blob: c0f9d5f04b5ea4dddc57d8a6b6ed16c545798a60 [file] [log] [blame]
simonisae1be652013-11-26 16:40:31 +01001#
2# This is the "master security properties file".
3#
4# An alternate java.security properties file may be specified
5# from the command line via the system property
6#
7# -Djava.security.properties=<URL>
8#
9# This properties file appends to the master security properties file.
10# If both properties files specify values for the same key, the value
11# from the command-line properties file is selected, as it is the last
12# one loaded.
13#
14# Also, if you specify
15#
16# -Djava.security.properties==<URL> (2 equals),
17#
18# then that properties file completely overrides the master security
19# properties file.
20#
21# To disable the ability to specify an additional properties file from
22# the command line, set the key security.overridePropertiesFile
23# to false in the master security properties file. It is set to true
24# by default.
25
26# In this file, various security properties are set for use by
27# java.security classes. This is where users can statically register
28# Cryptography Package Providers ("providers" for short). The term
29# "provider" refers to a package or set of packages that supply a
30# concrete implementation of a subset of the cryptography aspects of
31# the Java Security API. A provider may, for example, implement one or
32# more digital signature algorithms or message digest algorithms.
33#
34# Each provider must implement a subclass of the Provider class.
35# To register a provider in this master security properties file,
36# specify the Provider subclass name and priority in the format
37#
38# security.provider.<n>=<className>
39#
40# This declares a provider, and specifies its preference
41# order n. The preference order is the order in which providers are
42# searched for requested algorithms (when no specific provider is
43# requested). The order is 1-based; 1 is the most preferred, followed
44# by 2, and so on.
45#
46# <className> must specify the subclass of the Provider class whose
47# constructor sets the values of various properties that are required
48# for the Java Security API to look up the algorithms or other
49# facilities implemented by the provider.
50#
51# There must be at least one provider specification in java.security.
52# There is a default provider that comes standard with the JDK. It
53# is called the "SUN" provider, and its Provider subclass
54# named Sun appears in the sun.security.provider package. Thus, the
55# "SUN" provider is registered via the following:
56#
57# security.provider.1=sun.security.provider.Sun
58#
59# (The number 1 is used for the default provider.)
60#
61# Note: Providers can be dynamically registered instead by calls to
62# either the addProvider or insertProviderAt method in the Security
63# class.
64
65#
66# List of providers and their preference orders (see above):
67#
68security.provider.1=sun.security.provider.Sun
69security.provider.2=sun.security.rsa.SunRsaSign
70security.provider.3=sun.security.ec.SunEC
71security.provider.4=com.sun.net.ssl.internal.ssl.Provider
72security.provider.5=com.sun.crypto.provider.SunJCE
73security.provider.6=sun.security.jgss.SunProvider
74security.provider.7=com.sun.security.sasl.Provider
75security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
76security.provider.9=sun.security.smartcardio.SunPCSC
77
78#
79# Sun Provider SecureRandom seed source.
80#
81# Select the primary source of seed data for the "SHA1PRNG" and
82# "NativePRNG" SecureRandom implementations in the "Sun" provider.
83# (Other SecureRandom implementations might also use this property.)
84#
85# On Unix-like systems (for example, Solaris/Linux/MacOS), the
86# "NativePRNG" and "SHA1PRNG" implementations obtains seed data from
87# special device files such as file:/dev/random.
88#
89# On Windows systems, specifying the URLs "file:/dev/random" or
90# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
91# mechanism for SHA1PRNG.
92#
93# By default, an attempt is made to use the entropy gathering device
94# specified by the "securerandom.source" Security property. If an
95# exception occurs while accessing the specified URL:
96#
97# SHA1PRNG:
98# the traditional system/thread activity algorithm will be used.
99#
100# NativePRNG:
101# a default value of /dev/random will be used. If neither
102# are available, the implementation will be disabled.
103# "file" is the only currently supported protocol type.
104#
105# The entropy gathering device can also be specified with the System
106# property "java.security.egd". For example:
107#
108# % java -Djava.security.egd=file:/dev/random MainClass
109#
110# Specifying this System property will override the
111# "securerandom.source" Security property.
112#
113# In addition, if "file:/dev/random" or "file:/dev/urandom" is
114# specified, the "NativePRNG" implementation will be more preferred than
115# SHA1PRNG in the Sun provider.
