jdk/src/java.base/share/conf/security/java.security-solaris
changeset 25859 3317bb8137f4
parent 25543 6655212b3399
equal deleted inserted replaced
25858:836adbf7a2cd 25859:3317bb8137f4
       
     1 #
       
     2 # This is the "master security properties file".
       
     3 #
       
     4 # An alternate java.security properties file may be specified
       
     5 # from the command line via the system property
       
     6 #
       
     7 #    -Djava.security.properties=<URL>
       
     8 #
       
     9 # This properties file appends to the master security properties file.
       
    10 # If both properties files specify values for the same key, the value
       
    11 # from the command-line properties file is selected, as it is the last
       
    12 # one loaded.
       
    13 #
       
    14 # Also, if you specify
       
    15 #
       
    16 #    -Djava.security.properties==<URL> (2 equals),
       
    17 #
       
    18 # then that properties file completely overrides the master security
       
    19 # properties file.
       
    20 #
       
    21 # To disable the ability to specify an additional properties file from
       
    22 # the command line, set the key security.overridePropertiesFile
       
    23 # to false in the master security properties file. It is set to true
       
    24 # by default.
       
    25 
       
    26 # In this file, various security properties are set for use by
       
    27 # java.security classes. This is where users can statically register
       
    28 # Cryptography Package Providers ("providers" for short). The term
       
    29 # "provider" refers to a package or set of packages that supply a
       
    30 # concrete implementation of a subset of the cryptography aspects of
       
    31 # the Java Security API. A provider may, for example, implement one or
       
    32 # more digital signature algorithms or message digest algorithms.
       
    33 #
       
    34 # Each provider must implement a subclass of the Provider class.
       
    35 # To register a provider in this master security properties file,
       
    36 # specify the Provider subclass name and priority in the format
       
    37 #
       
    38 #    security.provider.<n>=<className>
       
    39 #
       
    40 # This declares a provider, and specifies its preference
       
    41 # order n. The preference order is the order in which providers are
       
    42 # searched for requested algorithms (when no specific provider is
       
    43 # requested). The order is 1-based; 1 is the most preferred, followed
       
    44 # by 2, and so on.
       
    45 #
       
    46 # <className> must specify the subclass of the Provider class whose
       
    47 # constructor sets the values of various properties that are required
       
    48 # for the Java Security API to look up the algorithms or other
       
    49 # facilities implemented by the provider.
       
    50 #
       
    51 # There must be at least one provider specification in java.security.
       
    52 # There is a default provider that comes standard with the JDK. It
       
    53 # is called the "SUN" provider, and its Provider subclass
       
    54 # named Sun appears in the sun.security.provider package. Thus, the
       
    55 # "SUN" provider is registered via the following:
       
    56 #
       
    57 #    security.provider.1=sun.security.provider.Sun
       
    58 #
       
    59 # (The number 1 is used for the default provider.)
       
    60 #
       
    61 # Note: Providers can be dynamically registered instead by calls to
       
    62 # either the addProvider or insertProviderAt method in the Security
       
    63 # class.
       
    64 
       
    65 #
       
    66 # List of providers and their preference orders (see above):
       
    67 #
       
    68 security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg
       
    69 security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
       
    70 security.provider.3=sun.security.provider.Sun
       
    71 security.provider.4=sun.security.rsa.SunRsaSign
       
    72 security.provider.5=sun.security.ec.SunEC
       
    73 security.provider.6=com.sun.net.ssl.internal.ssl.Provider
       
    74 security.provider.7=com.sun.crypto.provider.SunJCE
       
    75 security.provider.8=sun.security.jgss.SunProvider
       
    76 security.provider.9=com.sun.security.sasl.Provider
       
    77 security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
       
    78 security.provider.11=sun.security.smartcardio.SunPCSC
       
    79 
       
    80 #
       
    81 # Sun Provider SecureRandom seed source.
       
