src/java.base/share/conf/security/java.security
author mbalao
Tue, 12 Nov 2019 00:30:55 -0300
changeset 59158 438337c846fb
parent 58612 32aff2b7585b
permissions -rw-r--r--
8233404: System property to set the number of PBE iterations in JCEKS keystores Reviewed-by: weijun
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
     2
# This is the "master security properties file".
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
#
13159
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     4
# An alternate java.security properties file may be specified
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     5
# from the command line via the system property
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     6
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     7
#    -Djava.security.properties=<URL>
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     8
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
     9
# This properties file appends to the master security properties file.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    10
# If both properties files specify values for the same key, the value
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    11
# from the command-line properties file is selected, as it is the last
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    12
# one loaded.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    13
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    14
# Also, if you specify
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    15
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    16
#    -Djava.security.properties==<URL> (2 equals),
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    17
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    18
# then that properties file completely overrides the master security
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    19
# properties file.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    20
#
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    21
# To disable the ability to specify an additional properties file from
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    22
# the command line, set the key security.overridePropertiesFile
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    23
# to false in the master security properties file. It is set to true
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    24
# by default.
b2bf5f74dd06 7133344: Document the java.security.properties system property feature in the java.security file
mullan
parents: 13046
diff changeset
    25
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
# In this file, various security properties are set for use by
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
# java.security classes. This is where users can statically register
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
# Cryptography Package Providers ("providers" for short). The term
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
# "provider" refers to a package or set of packages that supply a
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
# concrete implementation of a subset of the cryptography aspects of
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
# the Java Security API. A provider may, for example, implement one or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
# more digital signature algorithms or message digest algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
# Each provider must implement a subclass of the Provider class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
# To register a provider in this master security properties file,
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    36
# specify the provider and priority in the format
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    37
#
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    38
#    security.provider.<n>=<provName | className>
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
# This declares a provider, and specifies its preference
90ce3da70b43 Initial load
duke
parents:
diff changeset
    41
# order n. The preference order is the order in which providers are
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
# searched for requested algorithms (when no specific provider is
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
# requested). The order is 1-based; 1 is the most preferred, followed
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
# by 2, and so on.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
#
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    46
# <provName> must specify the name of the Provider as passed to its super
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    47
# class java.security.Provider constructor. This is for providers loaded
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    48
# through the ServiceLoader mechanism.
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    49
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    50
# <className> must specify the subclass of the Provider class whose
90ce3da70b43 Initial load
duke
parents:
diff changeset
    51
# constructor sets the values of various properties that are required
90ce3da70b43 Initial load
duke
parents:
diff changeset
    52
# for the Java Security API to look up the algorithms or other
38948
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    53
# facilities implemented by the provider. This is for providers loaded
a41d2f668f49 8157881: security.provider property description needs to be updated for modules
valeriep
parents: 38576
diff changeset
    54
# through classpath.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
# Note: Providers can be dynamically registered instead by calls to
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
# either the addProvider or insertProviderAt method in the Security
90ce3da70b43 Initial load
duke
parents:
diff changeset
    58
# class.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    59
90ce3da70b43 Initial load
duke
parents:
diff changeset
    60
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
    61
# List of providers and their preference orders (see above):
90ce3da70b43 Initial load
duke
parents:
diff changeset
    62
#
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    63
#ifdef solaris
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    64
security.provider.tbd=OracleUcrypto
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    65
security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    66
#endif
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    67
security.provider.tbd=SUN
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    68
security.provider.tbd=SunRsaSign
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    69
security.provider.tbd=SunEC
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    70
security.provider.tbd=SunJSSE
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    71
security.provider.tbd=SunJCE
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    72
security.provider.tbd=SunJGSS
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    73
security.provider.tbd=SunSASL
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    74
security.provider.tbd=XMLDSig
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    75
security.provider.tbd=SunPCSC
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    76
security.provider.tbd=JdkLDAP
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    77
security.provider.tbd=JdkSASL
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    78
#ifdef windows
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    79
security.provider.tbd=SunMSCAPI
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    80
#endif
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    81
#ifdef macosx
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    82
security.provider.tbd=Apple
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
    83
#endif
31270
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    84
#ifndef solaris
36511
9d0388c6b336 8142968: Module System implementation
alanb
parents: 36242
diff changeset
    85
security.provider.tbd=SunPKCS11
31270
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    86
#endif
e6470b24700d 7191662: JCE providers should be located via ServiceLoader
valeriep
parents: 30904
diff changeset
    87
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    88
#
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    89
# A list of preferred providers for specific algorithms. These providers will
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    90
# be searched for matching algorithms before the list of registered providers.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    91
# Entries containing errors (parsing, etc) will be ignored. Use the
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    92
# -Djava.security.debug=jca property to debug these errors.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    93
#
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    94
# The property is a comma-separated list of serviceType.algorithm:provider
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    95
# entries. The serviceType (example: "MessageDigest") is optional, and if
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    96
# not specified, the algorithm applies to all service types that support it.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    97
# The algorithm is the standard algorithm name or transformation.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    98
# Transformations can be specified in their full standard name
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
    99
# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC).
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   100
# The provider is the name of the provider. Any provider that does not
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   101
# also appear in the registered list will be ignored.
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   102
#
38435
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   103
# There is a special serviceType for this property only to group a set of
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   104
# algorithms together. The type is "Group" and is followed by an algorithm
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   105
# keyword. Groups are to simplify and lessen the entries on the property
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   106
# line. Current groups are:
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   107
#   Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   108
#   Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   109
#   Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   110
#   Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   111
#   Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   112
#                     SHA512withECDSA
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   113
#   Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   114
#   Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   115
#
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   116
# Example:
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   117
#   jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \
38435
292ad46c1bf1 8155847: SHA groups needed for jdk.security.provider.preferred
ascarpino
parents: 38419
diff changeset
   118
#         MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   119
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   120
#ifdef solaris-sparc
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   121
# Optional Solaris-SPARC configuration for non-FIPS 140 configurations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   122
#   jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, Group.SHA2:SUN, \
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   123
#   HmacSHA1:SunJCE, Group.HmacSHA2:SunJCE
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   124
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   125
#endif
39339
3a9850ed77e8 8159180: Remove default setting for jdk.security.provider.preferred
ascarpino
parents: 38948
diff changeset
   126
#jdk.security.provider.preferred=
33241
27eb2d6abda9 8133151: Preferred provider configuration for JCE
ascarpino
parents: 32292
diff changeset
   127
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   130
# Sun Provider SecureRandom seed source.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   131
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   132
# Select the primary source of seed data for the "NativePRNG", "SHA1PRNG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   133
# and "DRBG" SecureRandom implementations in the "Sun" provider.
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   134
# (Other SecureRandom implementations might also use this property.)
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   135
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   136
# On Unix-like systems (for example, Solaris/Linux/MacOS), the
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   137
# "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   138
# special device files such as file:/dev/random.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   139
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   140
# On Windows systems, specifying the URLs "file:/dev/random" or
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   141
# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   142
# mechanism for SHA1PRNG and DRBG.
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   143
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   144
# By default, an attempt is made to use the entropy gathering device
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   145
# specified by the "securerandom.source" Security property.  If an
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   146
# exception occurs while accessing the specified URL:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   147
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   148
#     NativePRNG:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   149
#         a default value of /dev/random will be used.  If neither
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   150
#         are available, the implementation will be disabled.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   151
#         "file" is the only currently supported protocol type.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   153
#     SHA1PRNG and DRBG:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   154
#         the traditional system/thread activity algorithm will be used.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   155
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   156
# The entropy gathering device can also be specified with the System
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   157
# property "java.security.egd". For example:
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   158
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   159
#   % java -Djava.security.egd=file:/dev/random MainClass
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   161
# Specifying this System property will override the
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   162
# "securerandom.source" Security property.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   163
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   164
# In addition, if "file:/dev/random" or "file:/dev/urandom" is
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   165
# specified, the "NativePRNG" implementation will be more preferred than
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   166
# DRBG and SHA1PRNG in the Sun provider.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
#
16915
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   168
securerandom.source=file:/dev/random
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   169
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   170
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   171
# A list of known strong SecureRandom implementations.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   172
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   173
# To help guide applications in selecting a suitable strong
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   174
# java.security.SecureRandom implementation, Java distributions should
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   175
# indicate a list of known strong implementations using the property.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   176