116#
117securerandom.source=file:/dev/random
118
119#
120# A list of known strong SecureRandom implementations.
121#
122# To help guide applications in selecting a suitable strong
123# java.security.SecureRandom implementation, Java distributions should
124# indicate a list of known strong implementations using the property.
125#
126# This is a comma-separated list of algorithm and/or algorithm:provider
127# entries.
128#
129securerandom.strongAlgorithms=NativePRNGBlocking:SUN
130
131#
132# Class to instantiate as the javax.security.auth.login.Configuration
133# provider.
134#
135login.configuration.provider=sun.security.provider.ConfigFile
136
137#
138# Default login configuration file
139#
140#login.config.url.1=file:${user.home}/.java.login.config
141
142#
143# Class to instantiate as the system Policy. This is the name of the class
144# that will be used as the Policy object.
145#
146policy.provider=sun.security.provider.PolicyFile
147
148# The default is to have a single system-wide policy file,
149# and a policy file in the user's home directory.
150policy.url.1=file:${java.home}/lib/security/java.policy
151policy.url.2=file:${user.home}/.java.policy
152
153# whether or not we expand properties in the policy file
154# if this is set to false, properties (${...}) will not be expanded in policy
155# files.
156policy.expandProperties=true
157
158# whether or not we allow an extra policy to be passed on the command line
159# with -Djava.security.policy=somefile. Comment out this line to disable
160# this feature.
161policy.allowSystemProperty=true
162
163# whether or not we look into the IdentityScope for trusted Identities
164# when encountering a 1.1 signed JAR file. If the identity is found
165# and is trusted, we grant it AllPermission.
166policy.ignoreIdentityScope=false
167
168#
169# Default keystore type.
170#
171keystore.type=jks
172
173#
174# List of comma-separated packages that start with or equal this string
175# will cause a security exception to be thrown when
176# passed to checkPackageAccess unless the
177# corresponding RuntimePermission ("accessClassInPackage."+package) has
178# been granted.
179package.access=sun.,\
180 com.sun.xml.internal.,\
181 com.sun.imageio.,\
182 com.sun.istack.internal.,\
183 com.sun.jmx.,\
184 com.sun.media.sound.,\
simonise27e5a02014-02-26 19:26:42 +0100185 com.sun.naming.internal.,\
simonisae1be652013-11-26 16:40:31 +0100186 com.sun.proxy.,\
187 com.sun.corba.se.,\
188 com.sun.org.apache.bcel.internal.,\
189 com.sun.org.apache.regexp.internal.,\
190 com.sun.org.apache.xerces.internal.,\
191 com.sun.org.apache.xpath.internal.,\
192 com.sun.org.apache.xalan.internal.extensions.,\
193 com.sun.org.apache.xalan.internal.lib.,\
194 com.sun.org.apache.xalan.internal.res.,\
195 com.sun.org.apache.xalan.internal.templates.,\
196 com.sun.org.apache.xalan.internal.utils.,\
197 com.sun.org.apache.xalan.internal.xslt.,\
198 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
199 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
200 com.sun.org.apache.xalan.internal.xsltc.trax.,\
201 com.sun.org.apache.xalan.internal.xsltc.util.,\
202 com.sun.org.apache.xml.internal.res.,\
203 com.sun.org.apache.xml.internal.security.,\
204 com.sun.org.apache.xml.internal.serializer.utils.,\
205 com.sun.org.apache.xml.internal.utils.,\
206 com.sun.org.glassfish.,\
207 com.oracle.xmlns.internal.,\
208 com.oracle.webservices.internal.,\
simonise27e5a02014-02-26 19:26:42 +0100209 oracle.jrockit.jfr.,\
simonisae1be652013-11-26 16:40:31 +0100210 org.jcp.xml.dsig.internal.,\
211 jdk.internal.,\
212 jdk.nashorn.internal.,\
weijun3cb44232014-07-23 09:25:53 +0800213 jdk.nashorn.tools.,\
214 com.sun.activation.registries.
simonisae1be652013-11-26 16:40:31 +0100215
216#
217# List of comma-separated packages that start with or equal this string
218# will cause a security exception to be thrown when
219# passed to checkPackageDefinition unless the
220# corresponding RuntimePermission ("defineClassInPackage."+package) has
221# been granted.
222#
223# by default, none of the class loaders supplied with the JDK call
224# checkPackageDefinition.