    82 #
       
    83 # Select the primary source of seed data for the "SHA1PRNG" and
       
    84 # "NativePRNG" SecureRandom implementations in the "Sun" provider.
       
    85 # (Other SecureRandom implementations might also use this property.)
       
    86 #
       
    87 # On Unix-like systems (for example, Solaris/Linux/MacOS), the
       
    88 # "NativePRNG" and "SHA1PRNG" implementations obtains seed data from
       
    89 # special device files such as file:/dev/random.
       
    90 #
       
    91 # On Windows systems, specifying the URLs "file:/dev/random" or
       
    92 # "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding
       
    93 # mechanism for SHA1PRNG.
       
    94 #
       
    95 # By default, an attempt is made to use the entropy gathering device
       
    96 # specified by the "securerandom.source" Security property.  If an
       
    97 # exception occurs while accessing the specified URL:
       
    98 #
       
    99 #     SHA1PRNG:
       
   100 #         the traditional system/thread activity algorithm will be used.
       
   101 #
       
   102 #     NativePRNG:
       
   103 #         a default value of /dev/random will be used.  If neither
       
   104 #         are available, the implementation will be disabled.
       
   105 #         "file" is the only currently supported protocol type.
       
   106 #
       
   107 # The entropy gathering device can also be specified with the System
       
   108 # property "java.security.egd". For example:
       
   109 #
       
   110 #   % java -Djava.security.egd=file:/dev/random MainClass
       
   111 #
       
   112 # Specifying this System property will override the
       
   113 # "securerandom.source" Security property.
       
   114 #
       
   115 # In addition, if "file:/dev/random" or "file:/dev/urandom" is
       
   116 # specified, the "NativePRNG" implementation will be more preferred than
       
   117 # SHA1PRNG in the Sun provider.
       
   118 #
       
   119 securerandom.source=file:/dev/random
       
   120 
       
   121 #
       
   122 # A list of known strong SecureRandom implementations.
       
   123 #
       
   124 # To help guide applications in selecting a suitable strong
       
   125 # java.security.SecureRandom implementation, Java distributions should
       
   126 # indicate a list of known strong implementations using the property.
       
   127 #
       
   128 # This is a comma-separated list of algorithm and/or algorithm:provider
       
   129 # entries.
       
   130 #
       
   131 securerandom.strongAlgorithms=NativePRNGBlocking:SUN
       
   132 
       
   133 #
       
   134 # Class to instantiate as the javax.security.auth.login.Configuration
       
   135 # provider.
       
   136 #
       
   137 login.configuration.provider=sun.security.provider.ConfigFile
       
   138 
       
   139 #
       
   140 # Default login configuration file
       
   141 #
       
   142 #login.config.url.1=file:${user.home}/.java.login.config
       
   143 
       
   144 #
       
   145 # Class to instantiate as the system Policy. This is the name of the class
       
   146 # that will be used as the Policy object.
       
   147 #
       
   148 policy.provider=sun.security.provider.PolicyFile
       
   149 
       
   150 # The default is to have a single system-wide policy file,
       
   151 # and a policy file in the user's home directory.
       
   152 policy.url.1=file:${java.home}/lib/security/java.policy
       
   153 policy.url.2=file:${user.home}/.java.policy
       
   154 
       
   155 # whether or not we expand properties in the policy file
       
   156 # if this is set to false, properties (${...}) will not be expanded in policy
       
   157 # files.
       
   158 policy.expandProperties=true
       
   159 
       
   160 # whether or not we allow an extra policy to be passed on the command line
       
   161 # with -Djava.security.policy=somefile. Comment out this line to disable
       
   162 # this feature.
       
   163 policy.allowSystemProperty=true
       
   164 
       
   165 # whether or not we look into the IdentityScope for trusted Identities
       
   166 # when encountering a 1.1 signed JAR file. If the identity is found
       
   167 # and is trusted, we grant it AllPermission.
       
   168 policy.ignoreIdentityScope=false
       
   169 
       
   170 #
       
   171 # Default keystore type.
       
