blob: 62b8b51fee64baaec9eb6172a0e9dda37d713f22 [file] [log] [blame]
duke6e45e102007-12-01 00:00:00 +00001#
2# This is the "master security properties file".
3#
mullan68000592012-07-03 14:56:58 -04004# An alternate java.security properties file may be specified
5# from the command line via the system property
6#
7# -Djava.security.properties=<URL>
8#
9# This properties file appends to the master security properties file.
10# If both properties files specify values for the same key, the value
11# from the command-line properties file is selected, as it is the last
12# one loaded.
13#
14# Also, if you specify
15#
16# -Djava.security.properties==<URL> (2 equals),
17#
18# then that properties file completely overrides the master security
19# properties file.
20#
21# To disable the ability to specify an additional properties file from
22# the command line, set the key security.overridePropertiesFile
23# to false in the master security properties file. It is set to true
24# by default.
25
duke6e45e102007-12-01 00:00:00 +000026# In this file, various security properties are set for use by
27# java.security classes. This is where users can statically register
28# Cryptography Package Providers ("providers" for short). The term
29# "provider" refers to a package or set of packages that supply a
30# concrete implementation of a subset of the cryptography aspects of
31# the Java Security API. A provider may, for example, implement one or
32# more digital signature algorithms or message digest algorithms.
33#
34# Each provider must implement a subclass of the Provider class.
35# To register a provider in this master security properties file,
36# specify the Provider subclass name and priority in the format
37#
38# security.provider.<n>=<className>
39#
40# This declares a provider, and specifies its preference
41# order n. The preference order is the order in which providers are
42# searched for requested algorithms (when no specific provider is
43# requested). The order is 1-based; 1 is the most preferred, followed
44# by 2, and so on.
45#
46# <className> must specify the subclass of the Provider class whose
47# constructor sets the values of various properties that are required
48# for the Java Security API to look up the algorithms or other
49# facilities implemented by the provider.
50#
51# There must be at least one provider specification in java.security.
52# There is a default provider that comes standard with the JDK. It
53# is called the "SUN" provider, and its Provider subclass
54# named Sun appears in the sun.security.provider package. Thus, the
55# "SUN" provider is registered via the following:
56#
57# security.provider.1=sun.security.provider.Sun
58#
59# (The number 1 is used for the default provider.)
60#
61# Note: Providers can be dynamically registered instead by calls to
62# either the addProvider or insertProviderAt method in the Security
63# class.
64
65#
66# List of providers and their preference orders (see above):
67#
68security.provider.1=sun.security.provider.Sun
69security.provider.2=sun.security.rsa.SunRsaSign
vinnieed355ab2009-08-11 16:52:26 +010070security.provider.3=sun.security.ec.SunEC
71security.provider.4=com.sun.net.ssl.internal.ssl.Provider
72security.provider.5=com.sun.crypto.provider.SunJCE
73security.provider.6=sun.security.jgss.SunProvider
74security.provider.7=com.sun.security.sasl.Provider
75security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
76security.provider.9=sun.security.smartcardio.SunPCSC
77security.provider.10=sun.security.mscapi.SunMSCAPI
duke6e45e102007-12-01 00:00:00 +000078
79#
80# Select the source of seed data for SecureRandom. By default an
xuelei42dd6452010-11-01 07:57:46 -070081# attempt is made to use the entropy gathering device specified by
duke6e45e102007-12-01 00:00:00 +000082# the securerandom.source property. If an exception occurs when
xuelei42dd6452010-11-01 07:57:46 -070083# accessing the URL then the traditional system/thread activity
84# algorithm is used.
duke6e45e102007-12-01 00:00:00 +000085#
86# On Solaris and Linux systems, if file:/dev/urandom is specified and it
87# exists, a special SecureRandom implementation is activated by default.
88# This "NativePRNG" reads random bytes directly from /dev/urandom.
89#
90# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
91# enables use of the Microsoft CryptoAPI seed functionality.
92#
93securerandom.source=file:/dev/urandom
94#
95# The entropy gathering device is described as a URL and can also
96# be specified with the system property "java.security.egd". For example,
97# -Djava.security.egd=file:/dev/urandom
xuelei42dd6452010-11-01 07:57:46 -070098# Specifying this system property will override the securerandom.source
duke6e45e102007-12-01 00:00:00 +000099# setting.
