#

# This is the "master security properties file".

#

# An alternate java.security properties file may be specified

# from the command line via the system property

#

#    -Djava.security.properties=<URL>

#

# This properties file appends to the master security properties file.

# If both properties files specify values for the same key, the value

# from the command-line properties file is selected, as it is the last

# one loaded.

#

# Also, if you specify

#

#    -Djava.security.properties==<URL> (2 equals),

#

# then that properties file completely overrides the master security

# properties file.

#

# To disable the ability to specify an additional properties file from

# the command line, set the key security.overridePropertiesFile

# to false in the master security properties file. It is set to true

# by default.

# In this file, various security properties are set for use by

# java.security classes. This is where users can statically register

# Cryptography Package Providers ("providers" for short). The term

# "provider" refers to a package or set of packages that supply a

# concrete implementation of a subset of the cryptography aspects of

# the Java Security API. A provider may, for example, implement one or

# more digital signature algorithms or message digest algorithms.

#

# Each provider must implement a subclass of the Provider class.

# To register a provider in this master security properties file,

# specify the Provider subclass name and priority in the format

#

#    security.provider.<n>=<className>

#

# This declares a provider, and specifies its preference

# order n. The preference order is the order in which providers are

# searched for requested algorithms (when no specific provider is

# requested). The order is 1-based; 1 is the most preferred, followed

# by 2, and so on.

#

# <className> must specify the subclass of the Provider class whose

# constructor sets the values of various properties that are required

# for the Java Security API to look up the algorithms or other

# facilities implemented by the provider.

#

# There must be at least one provider specification in java.security.

# There is a default provider that comes standard with the JDK. It

# is called the "SUN" provider, and its Provider subclass

# named Sun appears in the sun.security.provider package. Thus, the

# "SUN" provider is registered via the following:

#

#    security.provider.1=sun.security.provider.Sun

#

# (The number 1 is used for the default provider.)

#

# Note: Providers can be dynamically registered instead by calls to

# either the addProvider or insertProviderAt method in the Security

# class.

#

# List of providers and their preference orders (see above):

#

#ifdef solaris

security.provider.tbd=OracleUcrypto

security.provider.tbd=SunPKCS11 ${java.home}/conf/security/sunpkcs11-solaris.cfg

#endif

security.provider.tbd=SUN

security.provider.tbd=SunRsaSign

security.provider.tbd=SunEC

security.provider.tbd=SunJSSE

security.provider.tbd=SunJCE

security.provider.tbd=SunJGSS

security.provider.tbd=SunSASL

security.provider.tbd=XMLDSig

security.provider.tbd=SunPCSC

security.provider.tbd=JdkLDAP

security.provider.tbd=JdkSASL

#ifdef windows

security.provider.tbd=SunMSCAPI

#endif

#ifdef macosx

security.provider.tbd=Apple

#endif

#ifndef solaris

security.provider.tbd=SunPKCS11

#endif

#

# A list of preferred providers for specific algorithms. These providers will

# be searched for matching algorithms before the list of registered providers.

# Entries containing errors (parsing, etc) will be ignored. Use the

# -Djava.security.debug=jca property to debug these errors.

#

# The property is a comma-separated list of serviceType.algorithm:provider

# entries. The serviceType (example: "MessageDigest") is optional, and if

# not specified, the algorithm applies to all service types that support it.

# The algorithm is the standard algorithm name or transformation.

# Transformations can be specified in their full standard name

# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC).