   172 #
       
   173 keystore.type=jks
       
   174 
       
   175 #
       
   176 # List of comma-separated packages that start with or equal this string
       
   177 # will cause a security exception to be thrown when
       
   178 # passed to checkPackageAccess unless the
       
   179 # corresponding RuntimePermission ("accessClassInPackage."+package) has
       
   180 # been granted.
       
   181 package.access=sun.,\
       
   182                com.sun.xml.internal.,\
       
   183                com.sun.imageio.,\
       
   184                com.sun.istack.internal.,\
       
   185                com.sun.jmx.,\
       
   186                com.sun.media.sound.,\
       
   187                com.sun.naming.internal.,\
       
   188                com.sun.proxy.,\
       
   189                com.sun.corba.se.,\
       
   190                com.sun.org.apache.bcel.internal.,\
       
   191                com.sun.org.apache.regexp.internal.,\
       
   192                com.sun.org.apache.xerces.internal.,\
       
   193                com.sun.org.apache.xpath.internal.,\
       
   194                com.sun.org.apache.xalan.internal.extensions.,\
       
   195                com.sun.org.apache.xalan.internal.lib.,\
       
   196                com.sun.org.apache.xalan.internal.res.,\
       
   197                com.sun.org.apache.xalan.internal.templates.,\
       
   198                com.sun.org.apache.xalan.internal.utils.,\
       
   199                com.sun.org.apache.xalan.internal.xslt.,\
       
   200                com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
       
   201                com.sun.org.apache.xalan.internal.xsltc.compiler.,\
       
   202                com.sun.org.apache.xalan.internal.xsltc.trax.,\
       
   203                com.sun.org.apache.xalan.internal.xsltc.util.,\
       
   204                com.sun.org.apache.xml.internal.res.,\
       
   205                com.sun.org.apache.xml.internal.security.,\
       
   206                com.sun.org.apache.xml.internal.serializer.utils.,\
       
   207                com.sun.org.apache.xml.internal.utils.,\
       
   208                com.sun.org.glassfish.,\
       
   209                com.oracle.xmlns.internal.,\
       
   210                com.oracle.webservices.internal.,\
       
   211                org.jcp.xml.dsig.internal.,\
       
   212                jdk.internal.,\
       
   213                jdk.nashorn.internal.,\
       
   214                jdk.nashorn.tools.,\
       
   215                com.sun.activation.registries.
       
   216 
       
   217 #
       
   218 # List of comma-separated packages that start with or equal this string
       
   219 # will cause a security exception to be thrown when
       
   220 # passed to checkPackageDefinition unless the
       
   221 # corresponding RuntimePermission ("defineClassInPackage."+package) has
       
   222 # been granted.
       
   223 #
       
   224 # by default, none of the class loaders supplied with the JDK call
       
   225 # checkPackageDefinition.
       