225#
226package.definition=sun.,\
227 com.sun.xml.internal.,\
228 com.sun.imageio.,\
229 com.sun.istack.internal.,\
230 com.sun.jmx.,\
231 com.sun.media.sound.,\
simonise27e5a02014-02-26 19:26:42 +0100232 com.sun.naming.internal.,\
simonisae1be652013-11-26 16:40:31 +0100233 com.sun.proxy.,\
234 com.sun.corba.se.,\
235 com.sun.org.apache.bcel.internal.,\
236 com.sun.org.apache.regexp.internal.,\
237 com.sun.org.apache.xerces.internal.,\
238 com.sun.org.apache.xpath.internal.,\
239 com.sun.org.apache.xalan.internal.extensions.,\
240 com.sun.org.apache.xalan.internal.lib.,\
241 com.sun.org.apache.xalan.internal.res.,\
242 com.sun.org.apache.xalan.internal.templates.,\
243 com.sun.org.apache.xalan.internal.utils.,\
244 com.sun.org.apache.xalan.internal.xslt.,\
245 com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
246 com.sun.org.apache.xalan.internal.xsltc.compiler.,\
247 com.sun.org.apache.xalan.internal.xsltc.trax.,\
248 com.sun.org.apache.xalan.internal.xsltc.util.,\
249 com.sun.org.apache.xml.internal.res.,\
250 com.sun.org.apache.xml.internal.security.,\
251 com.sun.org.apache.xml.internal.serializer.utils.,\
252 com.sun.org.apache.xml.internal.utils.,\
253 com.sun.org.glassfish.,\
254 com.oracle.xmlns.internal.,\
255 com.oracle.webservices.internal.,\
simonise27e5a02014-02-26 19:26:42 +0100256 oracle.jrockit.jfr.,\
simonisae1be652013-11-26 16:40:31 +0100257 org.jcp.xml.dsig.internal.,\
258 jdk.internal.,\
259 jdk.nashorn.internal.,\
weijun3cb44232014-07-23 09:25:53 +0800260 jdk.nashorn.tools.,\
261 com.sun.activation.registries.
simonisae1be652013-11-26 16:40:31 +0100262
263#
264# Determines whether this properties file can be appended to
265# or overridden on the command line via -Djava.security.properties
266#
267security.overridePropertiesFile=true
268
269#
270# Determines the default key and trust manager factory algorithms for
271# the javax.net.ssl package.
272#
273ssl.KeyManagerFactory.algorithm=SunX509
274ssl.TrustManagerFactory.algorithm=PKIX
275
276#
277# The Java-level namelookup cache policy for successful lookups:
278#
279# any negative value: caching forever
280# any positive value: the number of seconds to cache an address for
281# zero: do not cache
282#
283# default value is forever (FOREVER). For security reasons, this
284# caching is made forever when a security manager is set. When a security
285# manager is not set, the default behavior in this implementation
286# is to cache for 30 seconds.
287#
288# NOTE: setting this to anything other than the default value can have
289# serious security implications. Do not set it unless
290# you are sure you are not exposed to DNS spoofing attack.
291#
292#networkaddress.cache.ttl=-1
293
294# The Java-level namelookup cache policy for failed lookups:
295#
296# any negative value: cache forever
297# any positive value: the number of seconds to cache negative lookup results
298# zero: do not cache
299#
300# In some Microsoft Windows networking environments that employ
301# the WINS name service in addition to DNS, name service lookups
302# that fail may take a noticeably long time to return (approx. 5 seconds).
303# For this reason the default caching policy is to maintain these
304# results for 10 seconds.
305#
306#
307networkaddress.cache.negative.ttl=10
308
309#
310# Properties to configure OCSP for certificate revocation checking
311#
312
313# Enable OCSP
314#
315# By default, OCSP is not used for certificate revocation checking.
316# This property enables the use of OCSP when set to the value "true".
317#
318# NOTE: SocketPermission is required to connect to an OCSP responder.
319#
320# Example,
321# ocsp.enable=true
322
323#
324# Location of the OCSP responder
325#
326# By default, the location of the OCSP responder is determined implicitly
327# from the certificate being validated. This property explicitly specifies
328# the location of the OCSP responder. The property is used when the
329# Authority Information Access extension (defined in RFC 3280) is absent
330# from the certificate or when it requires overriding.