#
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   177
# This is a comma-separated list of algorithm and/or algorithm:provider
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   178
# entries.
675d1569af3e 6425477: Better support for generation of high entropy random numbers
wetmore
parents: 16744
diff changeset
   179
#
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   180
#ifdef windows
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   181
securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   182
#endif
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   183
#ifndef windows
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   184
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
25974
850dc36ea410 6997010: Consolidate java.security files into one file with modifications
weijun
parents: 25543
diff changeset
   185
#endif
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   188
# Sun provider DRBG configuration and default instantiation request.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   189
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   190
# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   191
# with a DRBG algorithm name, and can be instantiated with a security strength,
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   192
# prediction resistance support, etc. This property defines the configuration
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   193
# and the default instantiation request of "DRBG" SecureRandom implementations
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   194
# in the SUN provider. (Other DRBG implementations can also use this property.)
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   195
# Applications can request different instantiation parameters like security
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   196
# strength, capability, personalization string using one of the
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   197
# getInstance(...,SecureRandomParameters,...) methods with a
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   198
# DrbgParameters.Instantiation argument, but other settings such as the
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   199
# mechanism and DRBG algorithm names are not currently configurable by any API.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   200
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   201
# Please note that the SUN implementation of DRBG always supports reseeding.
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   202
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   203
# The value of this property is a comma-separated list of all configurable
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   204
# aspects. The aspects can appear in any order but the same aspect can only
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   205
# appear at most once. Its BNF-style definition is:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   206
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   207
#   Value:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   208
#     aspect { "," aspect }
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   209
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   210
#   aspect:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   211
#     mech_name | algorithm_name | strength | capability | df
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   212
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   213
#   // The DRBG mechanism to use. Default "Hash_DRBG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   214
#   mech_name:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   215
#     "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   216
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   217
#   // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   218
#   // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG,
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   219
#   // default "AES-128" when using the limited cryptographic or "AES-256"
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   220
#   // when using the unlimited.
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   221
#   algorithm_name:
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   222
#     "SHA-224" | "SHA-512/224" | "SHA-256" |
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   223
#     "SHA-512/256" | "SHA-384" | "SHA-512" |
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   224
#     "AES-128" | "AES-192" | "AES-256"
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   225
#
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   226
#   // Security strength requested. Default "128"
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   227
#   strength:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   228
#     "112" | "128" | "192" | "256"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   229
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   230
#   // Prediction resistance and reseeding request. Default "none"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   231
#   //  "pr_and_reseed" - Both prediction resistance and reseeding
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   232
#   //                    support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   233
#   //  "reseed_only"   - Only reseeding support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   234
#   //  "none"          - Neither prediction resistance not reseeding
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   235
#   //                    support requested
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   236
#   pr:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   237
#     "pr_and_reseed" | "reseed_only" | "none"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   238
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   239
#   // Whether a derivation function should be used. only applicable
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   240
#   // to CTR_DRBG. Default "use_df"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   241
#   df:
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   242
#     "use_df" | "no_df"
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   243
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   244
# Examples,
37896
cd841af7dcd0 8156213: Remove SHA-1 and 3KeyTDEA algorithms from DRBG
weijun
parents: 37796
diff changeset
   245
#   securerandom.drbg.config=Hash_DRBG,SHA-224,112,none
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   246
#   securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   247
#
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   248
# The default value is an empty string, which is equivalent to
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   249
#   securerandom.drbg.config=Hash_DRBG,SHA-256,128,none
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   250
#
37796
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   251
securerandom.drbg.config=
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   252
256c45c4af5d 8051408: NIST SP 800-90A SecureRandom implementations
weijun
parents: 37726
diff changeset
   253
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
# Class to instantiate as the javax.security.auth.login.Configuration
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
# provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
#
19385
a7b34a4b1fcb 8016848: javax_security/auth/login tests fail in compact 1 and 2 profiles
mullan
parents: 18828
diff changeset
   257
login.configuration.provider=sun.security.provider.ConfigFile
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   258
90ce3da70b43 Initial load
duke
parents:
diff changeset
   259
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   260
# Default login configuration file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   261
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   262
#login.config.url.1=file:${user.home}/.java.login.config
90ce3da70b43 Initial load
duke
parents:
diff changeset
   263
90ce3da70b43 Initial load
duke
parents:
diff changeset
   264
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   265
# Class to instantiate as the system Policy. This is the name of the class
30444
054604aed79c 8075706: Policy implementation does not allow policy.provider to be on the class path
mullan
parents: 29902
diff changeset
   266
# that will be used as the Policy object. The system class loader is used to
054604aed79c 8075706: Policy implementation does not allow policy.provider to be on the class path
mullan
parents: 29902
diff changeset
   267
# locate this class.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   268
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   269
policy.provider=sun.security.provider.PolicyFile
90ce3da70b43 Initial load
duke
parents:
diff changeset
   270
90ce3da70b43 Initial load
duke
parents:
diff changeset
   271
# The default is to have a single system-wide policy file,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   272
# and a policy file in the user's home directory.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   273
#
27565
729f9700483a 8049367: Modular Run-Time Images
chegar
parents: 26967
diff changeset
   274
policy.url.1=file:${java.home}/conf/security/java.policy
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   275
policy.url.2=file:${user.home}/.java.policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   276
90ce3da70b43 Initial load
duke
parents:
diff changeset
   277
# whether or not we expand properties in the policy file
90ce3da70b43 Initial load
duke
parents:
diff changeset
   278
# if this is set to false, properties (${...}) will not be expanded in policy
90ce3da70b43 Initial load
duke
parents:
diff changeset
   279
# files.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   280
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   281
policy.expandProperties=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   282
90ce3da70b43 Initial load
duke
parents:
diff changeset
   283
# whether or not we allow an extra policy to be passed on the command line
90ce3da70b43 Initial load
duke
parents:
diff changeset
   284
# with -Djava.security.policy=somefile. Comment out this line to disable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   285
# this feature.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   286
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   287
policy.allowSystemProperty=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   288
90ce3da70b43 Initial load
duke
parents:
diff changeset
   289
# whether or not we look into the IdentityScope for trusted Identities
90ce3da70b43 Initial load
duke
parents:
diff changeset
   290
# when encountering a 1.1 signed JAR file. If the identity is found
30790
f81f9725a1c6 8065233: Remove Policy provider code that synchronizes on identityPolicyEntries List
mullan
parents: 30506
diff changeset
   291
# and is trusted, we grant it AllPermission. Note: the default policy
f81f9725a1c6 8065233: Remove Policy provider code that synchronizes on identityPolicyEntries List
mullan
parents: 30506
diff changeset
   292
# provider (sun.security.provider.PolicyFile) does not support this property.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   293
#
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   294
policy.ignoreIdentityScope=false
90ce3da70b43 Initial load
duke
parents:
diff changeset
   295
90ce3da70b43 Initial load
duke
parents:
diff changeset
   296
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   297
# Default keystore type.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   298
#
28243
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   299
keystore.type=pkcs12
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   300
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   301
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   302
# Controls compatibility mode for JKS and PKCS12 keystore types.
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   303
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   304
# When set to 'true', both JKS and PKCS12 keystore types support loading
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   305
# keystore files in either JKS or PKCS12 format. When set to 'false' the
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   306
# JKS keystore type supports loading only JKS keystore files and the PKCS12
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   307
# keystore type supports loading only PKCS12 keystore files.
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   308
#
47080f9ae750 8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents: 27565
diff changeset
   309
keystore.type.compat=true
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   310
90ce3da70b43 Initial load
duke
parents:
diff changeset
   311
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   312
# List of comma-separated packages that start with or equal this string
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   313
# will cause a security exception to be thrown when passed to the
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   314
# SecurityManager::checkPackageAccess method unless the corresponding
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   315
# RuntimePermission("accessClassInPackage."+package) has been granted.
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   316
#
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   317
package.access=sun.misc.,\
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   318
               sun.reflect.,\
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   319
90ce3da70b43 Initial load
duke
parents:
diff changeset
   320
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   321
# List of comma-separated packages that start with or equal this string
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   322
# will cause a security exception to be thrown when passed to the
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   323
# SecurityManager::checkPackageDefinition method unless the corresponding
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   324
# RuntimePermission("defineClassInPackage."+package) has been granted.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   325
#
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   326
# By default, none of the class loaders supplied with the JDK call
13035
27b066eebe1f 7145239: Finetune package definition restriction
mullan
parents: 8769
diff changeset
   327
# checkPackageDefinition.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   328
#
43221
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   329
package.definition=sun.misc.,\
eef9383d25cb 8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
mullan
parents: 43211
diff changeset
   330
                   sun.reflect.,\
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   331
90ce3da70b43 Initial load
duke
parents:
diff changeset
   332
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   333
# Determines whether this properties file can be appended to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   334
# or overridden on the command line via -Djava.security.properties
90ce3da70b43 Initial load
duke
parents:
diff changeset
   335
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   336
security.overridePropertiesFile=true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   337
90ce3da70b43 Initial load
duke
parents:
diff changeset
   338
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   339
# Determines the default key and trust manager factory algorithms for
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   340
# the javax.net.ssl package.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   341
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   342
ssl.KeyManagerFactory.algorithm=SunX509
90ce3da70b43 Initial load
duke
parents:
diff changeset
   343
ssl.TrustManagerFactory.algorithm=PKIX
90ce3da70b43 Initial load
duke
parents:
diff changeset
   344
90ce3da70b43 Initial load
duke
parents:
diff changeset
   345
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   346
# The Java-level namelookup cache policy for successful lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   347
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   348
# any negative value: caching forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   349
# any positive value: the number of seconds to cache an address for
90ce3da70b43 Initial load
duke
parents:
diff changeset
   350
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   351
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   352
# default value is forever (FOREVER). For security reasons, this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   353
# caching is made forever when a security manager is set. When a security
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   354
# manager is not set, the default behavior in this implementation
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   355
# is to cache for 30 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   356
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   357
# NOTE: setting this to anything other than the default value can have
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   358
#       serious security implications. Do not set it unless
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   359
#       you are sure you are not exposed to DNS spoofing attack.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   360
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   361
#networkaddress.cache.ttl=-1
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   362
90ce3da70b43 Initial load
duke
parents:
diff changeset
   363
# The Java-level namelookup cache policy for failed lookups:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   364
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   365
# any negative value: cache forever
90ce3da70b43 Initial load
duke
parents:
diff changeset
   366
# any positive value: the number of seconds to cache negative lookup results
90ce3da70b43 Initial load
duke
parents:
diff changeset
   367
# zero: do not cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   368
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   369
# In some Microsoft Windows networking environments that employ
90ce3da70b43 Initial load
duke
parents:
diff changeset
   370
# the WINS name service in addition to DNS, name service lookups
90ce3da70b43 Initial load
duke
parents:
diff changeset
   371
# that fail may take a noticeably long time to return (approx. 5 seconds).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   372
# For this reason the default caching policy is to maintain these
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   373
# results for 10 seconds.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   374
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   375
networkaddress.cache.negative.ttl=10
90ce3da70b43 Initial load
duke
parents:
diff changeset
   376
90ce3da70b43 Initial load
duke
parents:
diff changeset
   377
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   378
# Properties to configure OCSP for certificate revocation checking
90ce3da70b43 Initial load
duke
parents:
diff changeset
   379
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   380
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   381
# Enable OCSP
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   382
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   383
# By default, OCSP is not used for certificate revocation checking.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   384
# This property enables the use of OCSP when set to the value "true".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   385
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   386
# NOTE: SocketPermission is required to connect to an OCSP responder.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   387
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   388
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   389
#   ocsp.enable=true
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   390
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   391
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   392
# Location of the OCSP responder
90ce3da70b43 Initial load
duke
parents:
diff changeset
   393
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   394
# By default, the location of the OCSP responder is determined implicitly
90ce3da70b43 Initial load
duke
parents:
diff changeset
   395
# from the certificate being validated. This property explicitly specifies
90ce3da70b43 Initial load
duke
parents:
diff changeset
   396
# the location of the OCSP responder. The property is used when the
26967
c182469301ee 8037550: Update RFC references in javadoc to RFC 5280
juh
parents: 25991
diff changeset
   397
# Authority Information Access extension (defined in RFC 5280) is absent
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   398
# from the certificate or when it requires overriding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   399
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   400
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   401
#   ocsp.responderURL=http://ocsp.example.net:80
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   402
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   403
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   404
# Subject name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   405
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   406
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   407
# of the certificate being validated. This property identifies the certificate
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   408
# of the OCSP responder when the default does not apply. Its value is a string
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   409
# distinguished name (defined in RFC 2253) which identifies a certificate in
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   410
# the set of certificates supplied during cert path validation. In cases where
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   411
# the subject name alone is not sufficient to uniquely identify the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   412
# then both the "ocsp.responderCertIssuerName" and
90ce3da70b43 Initial load
duke
parents:
diff changeset
   413
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   414
# property is set then those two properties are ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   415
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   416
# Example,
40558
ec1dec20d88f 8024714: In java.security file, ocsp.responderCertSubjectName should not contain quotes
mullan
parents: 40551
diff changeset
   417
#   ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   418
90ce3da70b43 Initial load
duke
parents:
diff changeset
   419
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   420
# Issuer name of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   421
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   422
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   423
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   424
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   425
# distinguished name (defined in RFC 2253) which identifies a certificate in
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   426
# the set of certificates supplied during cert path validation. When this
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   427
# property is set then the "ocsp.responderCertSerialNumber" property must also
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   428
# be set. When the "ocsp.responderCertSubjectName" property is set then this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   429
# property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   430
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   431
# Example,
40558
ec1dec20d88f 8024714: In java.security file, ocsp.responderCertSubjectName should not contain quotes
mullan
parents: 40551
diff changeset
   432
#   ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   433
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   434
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   435
# Serial number of the OCSP responder's certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   436
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   437
# By default, the certificate of the OCSP responder is that of the issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   438
# of the certificate being validated. This property identifies the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   439
# of the OCSP responder when the default does not apply. Its value is a string
90ce3da70b43 Initial load
duke
parents:
diff changeset
   440
# of hexadecimal digits (colon or space separators may be present) which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   441
# identifies a certificate in the set of certificates supplied during cert path
90ce3da70b43 Initial load
duke
parents:
diff changeset
   442
# validation. When this property is set then the "ocsp.responderCertIssuerName"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   443
# property must also be set. When the "ocsp.responderCertSubjectName" property
90ce3da70b43 Initial load
duke
parents:
diff changeset
   444
# is set then this property is ignored.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   445
#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   446
# Example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   447
#   ocsp.responderCertSerialNumber=2A:FF:00
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   448
6311
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   449
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   450
# Policy for failed Kerberos KDC lookups:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   451
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   452
# When a KDC is unavailable (network error, service failure, etc), it is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   453
# put inside a blacklist and accessed less often for future requests. The
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   454
# value (case-insensitive) for this policy can be:
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   455
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   456
# tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   457
#    KDCs in the blacklist are always tried after those not on the list.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   458
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   459
# tryLess[:max_retries,timeout]
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   460
#    KDCs in the blacklist are still tried by their order in the configuration,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   461
#    but with smaller max_retries and timeout values. max_retries and timeout
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   462
#    are optional numerical parameters (default 1 and 5000, which means once
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   463
#    and 5 seconds). Please notes that if any of the values defined here is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   464
#    more than what is defined in krb5.conf, it will be ignored.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   465
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   466
# Whenever a KDC is detected as available, it is removed from the blacklist.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   467