100
101#
102# Class to instantiate as the javax.security.auth.login.Configuration
103# provider.
104#
105login.configuration.provider=com.sun.security.auth.login.ConfigFile
106
107#
108# Default login configuration file
109#
110#login.config.url.1=file:${user.home}/.java.login.config
111
112#
113# Class to instantiate as the system Policy. This is the name of the class
114# that will be used as the Policy object.
115#
116policy.provider=sun.security.provider.PolicyFile
117
118# The default is to have a single system-wide policy file,
119# and a policy file in the user's home directory.
120policy.url.1=file:${java.home}/lib/security/java.policy
121policy.url.2=file:${user.home}/.java.policy
122
123# whether or not we expand properties in the policy file
124# if this is set to false, properties (${...}) will not be expanded in policy
125# files.
126policy.expandProperties=true
127
128# whether or not we allow an extra policy to be passed on the command line
129# with -Djava.security.policy=somefile. Comment out this line to disable
130# this feature.
131policy.allowSystemProperty=true
132
133# whether or not we look into the IdentityScope for trusted Identities
134# when encountering a 1.1 signed JAR file. If the identity is found
135# and is trusted, we grant it AllPermission.
136policy.ignoreIdentityScope=false
137
138#
139# Default keystore type.
140#
141keystore.type=jks
142
143#
duke6e45e102007-12-01 00:00:00 +0000144# List of comma-separated packages that start with or equal this string
145# will cause a security exception to be thrown when
146# passed to checkPackageAccess unless the
147# corresponding RuntimePermission ("accessClassInPackage."+package) has
148# been granted.
lana844a0102012-10-23 11:29:53 -0700149package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.glassfish.external.,com.sun.org.glassfish.gmbal.,jdk.internal.
duke6e45e102007-12-01 00:00:00 +0000150
151#
152# List of comma-separated packages that start with or equal this string
153# will cause a security exception to be thrown when
154# passed to checkPackageDefinition unless the
155# corresponding RuntimePermission ("defineClassInPackage."+package) has
156# been granted.
157#
mullanee9229d2012-02-22 15:38:24 -0500158# by default, none of the class loaders supplied with the JDK call
159# checkPackageDefinition.
duke6e45e102007-12-01 00:00:00 +0000160#
lana844a0102012-10-23 11:29:53 -0700161package.definition=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.glassfish.external.,com.sun.org.glassfish.gmbal.,jdk.internal.
duke6e45e102007-12-01 00:00:00 +0000162
163#
164# Determines whether this properties file can be appended to
165# or overridden on the command line via -Djava.security.properties
166#
167security.overridePropertiesFile=true
168
169#
xuelei42dd6452010-11-01 07:57:46 -0700170# Determines the default key and trust manager factory algorithms for
duke6e45e102007-12-01 00:00:00 +0000171# the javax.net.ssl package.
172#
173ssl.KeyManagerFactory.algorithm=SunX509
174ssl.TrustManagerFactory.algorithm=PKIX
175
176#
177# The Java-level namelookup cache policy for successful lookups:
178#
179# any negative value: caching forever
180# any positive value: the number of seconds to cache an address for
181# zero: do not cache
182#
183# default value is forever (FOREVER). For security reasons, this
184# caching is made forever when a security manager is set. When a security
xuelei42dd6452010-11-01 07:57:46 -0700185# manager is not set, the default behavior in this implementation
186# is to cache for 30 seconds.
duke6e45e102007-12-01 00:00:00 +0000187#
188# NOTE: setting this to anything other than the default value can have
xuelei42dd6452010-11-01 07:57:46 -0700189# serious security implications. Do not set it unless
duke6e45e102007-12-01 00:00:00 +0000190# you are sure you are not exposed to DNS spoofing attack.
191#
xuelei42dd6452010-11-01 07:57:46 -0700192#networkaddress.cache.ttl=-1
duke6e45e102007-12-01 00:00:00 +0000193
194# The Java-level namelookup cache policy for failed lookups:
195#
196# any negative value: cache forever
197# any positive value: the number of seconds to cache negative lookup results
198# zero: do not cache
199#
200# In some Microsoft Windows networking environments that employ
201# the WINS name service in addition to DNS, name service lookups
202# that fail may take a noticeably long time to return (approx. 5 seconds).