# The provider is the name of the provider. Any provider that does not

# also appear in the registered list will be ignored.

#

# Example:

#   jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \

#         MessageDigest.SHA-256:SUN

#ifdef solaris-sparc

jdk.security.provider.preferred=AES:SunJCE, SHA1:SUN, SHA-224:SUN, \

      SHA-256:SUN, SHA-384:SUN, SHA-512:SUN

#endif

#ifdef solaris-x86

jdk.security.provider.preferred=AES:SunJCE, RSA:SunRsaSign

#endif

#

# Sun Provider SecureRandom seed source.

#

# Select the primary source of seed data for the "NativePRNG", "SHA1PRNG"

# and "DRBG" SecureRandom implementations in the "Sun" provider.

# (Other SecureRandom implementations might also use this property.)

#

# On Unix-like systems (for example, Solaris/Linux/MacOS), the

# "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from

# special device files such as file:/dev/random.

#

# On Windows systems, specifying the URLs "file:/dev/random" or

# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding

# mechanism for SHA1PRNG and DRBG.

#

# By default, an attempt is made to use the entropy gathering device

# specified by the "securerandom.source" Security property.  If an

# exception occurs while accessing the specified URL:

#

#     NativePRNG:

#         a default value of /dev/random will be used.  If neither

#         are available, the implementation will be disabled.

#         "file" is the only currently supported protocol type.

#

#     SHA1PRNG and DRBG:

#         the traditional system/thread activity algorithm will be used.

#

# The entropy gathering device can also be specified with the System

# property "java.security.egd". For example:

#

#   % java -Djava.security.egd=file:/dev/random MainClass

#

# Specifying this System property will override the

# "securerandom.source" Security property.

#

# In addition, if "file:/dev/random" or "file:/dev/urandom" is

# specified, the "NativePRNG" implementation will be more preferred than

# DRBG and SHA1PRNG in the Sun provider.

#

securerandom.source=file:/dev/random

#

# A list of known strong SecureRandom implementations.

#

# To help guide applications in selecting a suitable strong

# java.security.SecureRandom implementation, Java distributions should

# indicate a list of known strong implementations using the property.

#

# This is a comma-separated list of algorithm and/or algorithm:provider

# entries.

#

#ifdef windows

securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN

#endif

#ifndef windows

securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN

#endif

#

# Sun provider DRBG configuration and default instantiation request.

#

# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured

# with a DRBG algorithm name, and can be instantiated with a security strength,

# prediction resistance support, etc. This property defines the configuration

# and the default instantiation request of "DRBG" SecureRandom implementations

# in the SUN provider. (Other DRBG implementations can also use this property.)

# Applications can request different instantiation parameters like security

# strength, capability, personalization string using one of the

# getInstance(...,SecureRandomParameters,...) methods with a

# DrbgParameters.Instantiation argument, but other settings such as the

# mechanism and DRBG algorithm names are not currently configurable by any API.

#

# Please note that the SUN implementation of DRBG always supports reseeding.

#

# The value of this property is a comma-separated list of all configurable

# aspects. The aspects can appear in any order but the same aspect can only

# appear at most once. Its BNF-style definition is:

#

#   Value:

#     aspect { "," aspect }

#

#   aspect:

#     mech_name | algorithm_name | strength | capability | df

#

#   // The DRBG mechanism to use. Default "Hash_DRBG"

#   mech_name:

#     "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG"

#

#   // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and

#   // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG,

#   // default "AES-128" when using the limited cryptographic or "AES-256"

#   // when using the unlimited.

#   algorithm_name:

#     "SHA-224" | "SHA-512/224" | "SHA-256" |

#     "SHA-512/256" | "SHA-384" | "SHA-512" |

#     "AES-128" | "AES-192" | "AES-256"

#

#   // Security strength requested. Default "128"

#   strength:

#     "112" | "128" | "192" | "256"

#

#   // Prediction resistance and reseeding request. Default "none"

#   //  "pr_and_reseed" - Both prediction resistance and reseeding

#   //                    support requested

#   //  "reseed_only"   - Only reseeding support requested

#   //  "none"          - Neither prediction resistance not reseeding

#   //                    support requested

#   pr:

#     "pr_and_reseed" | "reseed_only" | "none"

#

#   // Whether a derivation function should be used. only applicable

#   // to CTR_DRBG. Default "use_df"

#   df:

#     "use_df" | "no_df"

#

# Examples,

#   securerandom.drbg.config=Hash_DRBG,SHA-224,112,none

#   securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df

#

# The default value is an empty string, which is equivalent to

#   securerandom.drbg.config=Hash_DRBG,SHA-256,128,none

securerandom.drbg.config=