331#
332# Example,
333# ocsp.responderURL=http://ocsp.example.net:80
334
335#
336# Subject name of the OCSP responder's certificate
337#
338# By default, the certificate of the OCSP responder is that of the issuer
339# of the certificate being validated. This property identifies the certificate
340# of the OCSP responder when the default does not apply. Its value is a string
341# distinguished name (defined in RFC 2253) which identifies a certificate in
342# the set of certificates supplied during cert path validation. In cases where
343# the subject name alone is not sufficient to uniquely identify the certificate
344# then both the "ocsp.responderCertIssuerName" and
345# "ocsp.responderCertSerialNumber" properties must be used instead. When this
346# property is set then those two properties are ignored.
347#
348# Example,
349# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
350
351#
352# Issuer name of the OCSP responder's certificate
353#
354# By default, the certificate of the OCSP responder is that of the issuer
355# of the certificate being validated. This property identifies the certificate
356# of the OCSP responder when the default does not apply. Its value is a string
357# distinguished name (defined in RFC 2253) which identifies a certificate in
358# the set of certificates supplied during cert path validation. When this
359# property is set then the "ocsp.responderCertSerialNumber" property must also
360# be set. When the "ocsp.responderCertSubjectName" property is set then this
361# property is ignored.
362#
363# Example,
364# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
365
366#
367# Serial number of the OCSP responder's certificate
368#
369# By default, the certificate of the OCSP responder is that of the issuer
370# of the certificate being validated. This property identifies the certificate
371# of the OCSP responder when the default does not apply. Its value is a string
372# of hexadecimal digits (colon or space separators may be present) which
373# identifies a certificate in the set of certificates supplied during cert path
374# validation. When this property is set then the "ocsp.responderCertIssuerName"
375# property must also be set. When the "ocsp.responderCertSubjectName" property
376# is set then this property is ignored.
377#
378# Example,
379# ocsp.responderCertSerialNumber=2A:FF:00
380
381#
382# Policy for failed Kerberos KDC lookups:
383#
384# When a KDC is unavailable (network error, service failure, etc), it is
385# put inside a blacklist and accessed less often for future requests. The
386# value (case-insensitive) for this policy can be:
387#
388# tryLast
389# KDCs in the blacklist are always tried after those not on the list.
390#
391# tryLess[:max_retries,timeout]
392# KDCs in the blacklist are still tried by their order in the configuration,
393# but with smaller max_retries and timeout values. max_retries and timeout
394# are optional numerical parameters (default 1 and 5000, which means once
395# and 5 seconds). Please notes that if any of the values defined here is
396# more than what is defined in krb5.conf, it will be ignored.
397#
398# Whenever a KDC is detected as available, it is removed from the blacklist.
399# The blacklist is reset when krb5.conf is reloaded. You can add
400# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
401# reloaded whenever a JAAS authentication is attempted.
402#
403# Example,
404# krb5.kdc.bad.policy = tryLast
405# krb5.kdc.bad.policy = tryLess:2,2000
406krb5.kdc.bad.policy = tryLast
407
408# Algorithm restrictions for certification path (CertPath) processing
409#
410# In some environments, certain algorithms or key lengths may be undesirable
411# for certification path building and validation. For example, "MD2" is
412# generally no longer considered to be a secure hash algorithm. This section
413# describes the mechanism for disabling algorithms based on algorithm name
414# and/or key length. This includes algorithms used in certificates, as well
415# as revocation information such as CRLs and signed OCSP Responses.
416#
417# The syntax of the disabled algorithm string is described as this Java
418# BNF-style:
419# DisabledAlgorithms:
420# " DisabledAlgorithm { , DisabledAlgorithm } "
421#
422# DisabledAlgorithm:
423# AlgorithmName [Constraint]
424#
425# AlgorithmName:
426# (see below)
427#
428# Constraint:
429# KeySizeConstraint
430#
431# KeySizeConstraint:
432# keySize Operator DecimalInteger
433#
434# Operator:
435# <= | < | == | != | >= | >
436#
437# DecimalInteger:
438# DecimalDigits
439#
440# DecimalDigits:
441# DecimalDigit {DecimalDigit}
442#
443# DecimalDigit: one of
444# 1 2 3 4 5 6 7 8 9 0
445#
446# The "AlgorithmName" is the standard algorithm name of the disabled
447# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
448# Documentation" for information about Standard Algorithm Names. Matching
449# is performed using a case-insensitive sub-element matching rule. (For
450# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
451# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
452# sub-element of the certificate algorithm name, the algorithm will be
453# rejected during certification path building and validation. For example,
454# the assertion algorithm name "DSA" will disable all certificate algorithms
455# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
456# will not disable algorithms related to "ECDSA".
