114 # Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 |
114 # Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 |
115 # |
115 # |
116 # Example: |
116 # Example: |
117 # jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ |
117 # jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ |
118 # MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE |
118 # MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE |
|
119 # |
|
120 #ifdef solaris-sparc |
|
121 # Optional Solaris-SPARC configuration for non-FIPS 140 configurations. |
|
122 # jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, \ |
|
123 # HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE |
|
124 # |
|
125 #endif |
119 #jdk.security.provider.preferred= |
126 #jdk.security.provider.preferred= |
120 |
127 |
121 |
128 |
122 # |
129 # |
123 # Sun Provider SecureRandom seed source. |
130 # Sun Provider SecureRandom seed source. |
238 # securerandom.drbg.config=Hash_DRBG,SHA-224,112,none |
245 # securerandom.drbg.config=Hash_DRBG,SHA-224,112,none |
239 # securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df |
246 # securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df |
240 # |
247 # |
241 # The default value is an empty string, which is equivalent to |
248 # The default value is an empty string, which is equivalent to |
242 # securerandom.drbg.config=Hash_DRBG,SHA-256,128,none |
249 # securerandom.drbg.config=Hash_DRBG,SHA-256,128,none |
|
250 # |
243 securerandom.drbg.config= |
251 securerandom.drbg.config= |
244 |
252 |
245 # |
253 # |
246 # Class to instantiate as the javax.security.auth.login.Configuration |
254 # Class to instantiate as the javax.security.auth.login.Configuration |
247 # provider. |
255 # provider. |
260 # |
268 # |
261 policy.provider=sun.security.provider.PolicyFile |
269 policy.provider=sun.security.provider.PolicyFile |
262 |
270 |
263 # The default is to have a single system-wide policy file, |
271 # The default is to have a single system-wide policy file, |
264 # and a policy file in the user's home directory. |
272 # and a policy file in the user's home directory. |
|
273 # |
265 policy.url.1=file:${java.home}/conf/security/java.policy |
274 policy.url.1=file:${java.home}/conf/security/java.policy |
266 policy.url.2=file:${user.home}/.java.policy |
275 policy.url.2=file:${user.home}/.java.policy |
267 |
276 |
268 # whether or not we expand properties in the policy file |
277 # whether or not we expand properties in the policy file |
269 # if this is set to false, properties (${...}) will not be expanded in policy |
278 # if this is set to false, properties (${...}) will not be expanded in policy |
270 # files. |
279 # files. |
|
280 # |
271 policy.expandProperties=true |
281 policy.expandProperties=true |
272 |
282 |
273 # whether or not we allow an extra policy to be passed on the command line |
283 # whether or not we allow an extra policy to be passed on the command line |
274 # with -Djava.security.policy=somefile. Comment out this line to disable |
284 # with -Djava.security.policy=somefile. Comment out this line to disable |
275 # this feature. |
285 # this feature. |
|
286 # |
276 policy.allowSystemProperty=true |
287 policy.allowSystemProperty=true |
277 |
288 |
278 # whether or not we look into the IdentityScope for trusted Identities |
289 # whether or not we look into the IdentityScope for trusted Identities |
279 # when encountering a 1.1 signed JAR file. If the identity is found |
290 # when encountering a 1.1 signed JAR file. If the identity is found |
280 # and is trusted, we grant it AllPermission. Note: the default policy |
291 # and is trusted, we grant it AllPermission. Note: the default policy |
281 # provider (sun.security.provider.PolicyFile) does not support this property. |
292 # provider (sun.security.provider.PolicyFile) does not support this property. |
|
293 # |
282 policy.ignoreIdentityScope=false |
294 policy.ignoreIdentityScope=false |
283 |
295 |
284 # |
296 # |
285 # Default keystore type. |
297 # Default keystore type. |
286 # |
298 # |
357 # In some Microsoft Windows networking environments that employ |
369 # In some Microsoft Windows networking environments that employ |
358 # the WINS name service in addition to DNS, name service lookups |
370 # the WINS name service in addition to DNS, name service lookups |
359 # that fail may take a noticeably long time to return (approx. 5 seconds). |
371 # that fail may take a noticeably long time to return (approx. 5 seconds). |
360 # For this reason the default caching policy is to maintain these |
372 # For this reason the default caching policy is to maintain these |
361 # results for 10 seconds. |
373 # results for 10 seconds. |
362 # |
|
363 # |
374 # |
364 networkaddress.cache.negative.ttl=10 |
375 networkaddress.cache.negative.ttl=10 |
365 |
376 |
366 # |
377 # |
367 # Properties to configure OCSP for certificate revocation checking |
378 # Properties to configure OCSP for certificate revocation checking |
458 # reloaded whenever a JAAS authentication is attempted. |
469 # reloaded whenever a JAAS authentication is attempted. |
459 # |
470 # |
460 # Example, |
471 # Example, |
461 # krb5.kdc.bad.policy = tryLast |
472 # krb5.kdc.bad.policy = tryLast |
462 # krb5.kdc.bad.policy = tryLess:2,2000 |
473 # krb5.kdc.bad.policy = tryLess:2,2000 |