#

# Class to instantiate as the javax.security.auth.login.Configuration

# provider.

#

login.configuration.provider=sun.security.provider.ConfigFile

#

# Default login configuration file

#

#login.config.url.1=file:${user.home}/.java.login.config

#

# Class to instantiate as the system Policy. This is the name of the class

# that will be used as the Policy object. The system class loader is used to

# locate this class.

#

policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,

# and a policy file in the user's home directory.

policy.url.1=file:${java.home}/conf/security/java.policy

policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file

# if this is set to false, properties (${...}) will not be expanded in policy

# files.

policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line

# with -Djava.security.policy=somefile. Comment out this line to disable

# this feature.

policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities

# when encountering a 1.1 signed JAR file. If the identity is found

# and is trusted, we grant it AllPermission. Note: the default policy

# provider (sun.security.provider.PolicyFile) does not support this property.

policy.ignoreIdentityScope=false

#

# Default keystore type.

#

keystore.type=pkcs12

#

# Controls compatibility mode for JKS and PKCS12 keystore types.

#

# When set to 'true', both JKS and PKCS12 keystore types support loading

# keystore files in either JKS or PKCS12 format. When set to 'false' the

# JKS keystore type supports loading only JKS keystore files and the PKCS12

# keystore type supports loading only PKCS12 keystore files.

#

keystore.type.compat=true

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when

# passed to checkPackageAccess unless the

# corresponding RuntimePermission ("accessClassInPackage."+package) has

# been granted.

package.access=sun.,\

               com.sun.xml.internal.,\

               com.sun.imageio.,\

               com.sun.istack.internal.,\

               com.sun.jmx.,\

               com.sun.media.sound.,\

               com.sun.naming.internal.,\

               com.sun.proxy.,\

               com.sun.corba.se.,\

               com.sun.org.apache.bcel.internal.,\

               com.sun.org.apache.regexp.internal.,\

               com.sun.org.apache.xerces.internal.,\

               com.sun.org.apache.xpath.internal.,\

               com.sun.org.apache.xalan.internal.extensions.,\

               com.sun.org.apache.xalan.internal.lib.,\

               com.sun.org.apache.xalan.internal.res.,\

               com.sun.org.apache.xalan.internal.templates.,\

               com.sun.org.apache.xalan.internal.utils.,\

               com.sun.org.apache.xalan.internal.xslt.,\

               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\

               com.sun.org.apache.xalan.internal.xsltc.compiler.,\

               com.sun.org.apache.xalan.internal.xsltc.trax.,\

               com.sun.org.apache.xalan.internal.xsltc.util.,\

               com.sun.org.apache.xml.internal.res.,\

               com.sun.org.apache.xml.internal.security.,\

               com.sun.org.apache.xml.internal.serializer.dom3.,\

               com.sun.org.apache.xml.internal.serializer.utils.,\

               com.sun.org.apache.xml.internal.utils.,\

               com.sun.org.glassfish.,\

               com.sun.tools.script.,\

               com.oracle.xmlns.internal.,\

               com.oracle.webservices.internal.,\

               org.jcp.xml.dsig.internal.,\

               jdk.internal.,\

               jdk.nashorn.internal.,\

               jdk.nashorn.tools.,\

               jdk.tools.jimage.,\

               com.sun.activation.registries.,\

               com.sun.java.accessibility.util.internal.,\

#ifdef windows

               com.sun.java.accessibility.internal.,\

#endif

#ifdef macosx

               apple.,\

#endif

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when

# passed to checkPackageDefinition unless the

# corresponding RuntimePermission ("defineClassInPackage."+package) has

# been granted.

#

# by default, none of the class loaders supplied with the JDK call

# checkPackageDefinition.

#

package.definition=sun.,\

                   com.sun.xml.internal.,\

                   com.sun.imageio.,\

                   com.sun.istack.internal.,\

                   com.sun.jmx.,\

                   com.sun.media.sound.,\

                   com.sun.naming.internal.,\

                   com.sun.proxy.,\

                   com.sun.corba.se.,\

                   com.sun.org.apache.bcel.internal.,\

                   com.sun.org.apache.regexp.internal.,\

                   com.sun.org.apache.xerces.internal.,\

                   com.sun.org.apache.xpath.internal.,\

