53 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI |
53 security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI |
54 security.provider.9=sun.security.smartcardio.SunPCSC |
54 security.provider.9=sun.security.smartcardio.SunPCSC |
55 |
55 |
56 # |
56 # |
57 # Select the source of seed data for SecureRandom. By default an |
57 # Select the source of seed data for SecureRandom. By default an |
58 # attempt is made to use the entropy gathering device specified by |
58 # attempt is made to use the entropy gathering device specified by |
59 # the securerandom.source property. If an exception occurs when |
59 # the securerandom.source property. If an exception occurs when |
60 # accessing the URL then the traditional system/thread activity |
60 # accessing the URL then the traditional system/thread activity |
61 # algorithm is used. |
61 # algorithm is used. |
62 # |
62 # |
63 # On Solaris and Linux systems, if file:/dev/urandom is specified and it |
63 # On Solaris and Linux systems, if file:/dev/urandom is specified and it |
64 # exists, a special SecureRandom implementation is activated by default. |
64 # exists, a special SecureRandom implementation is activated by default. |
65 # This "NativePRNG" reads random bytes directly from /dev/urandom. |
65 # This "NativePRNG" reads random bytes directly from /dev/urandom. |
66 # |
66 # |
70 securerandom.source=file:/dev/urandom |
70 securerandom.source=file:/dev/urandom |
71 # |
71 # |
72 # The entropy gathering device is described as a URL and can also |
72 # The entropy gathering device is described as a URL and can also |
73 # be specified with the system property "java.security.egd". For example, |
73 # be specified with the system property "java.security.egd". For example, |
74 # -Djava.security.egd=file:/dev/urandom |
74 # -Djava.security.egd=file:/dev/urandom |
75 # Specifying this system property will override the securerandom.source |
75 # Specifying this system property will override the securerandom.source |
76 # setting. |
76 # setting. |
77 |
77 |
78 # |
78 # |
79 # Class to instantiate as the javax.security.auth.login.Configuration |
79 # Class to instantiate as the javax.security.auth.login.Configuration |
80 # provider. |
80 # provider. |
147 # or overridden on the command line via -Djava.security.properties |
147 # or overridden on the command line via -Djava.security.properties |
148 # |
148 # |
149 security.overridePropertiesFile=true |
149 security.overridePropertiesFile=true |
150 |
150 |
151 # |
151 # |
152 # Determines the default key and trust manager factory algorithms for |
152 # Determines the default key and trust manager factory algorithms for |
153 # the javax.net.ssl package. |
153 # the javax.net.ssl package. |
154 # |
154 # |
155 ssl.KeyManagerFactory.algorithm=SunX509 |
155 ssl.KeyManagerFactory.algorithm=SunX509 |
156 ssl.TrustManagerFactory.algorithm=PKIX |
156 ssl.TrustManagerFactory.algorithm=PKIX |
157 |
157 |
166 # caching is made forever when a security manager is set. When a security |
166 # caching is made forever when a security manager is set. When a security |
167 # manager is not set, the default behavior in this implementation |
167 # manager is not set, the default behavior in this implementation |
168 # is to cache for 30 seconds. |
168 # is to cache for 30 seconds. |
169 # |
169 # |
170 # NOTE: setting this to anything other than the default value can have |
170 # NOTE: setting this to anything other than the default value can have |
171 # serious security implications. Do not set it unless |
171 # serious security implications. Do not set it unless |
172 # you are sure you are not exposed to DNS spoofing attack. |
172 # you are sure you are not exposed to DNS spoofing attack. |
173 # |
173 # |
174 #networkaddress.cache.ttl=-1 |
174 #networkaddress.cache.ttl=-1 |
175 |
175 |
176 # The Java-level namelookup cache policy for failed lookups: |
176 # The Java-level namelookup cache policy for failed lookups: |
177 # |
177 # |
178 # any negative value: cache forever |
178 # any negative value: cache forever |
179 # any positive value: the number of seconds to cache negative lookup results |
179 # any positive value: the number of seconds to cache negative lookup results |
181 # |
181 # |
182 # In some Microsoft Windows networking environments that employ |
182 # In some Microsoft Windows networking environments that employ |
183 # the WINS name service in addition to DNS, name service lookups |
183 # the WINS name service in addition to DNS, name service lookups |
184 # that fail may take a noticeably long time to return (approx. 5 seconds). |
184 # that fail may take a noticeably long time to return (approx. 5 seconds). |
185 # For this reason the default caching policy is to maintain these |
185 # For this reason the default caching policy is to maintain these |
186 # results for 10 seconds. |
186 # results for 10 seconds. |
187 # |
187 # |
188 # |
188 # |
189 networkaddress.cache.negative.ttl=10 |
189 networkaddress.cache.negative.ttl=10 |
190 |
190 |
191 # |
191 # |
192 # Properties to configure OCSP for certificate revocation checking |
192 # Properties to configure OCSP for certificate revocation checking |
193 # |
193 # |
194 |
194 |
195 # Enable OCSP |
195 # Enable OCSP |
196 # |
196 # |
197 # By default, OCSP is not used for certificate revocation checking. |
197 # By default, OCSP is not used for certificate revocation checking. |
198 # This property enables the use of OCSP when set to the value "true". |
198 # This property enables the use of OCSP when set to the value "true". |
199 # |
199 # |
200 # NOTE: SocketPermission is required to connect to an OCSP responder. |
200 # NOTE: SocketPermission is required to connect to an OCSP responder. |
201 # |
201 # |
202 # Example, |
202 # Example, |
203 # ocsp.enable=true |
203 # ocsp.enable=true |
204 |
204 |
205 # |
205 # |
206 # Location of the OCSP responder |
206 # Location of the OCSP responder |
207 # |