   226 #
       
   227 package.definition=sun.,\
       
   228                    com.sun.xml.internal.,\
       
   229                    com.sun.imageio.,\
       
   230                    com.sun.istack.internal.,\
       
   231                    com.sun.jmx.,\
       
   232                    com.sun.media.sound.,\
       
   233                    com.sun.naming.internal.,\
       
   234                    com.sun.proxy.,\
       
   235                    com.sun.corba.se.,\
       
   236                    com.sun.org.apache.bcel.internal.,\
       
   237                    com.sun.org.apache.regexp.internal.,\
       
   238                    com.sun.org.apache.xerces.internal.,\
       
   239                    com.sun.org.apache.xpath.internal.,\
       
   240                    com.sun.org.apache.xalan.internal.extensions.,\
       
   241                    com.sun.org.apache.xalan.internal.lib.,\
       
   242                    com.sun.org.apache.xalan.internal.res.,\
       
   243                    com.sun.org.apache.xalan.internal.templates.,\
       
   244                    com.sun.org.apache.xalan.internal.utils.,\
       
   245                    com.sun.org.apache.xalan.internal.xslt.,\
       
   246                    com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
       
   247                    com.sun.org.apache.xalan.internal.xsltc.compiler.,\
       
   248                    com.sun.org.apache.xalan.internal.xsltc.trax.,\
       
   249                    com.sun.org.apache.xalan.internal.xsltc.util.,\
       
   250                    com.sun.org.apache.xml.internal.res.,\
       
   251                    com.sun.org.apache.xml.internal.security.,\
       
   252                    com.sun.org.apache.xml.internal.serializer.utils.,\
       
   253                    com.sun.org.apache.xml.internal.utils.,\
       
   254                    com.sun.org.glassfish.,\
       
   255                    com.oracle.xmlns.internal.,\
       
   256                    com.oracle.webservices.internal.,\
       
   257                    org.jcp.xml.dsig.internal.,\
       
   258                    jdk.internal.,\
       
   259                    jdk.nashorn.internal.,\
       
   260                    jdk.nashorn.tools.,\
       
   261                    com.sun.activation.registries.
       
   262 
       
   263 #
       
   264 # Determines whether this properties file can be appended to
       
   265 # or overridden on the command line via -Djava.security.properties
       
   266 #
       
   267 security.overridePropertiesFile=true
       
   268 
       
   269 #
       
   270 # Determines the default key and trust manager factory algorithms for
       
   271 # the javax.net.ssl package.
       
   272 #
       
   273 ssl.KeyManagerFactory.algorithm=SunX509
       
   274 ssl.TrustManagerFactory.algorithm=PKIX
       
   275 
       
   276 #
       
   277 # The Java-level namelookup cache policy for successful lookups:
       
   278 #
       
   279 # any negative value: caching forever
       
   280 # any positive value: the number of seconds to cache an address for
       
   281 # zero: do not cache
       
   282 #
       
   283 # default value is forever (FOREVER). For security reasons, this
       
   284 # caching is made forever when a security manager is set. When a security
       
   285 # manager is not set, the default behavior in this implementation
       
   286 # is to cache for 30 seconds.
       
   287 #
       
   288 # NOTE: setting this to anything other than the default value can have
       
   289 #       serious security implications. Do not set it unless
       
   290 #       you are sure you are not exposed to DNS spoofing attack.
       
   291 #
       
   292 #networkaddress.cache.ttl=-1
       
   293 
       
   294 # The Java-level namelookup cache policy for failed lookups:
       
   295 #
       
   296 # any negative value: cache forever
       
   297 # any positive value: the number of seconds to cache negative lookup results
       
   298 # zero: do not cache
       
   299 #
       
   300 # In some Microsoft Windows networking environments that employ
       
   301 # the WINS name service in addition to DNS, name service lookups
       
   302 # that fail may take a noticeably long time to return (approx. 5 seconds).
       
   303 # For this reason the default caching policy is to maintain these
       
   304 # results for 10 seconds.
       
   305 #
       
   306 #
       
   307 networkaddress.cache.negative.ttl=10
       
   308 
       
   309 #
       
   310 # Properties to configure OCSP for certificate revocation checking
       
   311 #
       
   312 
       
   313 # Enable OCSP
       
   314 #
       
   315 # By default, OCSP is not used for certificate revocation checking.
       
   316 # This property enables the use of OCSP when set to the value "true".
       
   317 #
       
   318 # NOTE: SocketPermission is required to connect to an OCSP responder.
       
   319 #
       
   320 # Example,
       
   321 #   ocsp.enable=true
       
   322 
       
   323 #
       
   324 # Location of the OCSP responder
       
   325 #
       
   326 # By default, the location of the OCSP responder is determined implicitly
       
   327 # from the certificate being validated. This property explicitly specifies
       
   328 # the location of the OCSP responder. The property is used when the
       
   329 # Authority Information Access extension (defined in RFC 3280) is absent
       
   330 # from the certificate or when it requires overriding.
       