                   com.sun.org.apache.xalan.internal.extensions.,\

                   com.sun.org.apache.xalan.internal.lib.,\

                   com.sun.org.apache.xalan.internal.res.,\

                   com.sun.org.apache.xalan.internal.templates.,\

                   com.sun.org.apache.xalan.internal.utils.,\

                   com.sun.org.apache.xalan.internal.xslt.,\

                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\

                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\

                   com.sun.org.apache.xalan.internal.xsltc.trax.,\

                   com.sun.org.apache.xalan.internal.xsltc.util.,\

                   com.sun.org.apache.xml.internal.res.,\

                   com.sun.org.apache.xml.internal.security.,\

                   com.sun.org.apache.xml.internal.serializer.dom3.,\

                   com.sun.org.apache.xml.internal.serializer.utils.,\

                   com.sun.org.apache.xml.internal.utils.,\

                   com.sun.org.glassfish.,\

                   com.sun.tools.script.,\

                   com.oracle.xmlns.internal.,\

                   com.oracle.webservices.internal.,\

                   org.jcp.xml.dsig.internal.,\

                   jdk.internal.,\

                   jdk.nashorn.internal.,\

                   jdk.nashorn.tools.,\

                   jdk.tools.jimage.,\

                   com.sun.activation.registries.,\

                   com.sun.java.accessibility.util.internal.,\

#ifdef windows

                   com.sun.java.accessibility.internal.,\

#endif

#ifdef macosx

                   apple.,\

#endif

#

# Determines whether this properties file can be appended to

# or overridden on the command line via -Djava.security.properties

#

security.overridePropertiesFile=true

#

# Determines the default key and trust manager factory algorithms for

# the javax.net.ssl package.

#

ssl.KeyManagerFactory.algorithm=SunX509

ssl.TrustManagerFactory.algorithm=PKIX

#

# The Java-level namelookup cache policy for successful lookups:

#

# any negative value: caching forever

# any positive value: the number of seconds to cache an address for

# zero: do not cache

#

# default value is forever (FOREVER). For security reasons, this

# caching is made forever when a security manager is set. When a security

# manager is not set, the default behavior in this implementation

# is to cache for 30 seconds.

#

# NOTE: setting this to anything other than the default value can have

#       serious security implications. Do not set it unless

#       you are sure you are not exposed to DNS spoofing attack.

#

#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:

#

# any negative value: cache forever

# any positive value: the number of seconds to cache negative lookup results

# zero: do not cache

#

# In some Microsoft Windows networking environments that employ

# the WINS name service in addition to DNS, name service lookups

# that fail may take a noticeably long time to return (approx. 5 seconds).

# For this reason the default caching policy is to maintain these

# results for 10 seconds.

#

#

networkaddress.cache.negative.ttl=10

#

# Properties to configure OCSP for certificate revocation checking

#

# Enable OCSP

#

# By default, OCSP is not used for certificate revocation checking.

# This property enables the use of OCSP when set to the value "true".

#

# NOTE: SocketPermission is required to connect to an OCSP responder.

#

# Example,

#   ocsp.enable=true

#

# Location of the OCSP responder

#

# By default, the location of the OCSP responder is determined implicitly

# from the certificate being validated. This property explicitly specifies

# the location of the OCSP responder. The property is used when the

# Authority Information Access extension (defined in RFC 5280) is absent

# from the certificate or when it requires overriding.

#

# Example,

#   ocsp.responderURL=http://ocsp.example.net:80

#

# Subject name of the OCSP responder's certificate

#

# By default, the certificate of the OCSP responder is that of the issuer

# of the certificate being validated. This property identifies the certificate

# of the OCSP responder when the default does not apply. Its value is a string

# distinguished name (defined in RFC 2253) which identifies a certificate in

# the set of certificates supplied during cert path validation. In cases where

# the subject name alone is not sufficient to uniquely identify the certificate

# then both the "ocsp.responderCertIssuerName" and

# "ocsp.responderCertSerialNumber" properties must be used instead. When this

# property is set then those two properties are ignored.

#

# Example,

#   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#

# Issuer name of the OCSP responder's certificate

#

# By default, the certificate of the OCSP responder is that of the issuer

# of the certificate being validated. This property identifies the certificate

# of the OCSP responder when the default does not apply. Its value is a string