } " 774 # 775 # LegacyAlgorithm: 776 # AlgorithmName (standard JSSE algorithm name) 777 # 778 # See the specification of security property "jdk.certpath.disabledAlgorithms" 779 # for the syntax and description of the "AlgorithmName" notation. 780 # 781 # Per SSL/TLS specifications, cipher suites have the form: 782 # SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg 783 # or 784 # TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg 785 # 786 # For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the 787 # key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC 788 # mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest 789 # algorithm for HMAC. 790 # 791 # The LegacyAlgorithm can be one of the following standard algorithm names: 792 # 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA 793 # 2. JSSE key exchange algorithm name, e.g., RSA 794 # 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC 795 # 4. JSSE message digest algorithm name, e.g., SHA 796 # 797 # See SSL/TLS specifications and the Java Security Standard Algorithm Names 798 # Specification for information about the algorithm names. 799 # 800 # Note: If a legacy algorithm is also restricted through the 801 # jdk.tls.disabledAlgorithms property or the 802 # java.security.AlgorithmConstraints API (See 803 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()), 804 # then the algorithm is completely disabled and will not be negotiated. 805 # 806 # Note: This property is currently used by the JDK Reference implementation. 807 # It is not guaranteed to be examined and used by other implementations. 808 # There is no guarantee the property will continue to exist or be of the 809 # same syntax in future releases. 810 # 811 # Example: 812 # jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5 813 # 814 jdk.tls.legacyAlgorithms= \ 815 K_NULL, C_NULL, M_NULL, \ 816 DH_anon, ECDH_anon, \ 817 RC4_128, RC4_40, DES_CBC, DES40_CBC, \ 818 3DES_EDE_CBC 819 820 # 821 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE) 822 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing. 823 # 824 # In traditional SSL/TLS/DTLS connections where finite field DHE parameters 825 # negotiation mechanism is not used, the server offers the client group 826 # parameters, base generator g and prime modulus p, for DHE key exchange. 827 # It is recommended to use dynamic group parameters. This property defines 828 # a mechanism that allows you to specify custom group parameters. 829 # 830 # The syntax of this property string is described as this Java BNF-style: 831 # DefaultDHEParameters: 832 # DefinedDHEParameters { , DefinedDHEParameters } 833 # 834 # DefinedDHEParameters: 835 # "{" DHEPrimeModulus , DHEBaseGenerator "}" 836 # 837 # DHEPrimeModulus: 838 # HexadecimalDigits 839 # 840 # DHEBaseGenerator: 841 # HexadecimalDigits 842 # 843 # HexadecimalDigits: 844 # HexadecimalDigit { HexadecimalDigit } 845 # 846 # HexadecimalDigit: one of 847 # 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f 848 # 849 # Whitespace characters are ignored. 850 # 851 # The "DefinedDHEParameters" defines the custom group parameters, prime 852 # modulus p and base generator g, for a particular size of prime modulus p. 853 # The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the 854 # "DHEBaseGenerator" defines the hexadecimal base generator g of a group 855 # parameter. It is recommended to use safe primes for the custom group 856 # parameters. 857 # 858 # If this property is not defined or the value is empty, the underlying JSSE 859 # provider's default group parameter is used for each connection. 860 # 861 # If the property value does not follow the grammar, or a particular group 862 # parameter is not valid, the connection will fall back and use the 863 # underlying JSSE provider's default group parameter. 864 # 865 # Note: This property is currently used by OpenJDK's JSSE implementation. It 866 # is not guaranteed to be examined and used by other implementations. 867 # 868 # Example: 869 # jdk.tls.server.defaultDHEParameters= 870 # { \ 871 # FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \ 872 # 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \ 873 # EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \ 874 # E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \ 875 # EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \ 876 # FFFFFFFF FFFFFFFF, 2} 877 878 # 879 # TLS key limits on symmetric cryptographic algorithms 880 # 881 # This security property sets limits on algorithms key usage in TLS 1.3. 