   331 #
       
   332 # Example,
       
   333 #   ocsp.responderURL=http://ocsp.example.net:80
       
   334 
       
   335 #
       
   336 # Subject name of the OCSP responder's certificate
       
   337 #
       
   338 # By default, the certificate of the OCSP responder is that of the issuer
       
   339 # of the certificate being validated. This property identifies the certificate
       
   340 # of the OCSP responder when the default does not apply. Its value is a string
       
   341 # distinguished name (defined in RFC 2253) which identifies a certificate in
       
   342 # the set of certificates supplied during cert path validation. In cases where
       
   343 # the subject name alone is not sufficient to uniquely identify the certificate
       
   344 # then both the "ocsp.responderCertIssuerName" and
       
   345 # "ocsp.responderCertSerialNumber" properties must be used instead. When this
       
   346 # property is set then those two properties are ignored.
       
   347 #
       
   348 # Example,
       
   349 #   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
       
   350 
       
   351 #
       
   352 # Issuer name of the OCSP responder's certificate
       
   353 #
       
   354 # By default, the certificate of the OCSP responder is that of the issuer
       
   355 # of the certificate being validated. This property identifies the certificate
       
   356 # of the OCSP responder when the default does not apply. Its value is a string
       
   357 # distinguished name (defined in RFC 2253) which identifies a certificate in
       
   358 # the set of certificates supplied during cert path validation. When this
       
   359 # property is set then the "ocsp.responderCertSerialNumber" property must also
       
   360 # be set. When the "ocsp.responderCertSubjectName" property is set then this
       
   361 # property is ignored.
       
   362 #
       
   363 # Example,
       
   364 #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
       
   365 
       
   366 #
       
   367 # Serial number of the OCSP responder's certificate
       
   368 #
       
   369 # By default, the certificate of the OCSP responder is that of the issuer
       
   370 # of the certificate being validated. This property identifies the certificate
       
   371 # of the OCSP responder when the default does not apply. Its value is a string
       
   372 # of hexadecimal digits (colon or space separators may be present) which
       
   373 # identifies a certificate in the set of certificates supplied during cert path
       
   374 # validation. When this property is set then the "ocsp.responderCertIssuerName"
       
   375 # property must also be set. When the "ocsp.responderCertSubjectName" property
       
   376 # is set then this property is ignored.
       
   377 #
       
   378 # Example,
       
   379 #   ocsp.responderCertSerialNumber=2A:FF:00
       
   380 
       
   381 #
       
   382 # Policy for failed Kerberos KDC lookups:
       
   383 #
       
   384 # When a KDC is unavailable (network error, service failure, etc), it is
       
   385 # put inside a blacklist and accessed less often for future requests. The
       
   386 # value (case-insensitive) for this policy can be:
       
   387 #
       
   388 # tryLast
       
   389 #    KDCs in the blacklist are always tried after those not on the list.
       
   390 #
       
   391 # tryLess[:max_retries,timeout]
       
   392 #    KDCs in the blacklist are still tried by their order in the configuration,
       
   393 #    but with smaller max_retries and timeout values. max_retries and timeout
       
   394 #    are optional numerical parameters (default 1 and 5000, which means once
       
   395 #    and 5 seconds). Please notes that if any of the values defined here is
       
   396 #    more than what is defined in krb5.conf, it will be ignored.
       
   397 #
       
   398 # Whenever a KDC is detected as available, it is removed from the blacklist.
       
   399 # The blacklist is reset when krb5.conf is reloaded. You can add
       
   400 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
       
   401 # reloaded whenever a JAAS authentication is attempted.
       
   402 #
       
   403 # Example,
       
   404 #   krb5.kdc.bad.policy = tryLast
       
   405 #   krb5.kdc.bad.policy = tryLess:2,2000
       
   406 krb5.kdc.bad.policy = tryLast
       
   407 
       
   408 # Algorithm restrictions for certification path (CertPath) processing
       
   409 #
       
   410 # In some environments, certain algorithms or key lengths may be undesirable
       
   411 # for certification path building and validation.  For example, "MD2" is
       
   412 # generally no longer considered to be a secure hash algorithm.  This section
       
   413 # describes the mechanism for disabling algorithms based on algorithm name
       
   414 # and/or key length.  This includes algorithms used in certificates, as well
       
   415 # as revocation information such as CRLs and signed OCSP Responses.
       