# The blacklist is reset when krb5.conf is reloaded. You can add
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   468
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   469
# reloaded whenever a JAAS authentication is attempted.
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   470
#
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   471
# Example,
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   472
#   krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   473
#   krb5.kdc.bad.policy = tryLess:2,2000
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   474
#
6311
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   475
krb5.kdc.bad.policy = tryLast
1448d18935b5 6976536: Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
weijun
parents: 3492
diff changeset
   476
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   477
#
55258
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   478
# Kerberos cross-realm referrals (RFC 6806)
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   479
#
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   480
# OpenJDK's Kerberos client supports cross-realm referrals as defined in
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   481
# RFC 6806. This allows to setup more dynamic environments in which clients
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   482
# do not need to know in advance how to reach the realm of a target principal
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   483
# (either a user or service).
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   484
#
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   485
# When a client issues an AS or a TGS request, the "canonicalize" option
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   486
# is set to announce support of this feature. A KDC server may fulfill the
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   487
# request or reply referring the client to a different one. If referred,
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   488
# the client will issue a new request and the cycle repeats.
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   489
#
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   490
# In addition to referrals, the "canonicalize" option allows the KDC server
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   491
# to change the client name in response to an AS request. For security reasons,
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   492
# RFC 6806 (section 11) FAST scheme is enforced.
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   493
#
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   494
# Disable Kerberos cross-realm referrals. Value may be overwritten with a
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   495
# System property (-Dsun.security.krb5.disableReferrals).
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   496
sun.security.krb5.disableReferrals=false
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   497
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   498
# Maximum number of AS or TGS referrals to avoid infinite loops. Value may
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   499
# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   500
sun.security.krb5.maxReferrals=5
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   501
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents: 55039
diff changeset
   502
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   503
# Algorithm restrictions for certification path (CertPath) processing
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   504
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   505
# In some environments, certain algorithms or key lengths may be undesirable
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   506
# for certification path building and validation.  For example, "MD2" is
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   507
# generally no longer considered to be a secure hash algorithm.  This section
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   508
# describes the mechanism for disabling algorithms based on algorithm name
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   509
# and/or key length.  This includes algorithms used in certificates, as well
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   510
# as revocation information such as CRLs and signed OCSP Responses.
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   511
# The syntax of the disabled algorithm string is described as follows:
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   512
#   DisabledAlgorithms:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   513
#       " DisabledAlgorithm { , DisabledAlgorithm } "
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   514
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   515
#   DisabledAlgorithm:
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   516
#       AlgorithmName [Constraint] { '&' Constraint }
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   517
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   518
#   AlgorithmName:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   519
#       (see below)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   520
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   521
#   Constraint:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   522
#       KeySizeConstraint | CAConstraint | DenyAfterConstraint |
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   523
#       UsageConstraint
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   524
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   525
#   KeySizeConstraint:
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   526
#       keySize Operator KeyLength
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   527
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   528
#   Operator:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   529
#       <= | < | == | != | >= | >
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   530
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   531
#   KeyLength:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   532
#       Integer value of the algorithm's key length in bits
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   533
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   534
#   CAConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   535
#       jdkCA
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   536
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   537
#   DenyAfterConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   538
#       denyAfter YYYY-MM-DD
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   539
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   540
#   UsageConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   541
#       usage [TLSServer] [TLSClient] [SignedJAR]
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   542
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   543
# The "AlgorithmName" is the standard algorithm name of the disabled
57718
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   544
# algorithm. See the Java Security Standard Algorithm Names Specification
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   545
# for information about Standard Algorithm Names.  Matching is
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   546
# performed using a case-insensitive sub-element matching rule.  (For
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   547
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   548
# "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   549
# sub-element of the certificate algorithm name, the algorithm will be
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   550
# rejected during certification path building and validation.  For example,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   551
# the assertion algorithm name "DSA" will disable all certificate algorithms
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   552
# that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   553
# will not disable algorithms related to "ECDSA".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   554
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   555
# A "Constraint" defines restrictions on the keys and/or certificates for
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   556
# a specified AlgorithmName:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   557
#
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   558
#   KeySizeConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   559
#     keySize Operator KeyLength
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   560
#       The constraint requires a key of a valid size range if the
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   561
#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   562
#       the key size specified in number of bits.  For example,
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   563
#       "RSA keySize <= 1024" indicates that any RSA key with key size less
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   564
#       than or equal to 1024 bits should be disabled, and
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   565
#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   566
#       with key size less than 1024 or greater than 2048 should be disabled.
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   567
#       This constraint is only used on algorithms that have a key size.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   568
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   569
#   CAConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   570
#     jdkCA
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   571
#       This constraint prohibits the specified algorithm only if the
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   572
#       algorithm is used in a certificate chain that terminates at a marked
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   573
#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   574
#       constraint is not set, then all chains using the specified algorithm
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   575
#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   576
#       expression.
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   577
#       Example:  To apply this constraint to SHA-1 certificates, include
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   578
#       the following:  "SHA1 jdkCA"
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   579
#
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   580
#   DenyAfterConstraint:
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   581
#     denyAfter YYYY-MM-DD
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   582
#       This constraint prohibits a certificate with the specified algorithm
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   583
#       from being used after the date regardless of the certificate's
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   584
#       validity.  JAR files that are signed and timestamped before the
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   585
#       constraint date with certificates containing the disabled algorithm
45992
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   586
#       will not be restricted.  The date is processed in the UTC timezone.
38bdf44057b9 8179998: Clear certificate chain connections
ascarpino
parents: 44249
diff changeset
   587
#       This constraint can only be used once in a DisabledAlgorithm
38576
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   588
#       expression.
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   589
#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
ccaac80108c5 8154005: Add algorithm constraint that specifies the restriction date
ascarpino
parents: 38435
diff changeset
   590
#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   591
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   592
#   UsageConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   593
#     usage [TLSServer] [TLSClient] [SignedJAR]
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   594
#       This constraint prohibits the specified algorithm for
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   595
#       a specified usage.  This should be used when disabling an algorithm
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   596
#       for all usages is not practical. 'TLSServer' restricts the algorithm
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   597
#       in TLS server certificate chains when server authentication is
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   598
#       performed. 'TLSClient' restricts the algorithm in TLS client
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   599
#       certificate chains when client authentication is performed.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   600
#       'SignedJAR' constrains use of certificates in signed jar files.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   601
