#

# This is the "master security properties file".

#

# An alternate java.security properties file may be specified

# from the command line via the system property

#

#    -Djava.security.properties=<URL>

#

# This properties file appends to the master security properties file.

# If both properties files specify values for the same key, the value

# from the command-line properties file is selected, as it is the last

# one loaded.

#

# Also, if you specify

#

#    -Djava.security.properties==<URL> (2 equals),

#

# then that properties file completely overrides the master security

# properties file.

#

# To disable the ability to specify an additional properties file from

# the command line, set the key security.overridePropertiesFile

# to false in the master security properties file. It is set to true

# by default.

# In this file, various security properties are set for use by

# java.security classes. This is where users can statically register

# Cryptography Package Providers ("providers" for short). The term

# "provider" refers to a package or set of packages that supply a

# concrete implementation of a subset of the cryptography aspects of

# the Java Security API. A provider may, for example, implement one or

# more digital signature algorithms or message digest algorithms.

#

# Each provider must implement a subclass of the Provider class.

# To register a provider in this master security properties file,

# specify the provider and priority in the format

#

#    security.provider.<n>=<provName | className>

#

# This declares a provider, and specifies its preference

# order n. The preference order is the order in which providers are

# searched for requested algorithms (when no specific provider is

# requested). The order is 1-based; 1 is the most preferred, followed

# by 2, and so on.

#

# <provName> must specify the name of the Provider as passed to its super

# class java.security.Provider constructor. This is for providers loaded

# through the ServiceLoader mechanism.

#

# <className> must specify the subclass of the Provider class whose

# constructor sets the values of various properties that are required

# for the Java Security API to look up the algorithms or other

# facilities implemented by the provider. This is for providers loaded

# through classpath.

#

# Note: Providers can be dynamically registered instead by calls to

# either the addProvider or insertProviderAt method in the Security

# class.

#

# List of providers and their preference orders (see above):

#

#ifdef solaris

security.provider.tbd=OracleUcrypto

security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg

#endif

security.provider.tbd=SUN

security.provider.tbd=SunRsaSign

security.provider.tbd=SunEC

security.provider.tbd=SunJSSE

security.provider.tbd=SunJCE

security.provider.tbd=SunJGSS

security.provider.tbd=SunSASL

security.provider.tbd=XMLDSig

security.provider.tbd=SunPCSC

security.provider.tbd=JdkLDAP

security.provider.tbd=JdkSASL

#ifdef windows

security.provider.tbd=SunMSCAPI

#endif

#ifdef macosx

security.provider.tbd=Apple

#endif

#ifndef solaris

security.provider.tbd=SunPKCS11

#endif

#

# A list of preferred providers for specific algorithms. These providers will

# be searched for matching algorithms before the list of registered providers.

# Entries containing errors (parsing, etc) will be ignored. Use the

# -Djava.security.debug=jca property to debug these errors.

#

# The property is a comma-separated list of serviceType.algorithm:provider

# entries. The serviceType (example: "MessageDigest") is optional, and if

# not specified, the algorithm applies to all service types that support it.

# The algorithm is the standard algorithm name or transformation.

# Transformations can be specified in their full standard name

# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC).