882 # When the amount of data encrypted exceeds the algorithm value listed below, 883 # a KeyUpdate message will trigger a key change. This is for symmetric ciphers 884 # with TLS 1.3 only. 885 # 886 # The syntax for the property is described below: 887 # KeyLimits: 888 # " KeyLimit { , KeyLimit } " 889 # 890 # WeakKeyLimit: 891 # AlgorithmName Action Length 892 # 893 # AlgorithmName: 894 # A full algorithm transformation. 895 # 896 # Action: 897 # KeyUpdate 898 # 899 # Length: 900 # The amount of encrypted data in a session before the Action occurs 901 # This value may be an integer value in bytes, or as a power of two, 2^29. 902 # 903 # KeyUpdate: 904 # The TLS 1.3 KeyUpdate handshake process begins when the Length amount 905 # is fulfilled. 906 # 907 # Note: This property is currently used by OpenJDK's JSSE implementation. It 908 # is not guaranteed to be examined and used by other implementations. 909 # 910 jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37 911 912 # 913 # Cryptographic Jurisdiction Policy defaults 914 # 915 # Import and export control rules on cryptographic software vary from 916 # country to country. By default, Java provides two different sets of 917 # cryptographic policy files[1]: 918 # 919 # unlimited: These policy files contain no restrictions on cryptographic 920 # strengths or algorithms 921 # 922 # limited: These policy files contain more restricted cryptographic 923 # strengths 924 # 925 # The default setting is determined by the value of the "crypto.policy" 926 # Security property below. If your country or usage requires the 927 # traditional restrictive policy, the "limited" Java cryptographic 928 # policy is still available and may be appropriate for your environment. 929 # 930 # If you have restrictions that do not fit either use case mentioned 931 # above, Java provides the capability to customize these policy files. 932 # The "crypto.policy" security property points to a subdirectory 933 # within <java-home>/conf/security/policy/ which can be customized. 934 # Please see the <java-home>/conf/security/policy/README.txt file or consult 935 # the Java Security Guide/JCA documentation for more information. 936 # 937 # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY 938 # TO DETERMINE THE EXACT REQUIREMENTS. 939 # 940 # [1] Please note that the JCE for Java SE, including the JCE framework, 941 # cryptographic policy files, and standard JCE providers provided with 942 # the Java SE, have been reviewed and approved for export as mass market 943 # encryption item by the US Bureau of Industry and Security. 944 # 945 # Note: This property is currently used by the JDK Reference implementation. 946 # It is not guaranteed to be examined and used by other implementations. 947 # 948 crypto.policy=crypto.policydir-tbd 949 950 # 951 # The policy for the XML Signature secure validation mode. The mode is 952 # enabled by setting the property "org.jcp.xml.dsig.secureValidation" to 953 # true with the javax.xml.crypto.XMLCryptoContext.setProperty() method, 954 # or by running the code with a SecurityManager. 955 # 956 # Policy: 957 # Constraint {"," Constraint } 958 # Constraint: 959 # AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint | 960 # ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint 961 # AlgConstraint 962 # "disallowAlg" Uri 963 # MaxTransformsConstraint: 964 # "maxTransforms" Integer 965 # MaxReferencesConstraint: 966 # "maxReferences" Integer 967 # ReferenceUriSchemeConstraint: 968 # "disallowReferenceUriSchemes" String { String } 969 # KeySizeConstraint: 970 # "minKeySize" KeyAlg Integer 971 # OtherConstraint: 972 # "noDuplicateIds" | "noRetrievalMethodLoops" 973 # 974 # For AlgConstraint, Uri is the algorithm URI String that is not allowed. 975 # See the XML Signature Recommendation for more information on algorithm 976 # URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm 977 # name of the key type (ex: "RSA"). If the MaxTransformsConstraint, 978 # MaxReferencesConstraint or KeySizeConstraint (for the same key type) is 979 # specified more than once, only the last entry is enforced. 980 # 981 # Note: This property is currently used by the JDK Reference implementation. It 982 # is not guaranteed to be examined and used by other implementations. 983 # 984 jdk.xml.dsig.secureValidationPolicy=\ 985 disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\ 986 disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\ 987 disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\ 988 disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\ 989 maxTransforms 5,\ 990 maxReferences 30,\ 991 disallowReferenceUriSchemes file http https,\ 992 minKeySize RSA 1024,\ 993 minKeySize DSA 1024,\ 994 minKeySize EC 224,\ 995 noDuplicateIds,\ 996 noRetrievalMethodLoops 997 998 # 999 # Serialization process-wide filter 1000 # 1001 # A filter, if configured, is used by java.io.ObjectInputStream during 1002 # deserialization to check the contents of the stream. 