#       The usage type follows the keyword and more than one usage type can
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   602
#       be specified with a whitespace delimiter.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   603
#       Example:  "SHA1 usage TLSServer TLSClient"
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   604
#
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   605
# When an algorithm must satisfy more than one constraint, it must be
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   606
# delimited by an ampersand '&'.  For example, to restrict certificates in a
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   607
# chain that terminate at a distribution provided trust anchor and contain
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   608
# RSA keys that are less than or equal to 1024 bits, add the following
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   609
# constraint:  "RSA keySize <= 1024 & jdkCA".
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   610
#
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   611
# All DisabledAlgorithms expressions are processed in the order defined in the
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   612
# property.  This requires lower keysize constraints to be specified
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   613
# before larger keysize constraints of the same algorithm.  For example:
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   614
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 37373
diff changeset
   615
#
41816
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   616
# Note: The algorithm restrictions do not apply to trust anchors or
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   617
# self-signed certificates.
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   618
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   619
# Note: This property is currently used by Oracle's PKIX implementation. It
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   620
# is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   621
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   622
# Example:
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   623
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   624
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   625
#
44249
0462723a58ef 8176503: Disable SHA-1 TLS Server Certificates
mullan
parents: 43807
diff changeset
   626
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
0462723a58ef 8176503: Disable SHA-1 TLS Server Certificates
mullan
parents: 43807
diff changeset
   627
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   628
43211
f264afd5082c 8156802: Better constraint checking
rriggs
parents: 43206
diff changeset
   629
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   630
# Algorithm restrictions for signed JAR files
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   631
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   632
# In some environments, certain algorithms or key lengths may be undesirable
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   633
# for signed JAR validation.  For example, "MD2" is generally no longer
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   634
# considered to be a secure hash algorithm.  This section describes the
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   635
# mechanism for disabling algorithms based on algorithm name and/or key length.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   636
# JARs signed with any of the disabled algorithms or key sizes will be treated
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   637
# as unsigned.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   638
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   639
# The syntax of the disabled algorithm string is described as follows:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   640
#   DisabledAlgorithms:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   641
#       " DisabledAlgorithm { , DisabledAlgorithm } "
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   642
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   643
#   DisabledAlgorithm:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   644
#       AlgorithmName [Constraint] { '&' Constraint }
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   645
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   646
#   AlgorithmName:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   647
#       (see below)
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   648
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   649
#   Constraint:
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   650
#       KeySizeConstraint | DenyAfterConstraint
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   651
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   652
#   KeySizeConstraint:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   653
#       keySize Operator KeyLength
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   654
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   655
#   DenyAfterConstraint:
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   656
#       denyAfter YYYY-MM-DD
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   657
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   658
#   Operator:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   659
#       <= | < | == | != | >= | >
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   660
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   661
#   KeyLength:
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   662
#       Integer value of the algorithm's key length in bits
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   663
#
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   664
# Note: This property is currently used by the JDK Reference
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   665
# implementation. It is not guaranteed to be examined and used by other
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   666
# implementations.
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   667
#
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   668
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43697
diff changeset
   669
#
41589
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   670
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   671
      DSA keySize < 1024
e638cce63968 8167591: Add MD5 to signed JAR restrictions
ascarpino
parents: 41583
diff changeset
   672
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   673
#
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   674
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   675
# (SSL/TLS/DTLS) processing
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   676
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   677
# In some environments, certain algorithms or key lengths may be undesirable
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   678
# when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 30790
diff changeset
   679
# algorithms during SSL/TLS/DTLS security parameters negotiation, including
57718
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   680
# protocol version negotiation, cipher suites selection, named groups
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   681
# selection, signature schemes selection, peer authentication and key
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   682
# exchange mechanisms.
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   683
#
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   684
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 28243
diff changeset
   685
# if they are enabled explicitly in an application.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   686
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   687
# For PKI-based peer authentication and key exchange mechanisms, this list
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   688
# of disabled algorithms will also be checked during certification path
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   689
# building and validation, including algorithms used in certificates, as
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   690
# well as revocation information such as CRLs and signed OCSP Responses.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   691
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   692
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   693
# See the specification of "jdk.certpath.disabledAlgorithms" for the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   694
# syntax of the disabled algorithm string.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   695
#
41816
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   696
# Note: The algorithm restrictions do not apply to trust anchors or
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   697
# self-signed certificates.
07e906f1a20b 8168822: Document that algorithm restrictions do not apply to trusted anchors
xuelei
parents: 41589
diff changeset
   698
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   699
# Note: This property is currently used by the JDK Reference implementation.
7040
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   700
# It is not guaranteed to be examined and used by other implementations.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   701
#
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents: 6311
diff changeset
   702
# Example:
57718
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   703
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   704
#       rsa_pkcs1_sha1, secp224r1
51465
e4ba2cfcfa92 8208350: Disable all DES cipher suites
jnimeh
parents: 51356
diff changeset
   705
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
52286
d98fb44ad6bf 8211883: Disable anon and NULL cipher suites
mullan
parents: 51879
diff changeset
   706
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   707
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   708
#
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   709
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   710
# processing in JSSE implementation.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   711
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   712
# In some environments, a certain algorithm may be undesirable but it
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   713
# cannot be disabled because of its use in legacy applications.  Legacy
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   714
# algorithms may still be supported, but applications should not use them
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   715
# as the security strength of legacy algorithms are usually not strong enough
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   716
# in practice.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   717
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   718
# During SSL/TLS security parameters negotiation, legacy algorithms will
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   719
# not be negotiated unless there are no other candidates.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   720
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   721
# The syntax of the legacy algorithms string is described as this Java
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   722
# BNF-style:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   723
#   LegacyAlgorithms:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   724
#       " LegacyAlgorithm { , LegacyAlgorithm } "
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   725
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   726
#   LegacyAlgorithm:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   727
#       AlgorithmName (standard JSSE algorithm name)
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   728
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   729
# See the specification of security property "jdk.certpath.disabledAlgorithms"
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   730
# for the syntax and description of the "AlgorithmName" notation.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   731
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   732
# Per SSL/TLS specifications, cipher suites have the form:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   733
#       SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   734
# or
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   735
#       TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   736
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   737
# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   738
# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   739
# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   740
# algorithm for HMAC.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   741
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   742
# The LegacyAlgorithm can be one of the following standard algorithm names:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   743
#     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   744
#     2. JSSE key exchange algorithm name, e.g., RSA
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   745
#     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
31712
e4d5230193da 8076328: Enforce key exchange constraints
xuelei
parents: 31689
diff changeset
   746
#     4. JSSE message digest algorithm name, e.g., SHA
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   747
#
57718
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   748
# See SSL/TLS specifications and the Java Security Standard Algorithm Names
a93b7b28f644 8226374: Restrict TLS signature schemes and named groups
xuelei
parents: 55258
diff changeset
   749
# Specification for information about the algorithm names.
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   750
#
38419
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   751
# Note: If a legacy algorithm is also restricted through the
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   752
# jdk.tls.disabledAlgorithms property or the
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   753
# java.security.AlgorithmConstraints API (See
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   754
# javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   755
# then the algorithm is completely disabled and will not be negotiated.
5201cc2ca81d 8151856: Note that disabledAlgorithms override the same algorithms of legacyAlgorithms
xuelei
parents: 37896
diff changeset
   756
#
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   757
# Note: This property is currently used by the JDK Reference implementation.
31689
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   758
# It is not guaranteed to be examined and used by other implementations.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   759
# There is no guarantee the property will continue to exist or be of the
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   760
# same syntax in future releases.
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   761
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   762
# Example:
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   763
#   jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   764
#
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   765
jdk.tls.legacyAlgorithms= \
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   766
        K_NULL, C_NULL, M_NULL, \
1201792aa3a3 8043201: Deprecate RC4 in SunJSSE provider
asmotrak
parents: 31270
diff changeset
   767
        DH_anon, ECDH_anon, \
43201
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   768
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
b4c682966e2a 8165071: Expand TLS support
xuelei
parents: 42365
diff changeset
   769
        3DES_EDE_CBC
33295
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   770
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   771
#
33295
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   772
# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   773
# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   774
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   775
# In traditional SSL/TLS/DTLS connections where finite field DHE parameters
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   776
# negotiation mechanism is not used, the server offers the client group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   777
# parameters, base generator g and prime modulus p, for DHE key exchange.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   778
# It is recommended to use dynamic group parameters.  This property defines
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   779
# a mechanism that allows you to specify custom group parameters.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   780
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   781
# The syntax of this property string is described as this Java BNF-style:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   782
#   DefaultDHEParameters:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   783
#       DefinedDHEParameters { , DefinedDHEParameters }
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   784
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   785
#   DefinedDHEParameters:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   786
#       "{" DHEPrimeModulus , DHEBaseGenerator "}"
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   787
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   788
#   DHEPrimeModulus:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   789
#       HexadecimalDigits
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   790
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   791
#   DHEBaseGenerator:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   792
#       HexadecimalDigits
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   793
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   794
#   HexadecimalDigits:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   795
#       HexadecimalDigit { HexadecimalDigit }
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   796
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   797
#   HexadecimalDigit: one of
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   798
#       0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   799
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   800
# Whitespace characters are ignored.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   801
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   802
# The "DefinedDHEParameters" defines the custom group parameters, prime
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   803
# modulus p and base generator g, for a particular size of prime modulus p.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   804
# The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   805
# "DHEBaseGenerator" defines the hexadecimal base generator g of a group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   806
# parameter.  It is recommended to use safe primes for the custom group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   807
# parameters.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   808
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   809
# If this property is not defined or the value is empty, the underlying JSSE
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   810
# provider's default group parameter is used for each connection.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   811