# The provider is the name of the provider. Any provider that does not

# also appear in the registered list will be ignored.

#

# There is a special serviceType for this property only to group a set of

# algorithms together. The type is "Group" and is followed by an algorithm

# keyword. Groups are to simplify and lessen the entries on the property

# line. Current groups are:

#   Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

#   Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512

#   Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA

#   Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA

#   Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \

#                     SHA512withECDSA

#   Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512

#   Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512

#

# Example:

#   jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \

#         MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE

#

#ifdef solaris-sparc

# Optional Solaris-SPARC configuration for non-FIPS 140 configurations.

#   jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, \

#   HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE

#

#endif

#jdk.security.provider.preferred=

#

# Sun Provider SecureRandom seed source.

#

# Select the primary source of seed data for the "NativePRNG", "SHA1PRNG"

# and "DRBG" SecureRandom implementations in the "Sun" provider.

# (Other SecureRandom implementations might also use this property.)

#

# On Unix-like systems (for example, Solaris/Linux/MacOS), the

# "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from

# special device files such as file:/dev/random.

#

# On Windows systems, specifying the URLs "file:/dev/random" or

# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding

# mechanism for SHA1PRNG and DRBG.

#

# By default, an attempt is made to use the entropy gathering device

# specified by the "securerandom.source" Security property.  If an

# exception occurs while accessing the specified URL:

#

#     NativePRNG:

#         a default value of /dev/random will be used.  If neither

#         are available, the implementation will be disabled.

#         "file" is the only currently supported protocol type.

#

#     SHA1PRNG and DRBG:

#         the traditional system/thread activity algorithm will be used.

#

# The entropy gathering device can also be specified with the System

# property "java.security.egd". For example:

#

#   % java -Djava.security.egd=file:/dev/random MainClass

#

# Specifying this System property will override the

# "securerandom.source" Security property.

#

# In addition, if "file:/dev/random" or "file:/dev/urandom" is

# specified, the "NativePRNG" implementation will be more preferred than

# DRBG and SHA1PRNG in the Sun provider.

#

securerandom.source=file:/dev/random

#

# A list of known strong SecureRandom implementations.

#

# To help guide applications in selecting a suitable strong

# java.security.SecureRandom implementation, Java distributions should

# indicate a list of known strong implementations using the property.

#

# This is a comma-separated list of algorithm and/or algorithm:provider

# entries.

#

#ifdef windows

securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN

#endif

#ifndef windows

securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN

#endif

#

# Sun provider DRBG configuration and default instantiation request.

#

# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured

# with a DRBG algorithm name, and can be instantiated with a security strength,

# prediction resistance support, etc. This property defines the configuration

# and the default instantiation request of "DRBG" SecureRandom implementations

# in the SUN provider. (Other DRBG implementations can also use this property.)

# Applications can request different instantiation parameters like security

# strength, capability, personalization string using one of the

# getInstance(...,SecureRandomParameters,...) methods with a

# DrbgParameters.Instantiation argument, but other settings such as the

# mechanism and DRBG algorithm names are not currently configurable by any API.

#

# Please note that the SUN implementation of DRBG always supports reseeding.

#

# The value of this property is a comma-separated list of all configurable

# aspects. The aspects can appear in any order but the same aspect can only

# appear at most once. Its BNF-style definition is:

#

#   Value:

#     aspect { "," aspect }

#

#   aspect:

#     mech_name | algorithm_name | strength | capability | df

#

#   // The DRBG mechanism to use. Default "Hash_DRBG"

#   mech_name:

#     "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"

#

#   // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and

#   // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG,

#   // default "AES-128" when using the limited cryptographic or "AES-256"

#   // when using the unlimited.