203# For this reason the default caching policy is to maintain these
xuelei42dd6452010-11-01 07:57:46 -0700204# results for 10 seconds.
duke6e45e102007-12-01 00:00:00 +0000205#
206#
207networkaddress.cache.negative.ttl=10
208
209#
210# Properties to configure OCSP for certificate revocation checking
211#
212
xuelei42dd6452010-11-01 07:57:46 -0700213# Enable OCSP
duke6e45e102007-12-01 00:00:00 +0000214#
215# By default, OCSP is not used for certificate revocation checking.
216# This property enables the use of OCSP when set to the value "true".
217#
218# NOTE: SocketPermission is required to connect to an OCSP responder.
219#
220# Example,
221# ocsp.enable=true
xuelei42dd6452010-11-01 07:57:46 -0700222
duke6e45e102007-12-01 00:00:00 +0000223#
224# Location of the OCSP responder
225#
226# By default, the location of the OCSP responder is determined implicitly
227# from the certificate being validated. This property explicitly specifies
228# the location of the OCSP responder. The property is used when the
229# Authority Information Access extension (defined in RFC 3280) is absent
230# from the certificate or when it requires overriding.
231#
232# Example,
233# ocsp.responderURL=http://ocsp.example.net:80
xuelei42dd6452010-11-01 07:57:46 -0700234
duke6e45e102007-12-01 00:00:00 +0000235#
236# Subject name of the OCSP responder's certificate
237#
238# By default, the certificate of the OCSP responder is that of the issuer
239# of the certificate being validated. This property identifies the certificate
xuelei42dd6452010-11-01 07:57:46 -0700240# of the OCSP responder when the default does not apply. Its value is a string
241# distinguished name (defined in RFC 2253) which identifies a certificate in
242# the set of certificates supplied during cert path validation. In cases where
duke6e45e102007-12-01 00:00:00 +0000243# the subject name alone is not sufficient to uniquely identify the certificate
244# then both the "ocsp.responderCertIssuerName" and
245# "ocsp.responderCertSerialNumber" properties must be used instead. When this
246# property is set then those two properties are ignored.
247#
248# Example,
249# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
250
251#
252# Issuer name of the OCSP responder's certificate
253#
254# By default, the certificate of the OCSP responder is that of the issuer
255# of the certificate being validated. This property identifies the certificate
256# of the OCSP responder when the default does not apply. Its value is a string
257# distinguished name (defined in RFC 2253) which identifies a certificate in
xuelei42dd6452010-11-01 07:57:46 -0700258# the set of certificates supplied during cert path validation. When this
259# property is set then the "ocsp.responderCertSerialNumber" property must also
260# be set. When the "ocsp.responderCertSubjectName" property is set then this
duke6e45e102007-12-01 00:00:00 +0000261# property is ignored.
262#
263# Example,
264# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
xuelei42dd6452010-11-01 07:57:46 -0700265
duke6e45e102007-12-01 00:00:00 +0000266#
267# Serial number of the OCSP responder's certificate
268#
269# By default, the certificate of the OCSP responder is that of the issuer
270# of the certificate being validated. This property identifies the certificate
271# of the OCSP responder when the default does not apply. Its value is a string
272# of hexadecimal digits (colon or space separators may be present) which
273# identifies a certificate in the set of certificates supplied during cert path
274# validation. When this property is set then the "ocsp.responderCertIssuerName"
275# property must also be set. When the "ocsp.responderCertSubjectName" property
276# is set then this property is ignored.
277#
278# Example,
279# ocsp.responderCertSerialNumber=2A:FF:00
xuelei42dd6452010-11-01 07:57:46 -0700280
weijunf49e12c2010-08-19 11:26:32 +0800281#
282# Policy for failed Kerberos KDC lookups:
283#
284# When a KDC is unavailable (network error, service failure, etc), it is
285# put inside a blacklist and accessed less often for future requests. The
286# value (case-insensitive) for this policy can be:
287#
288# tryLast
289# KDCs in the blacklist are always tried after those not on the list.