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   812
# If the property value does not follow the grammar, or a particular group
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   813
# parameter is not valid, the connection will fall back and use the
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   814
# underlying JSSE provider's default group parameter.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   815
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   816
# Note: This property is currently used by OpenJDK's JSSE implementation. It
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   817
# is not guaranteed to be examined and used by other implementations.
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   818
#
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   819
# Example:
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   820
#   jdk.tls.server.defaultDHEParameters=
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   821
#       { \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   822
#       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   823
#       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   824
#       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   825
#       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   826
#       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
052d130b84ed 8081760: Better group dynamics
xuelei
parents: 33283
diff changeset
   827
#       FFFFFFFF FFFFFFFF, 2}
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   828
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   829
#
50768
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   830
# TLS key limits on symmetric cryptographic algorithms
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   831
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   832
# This security property sets limits on algorithms key usage in TLS 1.3.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   833
# When the amount of data encrypted exceeds the algorithm value listed below,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   834
# a KeyUpdate message will trigger a key change.  This is for symmetric ciphers
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   835
# with TLS 1.3 only.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   836
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   837
# The syntax for the property is described below:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   838
#   KeyLimits:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   839
#       " KeyLimit { , KeyLimit } "
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   840
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   841
#   WeakKeyLimit:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   842
#       AlgorithmName Action Length
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   843
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   844
#   AlgorithmName:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   845
#       A full algorithm transformation.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   846
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   847
#   Action:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   848
#       KeyUpdate
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   849
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   850
#   Length:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   851
#       The amount of encrypted data in a session before the Action occurs
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   852
#       This value may be an integer value in bytes, or as a power of two, 2^29.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   853
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   854
#   KeyUpdate:
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   855
#       The TLS 1.3 KeyUpdate handshake process begins when the Length amount
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   856
#       is fulfilled.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   857
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   858
# Note: This property is currently used by OpenJDK's JSSE implementation. It
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   859
# is not guaranteed to be examined and used by other implementations.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   860
#
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   861
jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   862
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents: 50722
diff changeset
   863
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   864
# Cryptographic Jurisdiction Policy defaults
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   865
#
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   866
# Import and export control rules on cryptographic software vary from
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   867
# country to country.  By default, Java provides two different sets of
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   868
# cryptographic policy files[1]:
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   869
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   870
#     unlimited:  These policy files contain no restrictions on cryptographic
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   871
#                 strengths or algorithms
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   872
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   873
#     limited:    These policy files contain more restricted cryptographic
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   874
#                 strengths
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   875
#
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   876
# The default setting is determined by the value of the "crypto.policy"
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   877
# Security property below. If your country or usage requires the
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   878
# traditional restrictive policy, the "limited" Java cryptographic
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   879
# policy is still available and may be appropriate for your environment.
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   880
#
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   881
# If you have restrictions that do not fit either use case mentioned
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   882
# above, Java provides the capability to customize these policy files.
48546
707438d2d171 8190229: Non-ASCII characters in java.security file after 8186093
wetmore
parents: 47216
diff changeset
   883
# The "crypto.policy" security property points to a subdirectory
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   884
# within <java-home>/conf/security/policy/ which can be customized.
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   885
# Please see the <java-home>/conf/security/policy/README.txt file or consult
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   886
# the Java Security Guide/JCA documentation for more information.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   887
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   888
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   889
# TO DETERMINE THE EXACT REQUIREMENTS.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   890
#
47031
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   891
# [1] Please note that the JCE for Java SE, including the JCE framework,
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   892
# cryptographic policy files, and standard JCE providers provided with
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   893
# the Java SE, have been reviewed and approved for export as mass market
78fb24b5f758 8186093: A comment in the java.security configuration file incorrectly says that strong but "limited" is the default value
wetmore
parents: 46160
diff changeset
   894
# encryption item by the US Bureau of Industry and Security.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   895
#
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   896
# Note: This property is currently used by the JDK Reference implementation.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   897
# It is not guaranteed to be examined and used by other implementations.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   898
#
40565
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   899
crypto.policy=crypto.policydir-tbd
3ac0ba151e70 8061842: Package jurisdiction policy files as something other than JAR
wetmore
parents: 40558
diff changeset
   900
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   901
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   902
# The policy for the XML Signature secure validation mode. The mode is
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   903
# enabled by setting the property "org.jcp.xml.dsig.secureValidation" to
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   904
# true with the javax.xml.crypto.XMLCryptoContext.setProperty() method,
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   905
# or by running the code with a SecurityManager.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   906
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   907
#   Policy:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   908
#       Constraint {"," Constraint }
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   909
#   Constraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   910
#       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   911
#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   912
#   AlgConstraint
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   913
#       "disallowAlg" Uri
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   914
#   MaxTransformsConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   915
#       "maxTransforms" Integer
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   916
#   MaxReferencesConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   917
#       "maxReferences" Integer
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   918
#   ReferenceUriSchemeConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   919
#       "disallowReferenceUriSchemes" String { String }
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   920
#   KeySizeConstraint:
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   921
#       "minKeySize" KeyAlg Integer
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   922
#   OtherConstraint:
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   923
#       "noDuplicateIds" | "noRetrievalMethodLoops"
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   924
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   925
# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   926
# See the XML Signature Recommendation for more information on algorithm
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   927
# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   928
# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   929
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   930
# specified more than once, only the last entry is enforced.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   931
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   932
# Note: This property is currently used by the JDK Reference implementation. It
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   933
# is not guaranteed to be examined and used by other implementations.
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   934
#
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   935
jdk.xml.dsig.secureValidationPolicy=\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   936
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   937
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   938
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   939
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   940
    maxTransforms 5,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   941
    maxReferences 30,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   942
    disallowReferenceUriSchemes file http https,\
43206
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   943
    minKeySize RSA 1024,\
4c18d1166944 8140353: Improve signature checking
mullan
parents: 43201
diff changeset
   944
    minKeySize DSA 1024,\
49779
ade43608ac3d 8186032: Disable XML Signatures signed with EC keys less than 224 bits
mullan
parents: 48608
diff changeset
   945
    minKeySize EC 224,\
40551
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   946
    noDuplicateIds,\
05eba5515cbb 8151893: Add security property to configure XML Signature secure validation mode
mullan
parents: 39767
diff changeset
   947
    noRetrievalMethodLoops
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   948
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   949
#
53304
9e968a576dd2 8202675: Replace process-wide terminology in serial filtering to be consistent
rriggs
parents: 52996
diff changeset
   950
# Serialization system-wide filter
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   951
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   952
# A filter, if configured, is used by java.io.ObjectInputStream during
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   953
# deserialization to check the contents of the stream.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   954
# A filter is configured as a sequence of patterns, each pattern is either
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   955
# matched against the name of a class in the stream or defines a limit.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   956
# Patterns are separated by ";" (semicolon).
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   957
# Whitespace is significant and is considered part of the pattern.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   958
#
49783
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   959
# If the system property jdk.serialFilter is also specified, it supersedes
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   960
# the security property value defined here.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
   961
#
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   962
# If a pattern includes a "=", it sets a limit.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   963
# If a limit appears more than once the last value is used.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   964
# Limits are checked before classes regardless of the order in the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   965
# sequence of patterns.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   966
# If any of the limits are exceeded, the filter status is REJECTED.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   967
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   968
#   maxdepth=value - the maximum depth of a graph
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   969
#   maxrefs=value  - the maximum number of internal references
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   970
#   maxbytes=value - the maximum number of bytes in the input stream
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   971
#   maxarray=value - the maximum array length allowed
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   972
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   973
# Other patterns, from left to right, match the class or package name as
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   974
# returned from Class.getName.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   975
# If the class is an array type, the class or package to be matched is the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   976
# element type.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   977
# Arrays of any number of dimensions are treated the same as the element type.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   978