457#
458# A "Constraint" provides further guidance for the algorithm being specified.
459# The "KeySizeConstraint" requires a key of a valid size range if the
460# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
461# key size specified in number of bits. For example, "RSA keySize <= 1024"
462# indicates that any RSA key with key size less than or equal to 1024 bits
463# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
464# that any RSA key with key size less than 1024 or greater than 2048 should
465# be disabled. Note that the "KeySizeConstraint" only makes sense to key
466# algorithms.
467#
468# Note: This property is currently used by Oracle's PKIX implementation. It
469# is not guaranteed to be examined and used by other implementations.
470#
471# Example:
472# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
473#
474#
475jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
476
477# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
478# (SSL/TLS) processing
479#
480# In some environments, certain algorithms or key lengths may be undesirable
481# when using SSL/TLS. This section describes the mechanism for disabling
xuelei8303c6e2014-10-24 11:49:24 +0000482# algorithms during SSL/TLS security parameters negotiation, including
483# protocol version negotiation, cipher suites selection, peer authentication
484# and key exchange mechanisms.
485#
486# Disabled algorithms will not be negotiated for SSL/TLS connections, even
487# if they are enabled explicitly in an application.
simonisae1be652013-11-26 16:40:31 +0100488#
489# For PKI-based peer authentication and key exchange mechanisms, this list
490# of disabled algorithms will also be checked during certification path
491# building and validation, including algorithms used in certificates, as
492# well as revocation information such as CRLs and signed OCSP Responses.
493# This is in addition to the jdk.certpath.disabledAlgorithms property above.
494#
495# See the specification of "jdk.certpath.disabledAlgorithms" for the
496# syntax of the disabled algorithm string.
497#
498# Note: This property is currently used by Oracle's JSSE implementation.
499# It is not guaranteed to be examined and used by other implementations.
500#
501# Example:
xuelei8303c6e2014-10-24 11:49:24 +0000502# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
asaha81743b52015-05-29 10:15:38 -0700503jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
asmotrake1347b42015-03-03 16:26:24 -0800504
505# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
506# processing in JSSE implementation.
507#
508# In some environments, a certain algorithm may be undesirable but it
509# cannot be disabled because of its use in legacy applications. Legacy
510# algorithms may still be supported, but applications should not use them
511# as the security strength of legacy algorithms are usually not strong enough
512# in practice.
513#
514# During SSL/TLS security parameters negotiation, legacy algorithms will
515# not be negotiated unless there are no other candidates.
516#
517# The syntax of the disabled algorithm string is described as this Java
518# BNF-style:
519# LegacyAlgorithms:
520# " LegacyAlgorithm { , LegacyAlgorithm } "
521#
522# LegacyAlgorithm:
523# AlgorithmName (standard JSSE algorithm name)
524#
525# See the specification of security property "jdk.certpath.disabledAlgorithms"
526# for the syntax and description of the "AlgorithmName" notation.
527#
528# Per SSL/TLS specifications, cipher suites have the form:
529# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
530# or
531# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
532#
533# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
534# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
535# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
536# algorithm for HMAC.
537#
538# The LegacyAlgorithm can be one of the following standard algorithm names:
539# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
540# 2. JSSE key exchange algorithm name, e.g., RSA
541# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
igerasimeb375e32015-04-24 13:59:30 +0300542# 4. JSSE message digest algorithm name, e.g., SHA
asmotrake1347b42015-03-03 16:26:24 -0800543#
544# See SSL/TLS specifications and "Java Cryptography Architecture Standard
545# Algorithm Name Documentation" for information about the algorithm names.
546#
547# Note: This property is currently used by Oracle's JSSE implementation.
548# It is not guaranteed to be examined and used by other implementations.
549# There is no guarantee the property will continue to exist or be of the
550# same syntax in future releases.
551#
552# Example:
553# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
554#
555jdk.tls.legacyAlgorithms= \
556 K_NULL, C_NULL, M_NULL, \
557 DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
558 DH_RSA_EXPORT, RSA_EXPORT, \
559 DH_anon, ECDH_anon, \
560 RC4_128, RC4_40, DES_CBC, DES40_CBC