207 # |
208 # By default, the location of the OCSP responder is determined implicitly |
208 # By default, the location of the OCSP responder is determined implicitly |
209 # from the certificate being validated. This property explicitly specifies |
209 # from the certificate being validated. This property explicitly specifies |
211 # Authority Information Access extension (defined in RFC 3280) is absent |
211 # Authority Information Access extension (defined in RFC 3280) is absent |
212 # from the certificate or when it requires overriding. |
212 # from the certificate or when it requires overriding. |
213 # |
213 # |
214 # Example, |
214 # Example, |
215 # ocsp.responderURL=http://ocsp.example.net:80 |
215 # ocsp.responderURL=http://ocsp.example.net:80 |
216 |
216 |
217 # |
217 # |
218 # Subject name of the OCSP responder's certificate |
218 # Subject name of the OCSP responder's certificate |
219 # |
219 # |
220 # By default, the certificate of the OCSP responder is that of the issuer |
220 # By default, the certificate of the OCSP responder is that of the issuer |
221 # of the certificate being validated. This property identifies the certificate |
221 # of the certificate being validated. This property identifies the certificate |
222 # of the OCSP responder when the default does not apply. Its value is a string |
222 # of the OCSP responder when the default does not apply. Its value is a string |
223 # distinguished name (defined in RFC 2253) which identifies a certificate in |
223 # distinguished name (defined in RFC 2253) which identifies a certificate in |
224 # the set of certificates supplied during cert path validation. In cases where |
224 # the set of certificates supplied during cert path validation. In cases where |
225 # the subject name alone is not sufficient to uniquely identify the certificate |
225 # the subject name alone is not sufficient to uniquely identify the certificate |
226 # then both the "ocsp.responderCertIssuerName" and |
226 # then both the "ocsp.responderCertIssuerName" and |
227 # "ocsp.responderCertSerialNumber" properties must be used instead. When this |
227 # "ocsp.responderCertSerialNumber" properties must be used instead. When this |
228 # property is set then those two properties are ignored. |
228 # property is set then those two properties are ignored. |
229 # |
229 # |
235 # |
235 # |
236 # By default, the certificate of the OCSP responder is that of the issuer |
236 # By default, the certificate of the OCSP responder is that of the issuer |
237 # of the certificate being validated. This property identifies the certificate |
237 # of the certificate being validated. This property identifies the certificate |
238 # of the OCSP responder when the default does not apply. Its value is a string |
238 # of the OCSP responder when the default does not apply. Its value is a string |
239 # distinguished name (defined in RFC 2253) which identifies a certificate in |
239 # distinguished name (defined in RFC 2253) which identifies a certificate in |
240 # the set of certificates supplied during cert path validation. When this |
240 # the set of certificates supplied during cert path validation. When this |
241 # property is set then the "ocsp.responderCertSerialNumber" property must also |
241 # property is set then the "ocsp.responderCertSerialNumber" property must also |
242 # be set. When the "ocsp.responderCertSubjectName" property is set then this |
242 # be set. When the "ocsp.responderCertSubjectName" property is set then this |
243 # property is ignored. |
243 # property is ignored. |
244 # |
244 # |
245 # Example, |
245 # Example, |
246 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" |
246 # ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" |
247 |
247 |
248 # |
248 # |
249 # Serial number of the OCSP responder's certificate |
249 # Serial number of the OCSP responder's certificate |
250 # |
250 # |
251 # By default, the certificate of the OCSP responder is that of the issuer |
251 # By default, the certificate of the OCSP responder is that of the issuer |
252 # of the certificate being validated. This property identifies the certificate |
252 # of the certificate being validated. This property identifies the certificate |
257 # property must also be set. When the "ocsp.responderCertSubjectName" property |
257 # property must also be set. When the "ocsp.responderCertSubjectName" property |
258 # is set then this property is ignored. |
258 # is set then this property is ignored. |
259 # |
259 # |
260 # Example, |
260 # Example, |
261 # ocsp.responderCertSerialNumber=2A:FF:00 |
261 # ocsp.responderCertSerialNumber=2A:FF:00 |
262 |
262 |
|
263 # |
|
264 # Policy for failed Kerberos KDC lookups: |
|
265 # |
|
266 # When a KDC is unavailable (network error, service failure, etc), it is |
|
267 # put inside a blacklist and accessed less often for future requests. The |
|
268 # value (case-insensitive) for this policy can be: |
|
269 # |
|
270 # tryLast |
|
271 # KDCs in the blacklist are always tried after those not on the list. |
|
272 # |
|
273 # tryLess[:max_retries,timeout] |
|
274 # KDCs in the blacklist are still tried by their order in the configuration, |
|
275 # but with smaller max_retries and timeout values. max_retries and timeout |
|
276 # are optional numerical parameters (default 1 and 5000, which means once |
|
277 # and 5 seconds). Please notes that if any of the values defined here is |
|
278 # more than what is defined in krb5.conf, it will be ignored. |
|
279 # |
|
280 # Whenever a KDC is detected as available, it is removed from the blacklist. |
|
281 # The blacklist is reset when krb5.conf is reloaded. You can add |
|
282 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is |
|
283 # reloaded whenever a JAAS authentication is attempted. |
|
284 # |
|
285 # Example, |
|
286 # krb5.kdc.bad.policy = tryLast |
|
287 # krb5.kdc.bad.policy = tryLess:2,2000 |
|
288 krb5.kdc.bad.policy = tryLast |
|
289 |