1003 # A filter is configured as a sequence of patterns, each pattern is either 1004 # matched against the name of a class in the stream or defines a limit. 1005 # Patterns are separated by ";" (semicolon). 1006 # Whitespace is significant and is considered part of the pattern. 1007 # 1008 # If the system property jdk.serialFilter is also specified on the command 1009 # line, it supersedes the security property value defined here. 1010 # 1011 # If a pattern includes a "=", it sets a limit. 1012 # If a limit appears more than once the last value is used. 1013 # Limits are checked before classes regardless of the order in the 1014 # sequence of patterns. 1015 # If any of the limits are exceeded, the filter status is REJECTED. 1016 # 1017 # maxdepth=value - the maximum depth of a graph 1018 # maxrefs=value - the maximum number of internal references 1019 # maxbytes=value - the maximum number of bytes in the input stream 1020 # maxarray=value - the maximum array length allowed 1021 # 1022 # Other patterns, from left to right, match the class or package name as 1023 # returned from Class.getName. 1024 # If the class is an array type, the class or package to be matched is the 1025 # element type. 1026 # Arrays of any number of dimensions are treated the same as the element type. 1027 # For example, a pattern of "!example.Foo", rejects creation of any instance or 1028 # array of example.Foo. 1029 # 1030 # If the pattern starts with "!", the status is REJECTED if the remaining 1031 # pattern is matched; otherwise the status is ALLOWED if the pattern matches. 1032 # If the pattern contains "/", the non-empty prefix up to the "/" is the 1033 # module name; 1034 # if the module name matches the module name of the class then 1035 # the remaining pattern is matched with the class name. 1036 # If there is no "/", the module name is not compared. 1037 # If the pattern ends with ".**" it matches any class in the package and all 1038 # subpackages. 1039 # If the pattern ends with ".*" it matches any class in the package. 1040 # If the pattern ends with "*", it matches any class with the pattern as a 1041 # prefix. 1042 # If the pattern is equal to the class name, it matches. 1043 # Otherwise, the status is UNDECIDED. 1044 # 1045 #jdk.serialFilter=pattern;pattern 1046 1047 # 1048 # RMI Registry Serial Filter 1049 # 1050 # The filter pattern uses the same format as jdk.serialFilter. 1051 # This filter can override the builtin filter if additional types need to be 1052 # allowed or rejected from the RMI Registry or to decrease limits but not 1053 # to increase limits. 1054 # If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected. 1055 # 1056 # Each non-array type is allowed or rejected if it matches one of the patterns, 1057 # evaluated from left to right, and is otherwise allowed. Arrays of any 1058 # component type, including subarrays and arrays of primitives, are allowed. 1059 # 1060 # Array construction of any component type, including subarrays and arrays of 1061 # primitives, are allowed unless the length is greater than the maxarray limit. 1062 # The filter is applied to each array element. 1063 # 1064 # Note: This property is currently used by the JDK Reference implementation. 1065 # It is not guaranteed to be examined and used by other implementations. 1066 # 1067 # The built-in filter allows subclasses of allowed classes and 1068 # can approximately be represented as the pattern: 1069 # 1070 #sun.rmi.registry.registryFilter=\ 1071 # maxarray=1000000;\ 1072 # maxdepth=20;\ 1073 # java.lang.String;\ 1074 # java.lang.Number;\ 1075 # java.lang.reflect.Proxy;\ 1076 # java.rmi.Remote;\ 1077 # sun.rmi.server.UnicastRef;\ 1078 # sun.rmi.server.RMIClientSocketFactory;\ 1079 # sun.rmi.server.RMIServerSocketFactory;\ 1080 # java.rmi.activation.ActivationID;\ 1081 # java.rmi.server.UID 1082 # 1083 # RMI Distributed Garbage Collector (DGC) Serial Filter 1084 # 1085 # The filter pattern uses the same format as jdk.serialFilter. 1086 # This filter can override the builtin filter if additional types need to be 1087 # allowed or rejected from the RMI DGC. 1088 # 1089 # Note: This property is currently used by the JDK Reference implementation. 1090 # It is not guaranteed to be examined and used by other implementations. 