|
474 # |
463 krb5.kdc.bad.policy = tryLast |
475 krb5.kdc.bad.policy = tryLast |
464 |
476 |
|
477 # |
465 # Algorithm restrictions for certification path (CertPath) processing |
478 # Algorithm restrictions for certification path (CertPath) processing |
466 # |
479 # |
467 # In some environments, certain algorithms or key lengths may be undesirable |
480 # In some environments, certain algorithms or key lengths may be undesirable |
468 # for certification path building and validation. For example, "MD2" is |
481 # for certification path building and validation. For example, "MD2" is |
469 # generally no longer considered to be a secure hash algorithm. This section |
482 # generally no longer considered to be a secure hash algorithm. This section |
570 # |
583 # |
571 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \ |
584 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \ |
572 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 |
585 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 |
573 |
586 |
574 # |
587 # |
575 # RMI Registry Serial Filter |
|
576 # |
|
577 # The filter pattern uses the same format as jdk.serialFilter. |
|
578 # This filter can override the builtin filter if additional types need to be |
|
579 # allowed or rejected from the RMI Registry. |
|
580 # |
|
581 # Note: This property is currently used by the JDK Reference implementation. |
|
582 # It is not guaranteed to be examined and used by other implementations. |
|
583 # |
|
584 #sun.rmi.registry.registryFilter=pattern;pattern |
|
585 # |
|
586 # RMI Distributed Garbage Collector (DGC) Serial Filter |
|
587 # |
|
588 # The filter pattern uses the same format as jdk.serialFilter. |
|
589 # This filter can override the builtin filter if additional types need to be |
|
590 # allowed or rejected from the RMI DGC. |
|
591 # |
|
592 # Note: This property is currently used by the JDK Reference implementation. |
|
593 # It is not guaranteed to be examined and used by other implementations. |
|
594 # |
|
595 # The builtin DGC filter can approximately be represented as the filter pattern: |
|
596 # |
|
597 #sun.rmi.transport.dgcFilter=\ |
|
598 # java.rmi.server.ObjID;\ |
|
599 # java.rmi.server.UID;\ |
|
600 # java.rmi.dgc.VMID;\ |
|
601 # java.rmi.dgc.Lease;\ |
|
602 # maxdepth=5;maxarray=10000 |
|
603 |
|
604 # Algorithm restrictions for signed JAR files |
588 # Algorithm restrictions for signed JAR files |
605 # |
589 # |
606 # In some environments, certain algorithms or key lengths may be undesirable |
590 # In some environments, certain algorithms or key lengths may be undesirable |
607 # for signed JAR validation. For example, "MD2" is generally no longer |
591 # for signed JAR validation. For example, "MD2" is generally no longer |
608 # considered to be a secure hash algorithm. This section describes the |
592 # considered to be a secure hash algorithm. This section describes the |
637 # implementations. |
621 # implementations. |
638 # |
622 # |
639 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ |
623 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ |
640 DSA keySize < 1024 |
624 DSA keySize < 1024 |
641 |
625 |
|
626 # |
642 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security |
627 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security |
643 # (SSL/TLS/DTLS) processing |
628 # (SSL/TLS/DTLS) processing |
644 # |
629 # |
645 # In some environments, certain algorithms or key lengths may be undesirable |
630 # In some environments, certain algorithms or key lengths may be undesirable |
646 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling |
631 # when using SSL/TLS/DTLS. This section describes the mechanism for disabling |
937 # If the pattern is equal to the class name, it matches. |
922 # If the pattern is equal to the class name, it matches. |
938 # Otherwise, the status is UNDECIDED. |
923 # Otherwise, the status is UNDECIDED. |
939 # |
924 # |
940 #jdk.serialFilter=pattern;pattern |
925 #jdk.serialFilter=pattern;pattern |
941 |
926 |
|
927 # |
|
928 # RMI Registry Serial Filter |
|
929 # |
|
930 # The filter pattern uses the same format as jdk.serialFilter. |
|
931 # This filter can override the builtin filter if additional types need to be |
|
932 # allowed or rejected from the RMI Registry. |
|
933 # |
|
934 # Note: This property is currently used by the JDK Reference implementation. |
|
935 # It is not guaranteed to be examined and used by other implementations. |
|
936 # |
|
937 #sun.rmi.registry.registryFilter=pattern;pattern |
|
938 # |
|
939 # RMI Distributed Garbage Collector (DGC) Serial Filter |
|
940 # |
|
941 # The filter pattern uses the same format as jdk.serialFilter. |
|
942 # This filter can override the builtin filter if additional types need to be |
|
943 # allowed or rejected from the RMI DGC. |
|
944 # |
|
945 # Note: This property is currently used by the JDK Reference implementation. |
|
946 # It is not guaranteed to be examined and used by other implementations. |
|
947 # |
|
948 # The builtin DGC filter can approximately be represented as the filter pattern: |
|
949 # |
|
950 #sun.rmi.transport.dgcFilter=\ |
|
951 # java.rmi.server.ObjID;\ |
|
952 # java.rmi.server.UID;\ |
|
953 # java.rmi.dgc.VMID;\ |
|
954 # java.rmi.dgc.Lease;\ |
|
955 # maxdepth=5;maxarray=10000 |