# For example, a pattern of "!example.Foo", rejects creation of any instance or
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   979
# array of example.Foo.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   980
#
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   981
# If the pattern starts with "!", the status is REJECTED if the remaining
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   982
# pattern is matched; otherwise the status is ALLOWED if the pattern matches.
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   983
# If the pattern contains "/", the non-empty prefix up to the "/" is the
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   984
# module name;
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   985
#   if the module name matches the module name of the class then
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   986
#   the remaining pattern is matched with the class name.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   987
#   If there is no "/", the module name is not compared.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   988
# If the pattern ends with ".**" it matches any class in the package and all
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   989
# subpackages.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   990
# If the pattern ends with ".*" it matches any class in the package.
42365
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   991
# If the pattern ends with "*", it matches any class with the pattern as a
5e640c2994d6 8170157: Enable unlimited cryptographic policy by default in OracleJDK
wetmore
parents: 41816
diff changeset
   992
# prefix.
41230
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   993
# If the pattern is equal to the class name, it matches.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   994
# Otherwise, the status is UNDECIDED.
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   995
#
0a8c1ba2b6fb 8155760: Implement Serialization Filtering
rriggs
parents: 40565
diff changeset
   996
#jdk.serialFilter=pattern;pattern
41580
cc479488428c 8155973: Tighten jar checks
ascarpino
parents: 41230
diff changeset
   997
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   998
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
   999
# RMI Registry Serial Filter
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1000
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1001
# The filter pattern uses the same format as jdk.serialFilter.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1002
# This filter can override the builtin filter if additional types need to be
46160
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1003
# allowed or rejected from the RMI Registry or to decrease limits but not
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1004
# to increase limits.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1005
# If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1006
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1007
# Each non-array type is allowed or rejected if it matches one of the patterns,
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1008
# evaluated from left to right, and is otherwise allowed. Arrays of any
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1009
# component type, including subarrays and arrays of primitives, are allowed.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1010
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1011
# Array construction of any component type, including subarrays and arrays of
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1012
# primitives, are allowed unless the length is greater than the maxarray limit.
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1013
# The filter is applied to each array element.
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1014
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1015
# Note: This property is currently used by the JDK Reference implementation.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1016
# It is not guaranteed to be examined and used by other implementations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1017
#
46160
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1018
# The built-in filter allows subclasses of allowed classes and
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1019
# can approximately be represented as the pattern:
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1020
#
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1021
#sun.rmi.registry.registryFilter=\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1022
#    maxarray=1000000;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1023
#    maxdepth=20;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1024
#    java.lang.String;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1025
#    java.lang.Number;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1026
#    java.lang.reflect.Proxy;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1027
#    java.rmi.Remote;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1028
#    sun.rmi.server.UnicastRef;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1029
#    sun.rmi.server.RMIClientSocketFactory;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1030
#    sun.rmi.server.RMIServerSocketFactory;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1031
#    java.rmi.activation.ActivationID;\
c647e44ea1b9 8185346: Relax RMI Registry Serial Filter to allow arrays of any type
rriggs
parents: 45992
diff changeset
  1032
#    java.rmi.server.UID
43697
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1033
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1034
# RMI Distributed Garbage Collector (DGC) Serial Filter
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1035
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1036
# The filter pattern uses the same format as jdk.serialFilter.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1037
# This filter can override the builtin filter if additional types need to be
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1038
# allowed or rejected from the RMI DGC.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1039
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1040
# Note: This property is currently used by the JDK Reference implementation.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1041
# It is not guaranteed to be examined and used by other implementations.
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1042
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1043
# The builtin DGC filter can approximately be represented as the filter pattern:
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1044
#
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1045
#sun.rmi.transport.dgcFilter=\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1046
#    java.rmi.server.ObjID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1047
#    java.rmi.server.UID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1048
#    java.rmi.dgc.VMID;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1049
#    java.rmi.dgc.Lease;\
d9fa651a5936 8173410: Add commented config line for jdk.security.provider.preferred
ascarpino
parents: 43696
diff changeset
  1050
#    maxdepth=5;maxarray=10000
48554
592e22777742 8160104: CORBA communication improvements
msheppar
parents: 47216
diff changeset
  1051
49783
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1052
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1053
# JCEKS Encrypted Key Serial Filter
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1054
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1055
# This filter, if configured, is used by the JCEKS KeyStore during the
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1056
# deserialization of the encrypted Key object stored inside a key entry.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1057
# If not configured or the filter result is UNDECIDED (i.e. none of the patterns
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1058
# matches), the filter configured by jdk.serialFilter will be consulted.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1059
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1060
# If the system property jceks.key.serialFilter is also specified, it supersedes
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1061
# the security property value defined here.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1062
#
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1063
# The filter pattern uses the same format as jdk.serialFilter. The default
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1064
# pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1065
# and javax.crypto.spec.SecretKeySpec and rejects all the others.
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1066
jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
977c6dd636bd 8189997: Enhance keystore mechanisms
weijun
parents: 49779
diff changeset
  1067
  java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1068
59158
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1069
# The iteration count used for password-based encryption (PBE) in JCEKS
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1070
# keystores. Values in the range 10000 to 5000000 are considered valid.
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1071
# If the value is out of this range, or is not a number, or is unspecified;
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1072
# a default of 200000 is used.
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1073
#
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1074
# If the system property jdk.jceks.iterationCount is also specified, it
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1075
# supersedes the security property value defined here.
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1076
#
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1077
#jdk.jceks.iterationCount = 200000
438337c846fb 8233404: System property to set the number of PBE iterations in JCEKS keystores
mbalao
parents: 58612
diff changeset
  1078
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1079
#
52996
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1080
# PKCS12 KeyStore properties
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1081
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1082
# The following properties, if configured, are used by the PKCS12 KeyStore
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1083
# implementation during the creation of a new keystore. Several of the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1084
# properties may also be used when modifying an existing keystore. The
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1085
# properties can be overridden by a KeyStore API that specifies its own
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1086
# algorithms and parameters.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1087
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1088
# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1089
# parameter used to generate the existing Mac will be reused. If the existing
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1090
# keystore does not have a Mac, no Mac will be created while storing. If there
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1091
# is at least one certificate in the existing keystore, the algorithm and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1092
# parameters used to encrypt the last certificate in the existing keystore will
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1093
# be reused to encrypt all certificates while storing. If the last certificate
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1094
# in the existing keystore is not encrypted, all certificates will be stored
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1095
# unencrypted. If there is no certificate in the existing keystore, any newly
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1096
# added certificate will be encrypted (or stored unencrypted if algorithm
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1097
# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1098
# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1099
# and secret key(s) are not changed. Newly set private and secret key(s) will
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1100
# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1101
# "keystore.pkcs12.keyPbeIterationCount" values defined here.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1102
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1103
# In order to apply new algorithms and parameters to all entries in an
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1104
# existing keystore, one can create a new keystore and add entries in the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1105
# existing keystore into the new keystore. This can be achieved by calling the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1106
# "keytool -importkeystore" command.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1107
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1108
# If a system property of the same name is also specified, it supersedes the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1109
# security property value defined here.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1110
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1111
# If the property is set to an illegal value,
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1112
# an iteration count that is not a positive integer, or an unknown algorithm
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1113
# name, an exception will be thrown when the property is used.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1114
# If the property is not set or empty, a default value will be used.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1115
#
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1116
# Note: These properties are currently used by the JDK Reference implementation.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1117
# They are not guaranteed to be examined and used by other implementations.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1118
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1119
# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1120
# algorithm defined in the Cipher section of the Java Security Standard
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1121
# Algorithm Names Specification. When set to "NONE", the certificate
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1122
# is not encrypted. The default value is "PBEWithSHA1AndRC2_40".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1123
#keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1124
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1125
# The iteration count used by the PBE algorithm when encrypting a certificate.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1126
# This value must be a positive integer. The default value is 50000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1127
#keystore.pkcs12.certPbeIterationCount = 50000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1128
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1129
# The algorithm used to encrypt a private key or secret key. This can be
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1130
# any non-Hmac PBE algorithm defined in the Cipher section of the Java
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1131
# Security Standard Algorithm Names Specification. The value must not be "NONE".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1132
# The default value is "PBEWithSHA1AndDESede".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1133
#keystore.pkcs12.keyProtectionAlgorithm = PBEWithSHA1AndDESede
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1134
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1135
# The iteration count used by the PBE algorithm when encrypting a private key
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1136
# or a secret key. This value must be a positive integer. The default value
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1137
# is 50000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1138
#keystore.pkcs12.keyPbeIterationCount = 50000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1139