1091 # 1092 # The builtin DGC filter can approximately be represented as the filter pattern: 1093 # 1094 #sun.rmi.transport.dgcFilter=\ 1095 # java.rmi.server.ObjID;\ 1096 # java.rmi.server.UID;\ 1097 # java.rmi.dgc.VMID;\ 1098 # java.rmi.dgc.Lease;\ 1099 # maxdepth=5;maxarray=10000 1100 1101 # CORBA ORBIorTypeCheckRegistryFilter 1102 # Type check enhancement for ORB::string_to_object processing 1103 # 1104 # An IOR type check filter, if configured, is used by an ORB during 1105 # an ORB::string_to_object invocation to check the veracity of the type encoded 1106 # in the ior string. 1107 # 1108 # The filter pattern consists of a semi-colon separated list of class names. 1109 # The configured list contains the binary class names of the IDL interface types 1110 # corresponding to the IDL stub class to be instantiated. 1111 # As such, a filter specifies a list of IDL stub classes that will be 1112 # allowed by an ORB when an ORB::string_to_object is invoked. 1113 # It is used to specify a white list configuration of acceptable 1114 # IDL stub types which may be contained in a stringified IOR 1115 # parameter passed as input to an ORB::string_to_object method. 1116 # 1117 # Note: This property is currently used by the JDK Reference implementation. 1118 # It is not guaranteed to be examined and used by other implementations. 1119 # 1120 #com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name 1121 1122 # The iteration count used for password-based encryption (PBE) in JCEKS 1123 # keystores. Values in the range 10000 to 5000000 are considered valid. 1124 # If the value is out of this range, or is not a number, or is unspecified; 1125 # a default of 200000 is used. 1126 # 1127 # If the system property jdk.jceks.iterationCount is also specified, it 1128 # supersedes the security property value defined here. 1129 # 1130 #jdk.jceks.iterationCount = 200000 1131 1132 # 1133 # JCEKS Encrypted Key Serial Filter 1134 # 1135 # This filter, if configured, is used by the JCEKS KeyStore during the 1136 # deserialization of the encrypted Key object stored inside a key entry. 1137 # If not configured or the filter result is UNDECIDED (i.e. none of the patterns 1138 # matches), the filter configured by jdk.serialFilter will be consulted. 1139 # 1140 # If the system property jceks.key.serialFilter is also specified, it supersedes 1141 # the security property value defined here. 1142 # 1143 # The filter pattern uses the same format as jdk.serialFilter. The default 1144 # pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type, 1145 # and javax.crypto.spec.SecretKeySpec and rejects all the others. 1146 jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\ 1147 java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!* 1148 1149 # 1150 # Enhanced exception message information 1151 # 1152 # By default, exception messages should not include potentially sensitive 1153 # information such as file names, host names, or port numbers. This property 1154 # accepts one or more comma separated values, each of which represents a 1155 # category of enhanced exception message information to enable. Values are 1156 # case-insensitive. Leading and trailing whitespaces, surrounding each value, 1157 # are ignored. Unknown values are ignored. 1158 # 1159 # NOTE: Use caution before setting this property. Setting this property 1160 # exposes sensitive information in Exceptions, which could, for example, 1161 # propagate to untrusted code or be emitted in stack traces that are 1162 # inadvertently disclosed and made accessible over a public network. 1163 # 1164 # The categories are: 1165 # 1166 # hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the 1167 # java.nio.channels package will contain enhanced exception 1168 # message information 1169 # 1170 # The property setting in this file can be overridden by a system property of 1171 # the same name, with the same syntax and possible values. 1172 # 1173 #jdk.includeInExceptions=hostInfo 1174 1175 # 1176 # Disabled mechanisms for the Simple Authentication and Security Layer (SASL) 1177 # 1178 # Disabled mechanisms will not be negotiated by both SASL clients and servers. 1179 # These mechanisms will be ignored if they are specified in the "mechanisms" 1180 # argument of "Sasl.createSaslClient" or the "mechanism" argument of 1181 # "Sasl.createSaslServer". 1182 # 1183 # The value of this property is a comma-separated list of SASL mechanisms. 1184 # The mechanisms are case-sensitive. Whitespaces around the commas are ignored. 1185 # 1186 # Note: This property is currently used by the JDK Reference implementation. 1187 # It is not guaranteed to be examined and used by other implementations. 1188 # 1189 # Example: 1190 # jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5 1191 jdk.sasl.disabledMechanisms= 1192 1193 # 1194 # Policies for distrusting Certificate Authorities (CAs). 