#   algorithm_name:

#     "SHA-224" | "SHA-512/224" | "SHA-256" |

#     "SHA-512/256" | "SHA-384" | "SHA-512" |

#     "AES-128" | "AES-192" | "AES-256"

#

#   // Security strength requested. Default "128"

#   strength:

#     "112" | "128" | "192" | "256"

#

#   // Prediction resistance and reseeding request. Default "none"

#   //  "pr_and_reseed" - Both prediction resistance and reseeding

#   //                    support requested

#   //  "reseed_only"   - Only reseeding support requested

#   //  "none"          - Neither prediction resistance not reseeding

#   //                    support requested

#   pr:

#     "pr_and_reseed" | "reseed_only" | "none"

#

#   // Whether a derivation function should be used. only applicable

#   // to CTR_DRBG. Default "use_df"

#   df:

#     "use_df" | "no_df"

#

# Examples,

#   securerandom.drbg.config=Hash_DRBG,SHA-224,112,none

#   securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df

#

# The default value is an empty string, which is equivalent to

#   securerandom.drbg.config=Hash_DRBG,SHA-256,128,none

#

securerandom.drbg.config=

#

# Class to instantiate as the javax.security.auth.login.Configuration

# provider.

#

login.configuration.provider=sun.security.provider.ConfigFile

#

# Default login configuration file

#

#login.config.url.1=file:${user.home}/.java.login.config

#

# Class to instantiate as the system Policy. This is the name of the class

# that will be used as the Policy object. The system class loader is used to

# locate this class.

#

policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,

# and a policy file in the user's home directory.

#

policy.url.1=file:${java.home}/conf/security/java.policy

policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file

# if this is set to false, properties (${...}) will not be expanded in policy

# files.

#

policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line

# with -Djava.security.policy=somefile. Comment out this line to disable

# this feature.

#

policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities

# when encountering a 1.1 signed JAR file. If the identity is found

# and is trusted, we grant it AllPermission. Note: the default policy

# provider (sun.security.provider.PolicyFile) does not support this property.

#

policy.ignoreIdentityScope=false

#

# Default keystore type.

#

keystore.type=pkcs12

#

# Controls compatibility mode for JKS and PKCS12 keystore types.

#

# When set to 'true', both JKS and PKCS12 keystore types support loading

# keystore files in either JKS or PKCS12 format. When set to 'false' the

# JKS keystore type supports loading only JKS keystore files and the PKCS12

# keystore type supports loading only PKCS12 keystore files.

#

keystore.type.compat=true

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when passed to the

# SecurityManager::checkPackageAccess method unless the corresponding

# RuntimePermission("accessClassInPackage."+package) has been granted.

#

package.access=sun.misc.,\

               sun.reflect.,\

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when passed to the

# SecurityManager::checkPackageDefinition method unless the corresponding

# RuntimePermission("defineClassInPackage."+package) has been granted.

#

# By default, none of the class loaders supplied with the JDK call

# checkPackageDefinition.

#

package.definition=sun.misc.,\

                   sun.reflect.,\

#

# Determines whether this properties file can be appended to

# or overridden on the command line via -Djava.security.properties

#

security.overridePropertiesFile=true

#

# Determines the default key and trust manager factory algorithms for

# the javax.net.ssl package.

#

ssl.KeyManagerFactory.algorithm=SunX509

ssl.TrustManagerFactory.algorithm=PKIX

#

# The Java-level namelookup cache policy for successful lookups:

#

# any negative value: caching forever

# any positive value: the number of seconds to cache an address for

# zero: do not cache

#

# default value is forever (FOREVER). For security reasons, this

# caching is made forever when a security manager is set. When a security

# manager is not set, the default behavior in this implementation

# is to cache for 30 seconds.

#

# NOTE: setting this to anything other than the default value can have

#       serious security implications. Do not set it unless

#       you are sure you are not exposed to DNS spoofing attack.

#

#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:

#

# any negative value: cache forever

# any positive value: the number of seconds to cache negative lookup results

# zero: do not cache

#

# In some Microsoft Windows networking environments that employ

# the WINS name service in addition to DNS, name service lookups

# that fail may take a noticeably long time to return (approx. 5 seconds).

# For this reason the default caching policy is to maintain these

# results for 10 seconds.

#

networkaddress.cache.negative.ttl=10

#

# Properties to configure OCSP for certificate revocation checking

#

# Enable OCSP

#

# By default, OCSP is not used for certificate revocation checking.

# This property enables the use of OCSP when set to the value "true".

#

# NOTE: SocketPermission is required to connect to an OCSP responder.

#

# Example,

#   ocsp.enable=true

#

# Location of the OCSP responder

#

# By default, the location of the OCSP responder is determined implicitly

# from the certificate being validated. This property explicitly specifies

# the location of the OCSP responder. The property is used when the

# Authority Information Access extension (defined in RFC 5280) is absent

# from the certificate or when it requires overriding.

#

# Example,

#   ocsp.responderURL=http://ocsp.example.net:80

#

# Subject name of the OCSP responder's certificate

#

# By default, the certificate of the OCSP responder is that of the issuer

# of the certificate being validated. This property identifies the certificate

# of the OCSP responder when the default does not apply. Its value is a string

# distinguished name (defined in RFC 2253) which identifies a certificate in

# the set of certificates supplied during cert path validation. In cases where

# the subject name alone is not sufficient to uniquely identify the certificate

# then both the "ocsp.responderCertIssuerName" and

# "ocsp.responderCertSerialNumber" properties must be used instead. When this

# property is set then those two properties are ignored.

#

# Example,

#   ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp

#

# Issuer name of the OCSP responder's certificate

#

# By default, the certificate of the OCSP responder is that of the issuer

# of the certificate being validated. This property identifies the certificate

# of the OCSP responder when the default does not apply. Its value is a string

# distinguished name (defined in RFC 2253) which identifies a certificate in

# the set of certificates supplied during cert path validation. When this

# property is set then the "ocsp.responderCertSerialNumber" property must also

# be set. When the "ocsp.responderCertSubjectName" property is set then this

# property is ignored.

#

# Example,

#   ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp

#

# Serial number of the OCSP responder's certificate

#

# By default, the certificate of the OCSP responder is that of the issuer

# of the certificate being validated. This property identifies the certificate

# of the OCSP responder when the default does not apply. Its value is a string

# of hexadecimal digits (colon or space separators may be present) which

# identifies a certificate in the set of certificates supplied during cert path

# validation. When this property is set then the "ocsp.responderCertIssuerName"

# property must also be set. When the "ocsp.responderCertSubjectName" property

# is set then this property is ignored.

#

# Example,

#   ocsp.responderCertSerialNumber=2A:FF:00

#

# Policy for failed Kerberos KDC lookups:

#

# When a KDC is unavailable (network error, service failure, etc), it is

# put inside a blacklist and accessed less often for future requests. The

# value (case-insensitive) for this policy can be:

#

# tryLast

#    KDCs in the blacklist are always tried after those not on the list.

#

# tryLess[:max_retries,timeout]

#    KDCs in the blacklist are still tried by their order in the configuration,

#    but with smaller max_retries and timeout values. max_retries and timeout

#    are optional numerical parameters (default 1 and 5000, which means once

#    and 5 seconds). Please notes that if any of the values defined here is

#    more than what is defined in krb5.conf, it will be ignored.

#

# Whenever a KDC is detected as available, it is removed from the blacklist.

# The blacklist is reset when krb5.conf is reloaded. You can add

# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is

# reloaded whenever a JAAS authentication is attempted.

#

# Example,

#   krb5.kdc.bad.policy = tryLast

#   krb5.kdc.bad.policy = tryLess:2,2000

#

krb5.kdc.bad.policy = tryLast

#

# Kerberos cross-realm referrals (RFC 6806)

#

# OpenJDK's Kerberos client supports cross-realm referrals as defined in

# RFC 6806. This allows to setup more dynamic environments in which clients

# do not need to know in advance how to reach the realm of a target principal

# (either a user or service).

#

# When a client issues an AS or a TGS request, the "canonicalize" option

# is set to announce support of this feature. A KDC server may fulfill the

# request or reply referring the client to a different one. If referred,

# the client will issue a new request and the cycle repeats.

#

# In addition to referrals, the "canonicalize" option allows the KDC server

# to change the client name in response to an AS request. For security reasons,

# RFC 6806 (section 11) FAST scheme is enforced.

#

# Disable Kerberos cross-realm referrals. Value may be overwritten with a

# System property (-Dsun.security.krb5.disableReferrals).

sun.security.krb5.disableReferrals=false

# Maximum number of AS or TGS referrals to avoid infinite loops. Value may

# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).