   416 #
       
   417 # The syntax of the disabled algorithm string is described as this Java
       
   418 # BNF-style:
       
   419 #   DisabledAlgorithms:
       
   420 #       " DisabledAlgorithm { , DisabledAlgorithm } "
       
   421 #
       
   422 #   DisabledAlgorithm:
       
   423 #       AlgorithmName [Constraint]
       
   424 #
       
   425 #   AlgorithmName:
       
   426 #       (see below)
       
   427 #
       
   428 #   Constraint:
       
   429 #       KeySizeConstraint
       
   430 #
       
   431 #   KeySizeConstraint:
       
   432 #       keySize Operator DecimalInteger
       
   433 #
       
   434 #   Operator:
       
   435 #       <= | < | == | != | >= | >
       
   436 #
       
   437 #   DecimalInteger:
       
   438 #       DecimalDigits
       
   439 #
       
   440 #   DecimalDigits:
       
   441 #       DecimalDigit {DecimalDigit}
       
   442 #
       
   443 #   DecimalDigit: one of
       
   444 #       1 2 3 4 5 6 7 8 9 0
       
   445 #
       
   446 # The "AlgorithmName" is the standard algorithm name of the disabled
       
   447 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
       
   448 # Documentation" for information about Standard Algorithm Names.  Matching
       
   449 # is performed using a case-insensitive sub-element matching rule.  (For
       
   450 # example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
       
   451 # "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
       
   452 # sub-element of the certificate algorithm name, the algorithm will be
       
   453 # rejected during certification path building and validation.  For example,
       
   454 # the assertion algorithm name "DSA" will disable all certificate algorithms
       
   455 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
       
   456 # will not disable algorithms related to "ECDSA".
       
   457 #
       
   458 # A "Constraint" provides further guidance for the algorithm being specified.
       
   459 # The "KeySizeConstraint" requires a key of a valid size range if the
       
   460 # "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
       
   461 # key size specified in number of bits.  For example, "RSA keySize <= 1024"
       
   462 # indicates that any RSA key with key size less than or equal to 1024 bits
       
   463 # should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
       
   464 # that any RSA key with key size less than 1024 or greater than 2048 should
       
   465 # be disabled. Note that the "KeySizeConstraint" only makes sense to key
       
   466 # algorithms.
       
   467 #
       
   468 # Note: This property is currently used by Oracle's PKIX implementation. It
       
   469 # is not guaranteed to be examined and used by other implementations.
       
   470 #
       
   471 # Example:
       
   472 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
       
   473 #
       
   474 #
       
   475 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
       
   476 
       
   477 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
       
   478 # (SSL/TLS) processing
       
   479 #
       
   480 # In some environments, certain algorithms or key lengths may be undesirable
       
   481 # when using SSL/TLS.  This section describes the mechanism for disabling
       
   482 # algorithms during SSL/TLS security parameters negotiation, including cipher
       
   483 # suites selection, peer authentication and key exchange mechanisms.
       
   484 #
       
   485 # For PKI-based peer authentication and key exchange mechanisms, this list
       
   486 # of disabled algorithms will also be checked during certification path
       
   487 # building and validation, including algorithms used in certificates, as
       
   488 # well as revocation information such as CRLs and signed OCSP Responses.
       
   489 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
       
   490 #
       
   491 # See the specification of "jdk.certpath.disabledAlgorithms" for the
       
   492 # syntax of the disabled algorithm string.
       
   493 #
       
   494 # Note: This property is currently used by Oracle's JSSE implementation.
       
   495 # It is not guaranteed to be examined and used by other implementations.
       
   496 #
       
   497 # Example:
       
   498 #   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048