1195 # 1196 # This is a comma separated value of one or more case-sensitive strings, each 1197 # of which represents a policy for determining if a CA should be distrusted. 1198 # The supported values are: 1199 # 1200 # SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec 1201 # root CA and issued after April 16, 2019 unless issued by one of the 1202 # following subordinate CAs which have a later distrust date: 1203 # 1. Apple IST CA 2 - G1, SHA-256 fingerprint: 1204 # AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B 1205 # Distrust after December 31, 2019. 1206 # 2. Apple IST CA 8 - G1, SHA-256 fingerprint: 1207 # A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED 1208 # Distrust after December 31, 2019. 1209 # 1210 # Leading and trailing whitespace surrounding each value are ignored. 1211 # Unknown values are ignored. If the property is commented out or set to the 1212 # empty String, no policies are enforced. 1213 # 1214 # Note: This property is currently used by the JDK Reference implementation. 1215 # It is not guaranteed to be supported by other SE implementations. Also, this 1216 # property does not override other security properties which can restrict 1217 # certificates such as jdk.tls.disabledAlgorithms or 1218 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even 1219 # if this property is not enabled. 1220 # 1221 jdk.security.caDistrustPolicies=SYMANTEC_TLS 1222 1223 # 1224 # FilePermission path canonicalization 1225 # 1226 # This security property dictates how the path argument is processed and stored 1227 # while constructing a FilePermission object. If the value is set to true, the 1228 # path argument is canonicalized and FilePermission methods (such as implies, 1229 # equals, and hashCode) are implemented based on this canonicalized result. 1230 # Otherwise, the path argument is not canonicalized and FilePermission methods are 1231 # implemented based on the original input. See the implementation note of the 1232 # FilePermission class for more details. 1233 # 1234 # If a system property of the same name is also specified, it supersedes the 1235 # security property value defined here. 1236 # 1237 # The default value for this property is false. 1238 # 1239 jdk.io.permissionsUseCanonicalPath=false 1240 1241 1242 # 1243 # Policies for the proxy_impersonator Kerberos ccache configuration entry 1244 # 1245 # The proxy_impersonator ccache configuration entry indicates that the ccache 1246 # is a synthetic delegated credential for use with S4U2Proxy by an intermediate 1247 # server. The ccache file should also contain the TGT of this server and 1248 # an evidence ticket from the default principal of the ccache to this server. 1249 # 1250 # This security property determines how Java uses this configuration entry. 1251 # There are 3 possible values: 1252 # 1253 # no-impersonate - Ignore this configuration entry, and always act as 1254 # the owner of the TGT (if it exists). 1255 # 1256 # try-impersonate - Try impersonation when this configuration entry exists. 1257 # If no matching TGT or evidence ticket is found, 1258 # fallback to no-impersonate. 1259 # 1260 # always-impersonate - Always impersonate when this configuration entry exists. 1261 # If no matching TGT or evidence ticket is found, 1262 # no initial credential is read from the ccache. 1263 # 1264 # The default value is "always-impersonate". 1265 # 1266 # If a system property of the same name is also specified, it supersedes the 1267 # security property value defined here. 1268 # 1269 #jdk.security.krb5.default.initiate.credential=always-impersonate 1270 1271 # 1272 # Trust Anchor Certificates - CA Basic Constraint check 1273 # 1274 # X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS 1275 # connections) must have the cA Basic Constraint field set to 'true'. Also, if 1276 # they include a Key Usage extension, the keyCertSign bit must be set. These 1277 # checks, enabled by default, can be disabled for backward-compatibility 1278 # purposes with the jdk.security.allowNonCaAnchor System and Security 1279 # properties. In the case that both properties are simultaneously set, the 1280 # System value prevails. The default value of the property is "false". 1281 # 1282 #jdk.security.allowNonCaAnchor=true 1283 1284 # 1285 # The default Character set name (java.nio.charset.Charset.forName()) 1286 # for converting TLS ALPN values between byte arrays and Strings. 1287 # Prior versions of the JDK may use UTF-8 as the default charset. If 1288 # you experience interoperability issues, setting this property to UTF-8 1289 # may help. 1290 # 1291 # jdk.tls.alpnCharset=UTF-8 1292 jdk.tls.alpnCharset=ISO_8859_1