Appendix C: Runtime Properties

Security properties for OCSP

OCSP checking is controlled by the following five new security properties:

ocsp.enable
    This property's value is either true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if false or not set, OCSP checking is disabled.

ocsp.responderURL
    This property's value is a URL that identifies the location of the OCSP responder. Here is an example.

        ocsp.responderURL=http://ocsp.example.net:80

    By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

ocsp.responderCertSubjectName
    This property's value is the subject name of the OCSP responder's certificate. Here is an example.

        ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

    By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, both the ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties must be used instead. When this property is set, those two properties are ignored.

ocsp.responderCertIssuerName
    This property's value is the issuer name of the OCSP responder's certificate. Here is an example.

        ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

    By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set, the ocsp.responderCertSerialNumber property must also be set. Note that this property is ignored when the ocsp.responderCertSubjectName property has been set.

ocsp.responderCertSerialNumber
    This property's value is the serial number of the OCSP responder's certificate. Here is an example.

        ocsp.responderCertSerialNumber=2A:FF:00

    By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string of hexadecimal digits (colon or space separators may be present) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set, the ocsp.responderCertIssuerName property must also be set. Note that this property is ignored when the ocsp.responderCertSubjectName property has been set.

com.ibm.security.ocsp.clockSkew
    Use this property to set the allowable clock skew for the validity interval of the OCSP response, in seconds. If the OCSP response indicates that the response is valid between time t1 and time t2, the current time must be between t1-clockSkew and t2+clockSkew. If the value is smaller than 0 or not set, the clock skew is set to 900 seconds by default.

com.ibm.security.ocsp.timeout
    Use this property to set the timeout value of the connection to the OCSP server, in seconds. A timeout of zero is interpreted as an infinite timeout. If the value is smaller than 0 or not set, the timeout is set to 15 seconds by default.

These properties may be set either statically in the Java™ runtime environment's $JAVA_HOME/jre/lib/security/java.security file, or dynamically using the java.security.Security.setProperty() method.

By default, OCSP checking is not enabled. It is enabled by setting the ocsp.enable property to "true". Use of the remaining properties is optional. Note that enabling OCSP checking only has an effect if revocation checking has also been enabled. Revocation checking is enabled via the PKIXParameters.setRevocationEnabled() method.

OCSP checking works in conjunction with Certificate Revocation Lists (CRLs) during revocation checking. The following table is a summary of the interaction of OCSP and CRLs. Failover to CRLs occurs only if an OCSP problem is encountered. Failover does not occur if the OCSP responder confirms either that the certificate has been revoked or that it has not been revoked.
PKIXParameters.RevocationEnabled   ocsp.enable         Behavior
(default = true)                   (default = false)
true                               true                Revocation checking using OCSP, failover to using CRLs
true                               false               Revocation checking using CRLs only
false                              true                No revocation checking
false                              false               No revocation checking
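The first row of the table, as an added example that is not part of the IBM documentation or product code: a small program that sets the OCSP security properties programmatically (the Security.setProperty() route described above), turns on revocation checking through PKIXParameters, and validates a chain with CRLs available for failover. The file names chain.pem, root.pem and crls.pem and the optional responder URL argument are assumptions of this example; the certificates themselves are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/*
 * Added example (not IBM code). Validates a certificate chain with OCSP checking
 * on and CRLs available for failover.
 *
 * Usage: java OcspValidation chain.pem root.pem [crls.pem] [responderURL]
 *   chain.pem    : end-entity certificate first, then any intermediates (PEM)
 *   root.pem     : the trusted root used as the TrustAnchor (PEM)
 *   crls.pem     : optional CRLs used only if the OCSP check runs into a problem
 *   responderURL : optional override of the responder location (ocsp.responderURL)
 * The file names and the responder URL are assumptions of this example.
 */
public class OcspValidation {

    /** Reads every X.509 certificate found in a PEM file, in file order. */
    static List<X509Certificate> readCertificates(CertificateFactory cf, String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: OcspValidation chain.pem root.pem [crls.pem] [responderURL]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = readCertificates(cf, args[0]);
        X509Certificate root = readCertificates(cf, args[1]).get(0);

        // These are security properties (java.security file or Security.setProperty),
        // not system properties, so a -D flag on the command line would not set them.
        Security.setProperty("ocsp.enable", "true");
        Security.setProperty("com.ibm.security.ocsp.timeout", "10");    // seconds; 0 would wait forever
        Security.setProperty("com.ibm.security.ocsp.clockSkew", "300"); // seconds of tolerated clock drift
        if (args.length > 3) {
            // Only needed when the certificate has no AIA extension or it must be overridden.
            Security.setProperty("ocsp.responderURL", args[3]);
        }

        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        // ocsp.enable has no effect unless revocation checking is also on.
        params.setRevocationEnabled(true);

        if (args.length > 2) {
            // CRLs are consulted only if the OCSP check itself fails (responder unreachable,
            // malformed response, ...); a definite "good" or "revoked" answer never fails over.
            Collection<? extends CRL> crls;
            try (InputStream in = new FileInputStream(args[2])) {
                crls = cf.generateCRLs(in);
            }
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("chain is valid; anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // A revoked certificate and an OCSP-then-CRL failure both end up here;
            // getIndex() names the offending certificate in the path (-1 if unknown).
            System.out.println("validation failed at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Running it with revocation enabled but without the ocsp.enable line reproduces the second row of the table (CRLs only); clearing setRevocationEnabled reproduces the last two rows, where neither the OCSP properties nor the CRL store is consulted.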

Security property for disabling cryptographic algorithms

The jdk.certpath.disabledAlgorithms security property contains a list of cryptographic algorithms that are not allowed during certification path processing. The syntax of this property is described more fully within the jre/lib/security/java.security file, but it is briefly described here.

The security property contains a list of cryptographic algorithms that must not be used. The algorithm names are separated by commas. The security property can also be used to place restrictions on key sizes.

For example, the following line in java.security specifies that the MD2 and DSA algorithms must not be used for certification path processing, and that the use of RSA key sizes less than 2048 bits is disabled:
jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
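A reader for the property syntax just described, added here as an example rather than taken from the JDK or IBM sources: it parses the comma-separated entries and the "ALG keySize OP N" form, then checks an algorithm name and key size (or a PublicKey) against them. It handles only the two entry forms the text shows; the runtime's own matching is broader (for instance it also inspects the components of composite signature names such as SHA256withRSA), so this is a pre-check, not a replacement for the built-in constraint. The probe values in main() are constructed.

```java
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* Added example (not JDK code): minimal reader of jdk.certpath.disabledAlgorithms entries. */
public class DisabledAlgorithms {

    /** The value from the java.security line above; used when the property is unset. */
    static final String EXAMPLE_VALUE = "MD2, DSA, RSA keySize < 2048";

    private static final Pattern KEY_SIZE_ENTRY =
            Pattern.compile("(\\S+)\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)", Pattern.CASE_INSENSITIVE);

    /** One entry: an algorithm name, optionally limited to a key-size comparison. */
    static final class Constraint {
        final String algorithm; // upper-cased, e.g. "RSA"
        final String op;        // null when the whole algorithm is disabled
        final int keySize;

        Constraint(String algorithm, String op, int keySize) {
            this.algorithm = algorithm;
            this.op = op;
            this.keySize = keySize;
        }

        boolean disables(String alg, int bits) {
            if (!algorithm.equals(alg.toUpperCase(Locale.ROOT))) return false;
            if (op == null) return true;          // algorithm disabled outright
            if (bits < 0) return false;           // key size unknown: size rule cannot apply
            switch (op) {
                case "<":  return bits < keySize;
                case "<=": return bits <= keySize;
                case ">":  return bits > keySize;
                case ">=": return bits >= keySize;
                case "==": return bits == keySize;
                case "!=": return bits != keySize;
                default:   throw new IllegalStateException("unknown operator " + op);
            }
        }
    }

    /** Parses "MD2, DSA, RSA keySize < 2048" into constraints; rejects anything else. */
    static List<Constraint> parse(String value) {
        List<Constraint> out = new ArrayList<>();
        for (String raw : value.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            Matcher m = KEY_SIZE_ENTRY.matcher(entry);
            if (m.matches()) {
                out.add(new Constraint(m.group(1).toUpperCase(Locale.ROOT), m.group(2), Integer.parseInt(m.group(3))));
            } else if (!entry.contains(" ")) {
                out.add(new Constraint(entry.toUpperCase(Locale.ROOT), null, 0));
            } else {
                throw new IllegalArgumentException("unsupported entry: " + entry);
            }
        }
        return out;
    }

    static boolean isDisabled(List<Constraint> constraints, String algorithm, int keyBits) {
        for (Constraint c : constraints) {
            if (c.disables(algorithm, keyBits)) return true;
        }
        return false;
    }

    /** Key size in bits for the key types a keySize rule is normally written for; -1 if unknown. */
    static int keySize(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return -1;
    }

    /** Convenience check for a certificate's public key (algorithm name from the key itself). */
    static boolean keyDisabled(List<Constraint> constraints, PublicKey key) {
        return isDisabled(constraints, key.getAlgorithm(), keySize(key));
    }

    public static void main(String[] args) {
        String configured = Security.getProperty("jdk.certpath.disabledAlgorithms");
        List<Constraint> constraints = parse(configured != null ? configured : EXAMPLE_VALUE);
        // Constructed probes, not read from any real certificate.
        String[][] probes = { {"MD2", "-1"}, {"RSA", "1024"}, {"RSA", "2048"}, {"DSA", "2048"}, {"EC", "256"} };
        for (String[] p : probes) {
            boolean disabled = isDisabled(constraints, p[0], Integer.parseInt(p[1]));
            System.out.println(p[0] + " " + p[1] + " bits -> " + (disabled ? "disabled" : "allowed"));
        }
    }
}
```

With the example value, MD2 and DSA are rejected regardless of size, a 1024-bit RSA key is rejected and a 2048-bit one accepted, and EC is untouched because no entry names it.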

System properties

com.ibm.security.crls.timeout
    Use this property to set the timeout value of the connection to a remote CRL, in seconds. A remote CRL is a CRL that is accessed through a certificate's CRL distribution point, or from a URICertStore object. A timeout of zero is interpreted as an infinite timeout. If the value is smaller than 0 or not set, the timeout is set to 15 seconds by default.

com.ibm.security.enableAIAEXT
    This property's value is either "true" or "false". If "true", then any Authority Information Access extensions found within the certificates of the certificate path being built will be examined to learn whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores used to locate other certificates needed to build the certificate path. If "false" or not set, then these additional LDAPCertStore objects are not created.

com.ibm.security.enableCRLDP
    This property's value is either "true" or "false". If "true", CRL checking by locating the CRL using the URL from the certificate's CRL distribution points extension is enabled when doing certificate revocation checking; if "false" or not set, then CRL checking using the CRL distribution points extension is disabled.

com.ibm.security.enableDELTACRL
    This property's value is either "true" or "false". If "true", and if revocation checking is enabled by the user, then both delta CRLs and complete CRLs will be used to determine the revocation status of a certificate. If "false" or not set, then only complete CRLs will be used to determine the revocation status of a certificate.

com.ibm.security.onlyCheckRevocationOfEECert
    The value of this optional Java system property can be set to either "true" or "false". If set to "true", CertPath performs revocation checking only upon the end-entity certificate of the certificate chain. If unspecified or set to "false", then CertPath performs revocation checking upon all the certificates of the certificate chain, with the exception of the trusted root certificate (TrustAnchor).

ibm.security.certpath.ldap.cache.lifetime
    This property can be used to set the lifetime of entries in the in-memory cache of the LDAP CertStore, in seconds. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds.
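The system properties above in use, as an added example that is not IBM's own code: a program that sets them with System.setProperty() (equivalent to -D flags on the command line), then asks CertPathBuilder for a path from an end-entity certificate to a trusted root with revocation checking on, so that CRL distribution points, delta CRLs and the remote-CRL timeout actually come into play. The file names leaf.pem, root.pem and intermediates.pem are assumptions of this example; the certificates are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example (not IBM code). Builds a certification path from leaf.pem up to
 * root.pem, with the IBM system properties steering CRL discovery.
 *
 * Usage: java CrlDpPathBuild leaf.pem root.pem [intermediates.pem]
 * File names are assumptions of this example.
 */
public class CrlDpPathBuild {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CrlDpPathBuild leaf.pem root.pem [intermediates.pem]");
            System.exit(2);
        }

        // System properties (unlike the ocsp.* security properties), so -D on the
        // command line is equivalent. Set them before the first CertPath operation.
        System.setProperty("com.ibm.security.enableCRLDP", "true");     // fetch CRLs named in the CRL DP extension
        System.setProperty("com.ibm.security.enableDELTACRL", "true");  // consult delta CRLs as well as complete ones
        System.setProperty("com.ibm.security.crls.timeout", "10");      // seconds to wait for a remote CRL
        System.setProperty("com.ibm.security.enableAIAEXT", "false");   // no LDAP lookups driven by AIA here
        System.setProperty("com.ibm.security.onlyCheckRevocationOfEECert", "false"); // check every cert but the anchor

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[0])) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        // Certificates the builder may use to fill in the path; the leaf must be among them.
        List<Certificate> known = new ArrayList<>();
        known.add(leaf);
        if (args.length > 2) {
            try (InputStream in = new FileInputStream(args[2])) {
                known.addAll(cf.generateCertificates(in));
            }
        }

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(root, null)), target);
        // Without revocation checking the CRL DP and delta CRL properties change nothing.
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(known)));

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
            List<? extends Certificate> certs = result.getCertPath().getCertificates();
            System.out.println("built a path of " + certs.size() + " certificate(s) below the anchor:");
            for (Certificate c : certs) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // Reached when no path exists, when a certificate is revoked, or when a CRL
            // named in a distribution point could not be fetched within the timeout.
            System.out.println("no valid path: " + e.getMessage());
        }
    }
}
```

Setting com.ibm.security.enableAIAEXT to "true" instead would let the builder create LDAPCertStore objects from any LDAP URIs in the AIA extensions, which is where ibm.security.certpath.ldap.cache.lifetime then applies.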