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1140
# The algorithm used to calculate the optional MacData at the end of a PKCS12
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1141
# file. This can be any HmacPBE algorithm defined in the Mac section of the
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1142
# Java Security Standard Algorithm Names Specification. When set to "NONE",
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1143
# no Mac is generated. The default value is "HmacPBESHA1".
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1144
#keystore.pkcs12.macAlgorithm = HmacPBESHA1
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1145
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1146
# The iteration count used by the MacData algorithm. This value must be a
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1147
# positive integer. The default value is 100000.
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1148
#keystore.pkcs12.macIterationCount = 100000
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1149
2457d862a646 8076190: Customizing the generation of a PKCS12 keystore
weijun
parents: 52948
diff changeset
  1150
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1151
# Enhanced exception message information
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1152
#
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1153
# By default, exception messages should not include potentially sensitive
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1154
# information such as file names, host names, or port numbers. This property
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1155
# accepts one or more comma separated values, each of which represents a
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1156
# category of enhanced exception message information to enable. Values are
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1157
# case-insensitive. Leading and trailing whitespaces, surrounding each value,
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1158
# are ignored. Unknown values are ignored.
50722
bc104aaf24e9 8204233: Add configurable option for enhanced socket IOException messages
michaelm
parents: 49787
diff changeset
  1159
#
51356
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1160
# NOTE: Use caution before setting this property. Setting this property
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1161
# exposes sensitive information in Exceptions, which could, for example,
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1162
# propagate to untrusted code or be emitted in stack traces that are
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1163
# inadvertently disclosed and made accessible over a public network.
88d9be7f52c5 8208691: Tighten up jdk.includeInExceptions security property
mullan
parents: 51236
diff changeset
  1164
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1165
# The categories are:
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1166
#
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1167
#  hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1168
#             java.nio.channels package will contain enhanced exception
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1169
#             message information
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1170
#
51879
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1171
#  jar      - enables more detailed information in the IOExceptions thrown
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1172
#             by classes in the java.util.jar package
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1173
#
51236
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1174
# The property setting in this file can be overridden by a system property of
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1175
# the same name, with the same syntax and possible values.
a90d8198d7e4 8207846: Generalize the jdk.net.includeInExceptions security property
chegar
parents: 50768
diff changeset
  1176
#
51879
6ffa38b8da65 8207768: Improve exception messages during manifest parsing of jar archives
mbaesken
parents: 51465
diff changeset
  1177
#jdk.includeInExceptions=hostInfo,jar
52948
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1178
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1179
#
54802
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1180
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1181
#
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1182
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
57759
22fa46d5dc2e 8229767: Typo in java.security: Sasl.createClient and Sasl.createServer
weijun
parents: 57718
diff changeset
  1183
# These mechanisms will be ignored if they are specified in the "mechanisms"
22fa46d5dc2e 8229767: Typo in java.security: Sasl.createClient and Sasl.createServer
weijun
parents: 57718
diff changeset
  1184
# argument of "Sasl.createSaslClient" or the "mechanism" argument of
22fa46d5dc2e 8229767: Typo in java.security: Sasl.createClient and Sasl.createServer
weijun
parents: 57718
diff changeset
  1185
# "Sasl.createSaslServer".
54802
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1186
#
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1187
# The value of this property is a comma-separated list of SASL mechanisms.
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1188
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1189
#
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1190
# Note: This property is currently used by the JDK Reference implementation.
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1191
# It is not guaranteed to be examined and used by other implementations.
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1192
#
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1193
# Example:
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1194
#   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1195
jdk.sasl.disabledMechanisms=
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1196
b0a1572ec64a 8200400: Restrict Sasl mechanisms
weijun
parents: 53430
diff changeset
  1197
#
52948
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1198
# Policies for distrusting Certificate Authorities (CAs).
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1199
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1200
# This is a comma separated value of one or more case-sensitive strings, each
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1201
# of which represents a policy for determining if a CA should be distrusted.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1202
# The supported values are:
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1203
#
53428
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1204
#   SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1205
#   root CA and issued after April 16, 2019 unless issued by one of the
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1206
#   following subordinate CAs which have a later distrust date:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1207
#     1. Apple IST CA 2 - G1, SHA-256 fingerprint:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1208
#        AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1209
#        Distrust after December 31, 2019.
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1210
#     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1211
#        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
f443de1cee05 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents: 52996
diff changeset
  1212
#        Distrust after December 31, 2019.
52948
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1213
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1214
# Leading and trailing whitespace surrounding each value are ignored.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1215
# Unknown values are ignored. If the property is commented out or set to the
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1216
# empty String, no policies are enforced.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1217
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1218
# Note: This property is currently used by the JDK Reference implementation.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1219
# It is not guaranteed to be supported by other SE implementations. Also, this
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1220
# property does not override other security properties which can restrict
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1221
# certificates such as jdk.tls.disabledAlgorithms or
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1222
# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1223
# if this property is not enabled.
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1224
#
04c9b7111aac 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents: 52286
diff changeset
  1225
jdk.security.caDistrustPolicies=SYMANTEC_TLS
58611
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1226
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1227
#
58612
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1228
# FilePermission path canonicalization
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1229
#
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1230
# This security property dictates how the path argument is processed and stored
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1231
# while constructing a FilePermission object. If the value is set to true, the
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1232
# path argument is canonicalized and FilePermission methods (such as implies,
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1233
# equals, and hashCode) are implemented based on this canonicalized result.
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1234
# Otherwise, the path argument is not canonicalized and FilePermission methods are
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1235
# implemented based on the original input. See the implementation note of the
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1236
# FilePermission class for more details.
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1237
#
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1238
# If a system property of the same name is also specified, it supersedes the
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1239
# security property value defined here.
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1240
#
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1241
# The default value for this property is false.
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1242
#
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1243
jdk.io.permissionsUseCanonicalPath=false
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1244
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1245
32aff2b7585b 8209901: Canonical file handling
weijun
parents: 58611
diff changeset
  1246
#
58611
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1247
# Policies for the proxy_impersonator Kerberos ccache configuration entry
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1248
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1249
# The proxy_impersonator ccache configuration entry indicates that the ccache
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1250
# is a synthetic delegated credential for use with S4U2Proxy by an intermediate
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1251
# server. The ccache file should also contain the TGT of this server and
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1252
# an evidence ticket from the default principal of the ccache to this server.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1253
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1254
# This security property determines how Java uses this configuration entry.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1255
# There are 3 possible values:
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1256
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1257
#  no-impersonate     - Ignore this configuration entry, and always act as
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1258
#                       the owner of the TGT (if it exists).
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1259
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1260
#  try-impersonate    - Try impersonation when this configuration entry exists.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1261
#                       If no matching TGT or evidence ticket is found,
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1262
#                       fallback to no-impersonate.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1263
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1264
#  always-impersonate - Always impersonate when this configuration entry exists.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1265
#                       If no matching TGT or evidence ticket is found,
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1266
#                       no initial credential is read from the ccache.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1267
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1268
# The default value is "always-impersonate".
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1269
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1270
# If a system property of the same name is also specified, it supersedes the
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1271
# security property value defined here.
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1272
#
53ddf218eddd 8220302: Better Kerberos ccache handling
weijun
parents: 57759
diff changeset
  1273
#jdk.security.krb5.default.initiate.credential=always-impersonate