290#
291# tryLess[:max_retries,timeout]
292# KDCs in the blacklist are still tried by their order in the configuration,
293# but with smaller max_retries and timeout values. max_retries and timeout
294# are optional numerical parameters (default 1 and 5000, which means once
295# and 5 seconds). Please notes that if any of the values defined here is
296# more than what is defined in krb5.conf, it will be ignored.
297#
298# Whenever a KDC is detected as available, it is removed from the blacklist.
299# The blacklist is reset when krb5.conf is reloaded. You can add
300# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
301# reloaded whenever a JAAS authentication is attempted.
302#
303# Example,
304# krb5.kdc.bad.policy = tryLast
305# krb5.kdc.bad.policy = tryLess:2,2000
306krb5.kdc.bad.policy = tryLast
307
xuelei42dd6452010-11-01 07:57:46 -0700308# Algorithm restrictions for certification path (CertPath) processing
309#
310# In some environments, certain algorithms or key lengths may be undesirable
311# for certification path building and validation. For example, "MD2" is
312# generally no longer considered to be a secure hash algorithm. This section
313# describes the mechanism for disabling algorithms based on algorithm name
314# and/or key length. This includes algorithms used in certificates, as well
315# as revocation information such as CRLs and signed OCSP Responses.
316#
317# The syntax of the disabled algorithm string is described as this Java
318# BNF-style:
319# DisabledAlgorithms:
320# " DisabledAlgorithm { , DisabledAlgorithm } "
321#
322# DisabledAlgorithm:
323# AlgorithmName [Constraint]
324#
325# AlgorithmName:
326# (see below)
327#
328# Constraint:
329# KeySizeConstraint
330#
331# KeySizeConstraint:
332# keySize Operator DecimalInteger
333#
334# Operator:
335# <= | < | == | != | >= | >
336#
337# DecimalInteger:
338# DecimalDigits
339#
340# DecimalDigits:
341# DecimalDigit {DecimalDigit}
342#
343# DecimalDigit: one of
344# 1 2 3 4 5 6 7 8 9 0
345#
346# The "AlgorithmName" is the standard algorithm name of the disabled
347# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
348# Documentation" for information about Standard Algorithm Names. Matching
349# is performed using a case-insensitive sub-element matching rule. (For
350# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
351# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
352# sub-element of the certificate algorithm name, the algorithm will be
353# rejected during certification path building and validation. For example,
354# the assertion algorithm name "DSA" will disable all certificate algorithms
355# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
356# will not disable algorithms related to "ECDSA".
357#
358# A "Constraint" provides further guidance for the algorithm being specified.
359# The "KeySizeConstraint" requires a key of a valid size range if the
360# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
361# key size specified in number of bits. For example, "RSA keySize <= 1024"
362# indicates that any RSA key with key size less than or equal to 1024 bits
363# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
364# that any RSA key with key size less than 1024 or greater than 2048 should
365# be disabled. Note that the "KeySizeConstraint" only makes sense to key
366# algorithms.
367#
368# Note: This property is currently used by Oracle's PKIX implementation. It
369# is not guaranteed to be examined and used by other implementations.
370#
371# Example:
372# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
373#
374#
xuelei7b2dfe72012-12-28 00:48:12 -0800375jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
xuelei42dd6452010-11-01 07:57:46 -0700376
377# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
378# (SSL/TLS) processing
379#
380# In some environments, certain algorithms or key lengths may be undesirable
381# when using SSL/TLS. This section describes the mechanism for disabling
382# algorithms during SSL/TLS security parameters negotiation, including cipher
383# suites selection, peer authentication and key exchange mechanisms.
384#
385# For PKI-based peer authentication and key exchange mechanisms, this list
386# of disabled algorithms will also be checked during certification path
387# building and validation, including algorithms used in certificates, as
388# well as revocation information such as CRLs and signed OCSP Responses.
389# This is in addition to the jdk.certpath.disabledAlgorithms property above.
390#
391# See the specification of "jdk.certpath.disabledAlgorithms" for the
392# syntax of the disabled algorithm string.
393#
394# Note: This property is currently used by Oracle's JSSE implementation.
395# It is not guaranteed to be examined and used by other implementations.
396#
397# Example:
398# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
399