Appendix C: Runtime Properties
Security properties for OCSP
Property Name | Description |
---|---|
ocsp.enable | This property's value is either true or false. If true, OCSP checking is enabled when doing certificate revocation checking; if false or not set, OCSP checking is disabled. |
ocsp.responderURL | This property's value is a URL that identifies the location of the OCSP responder. By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it must be overridden. |
ocsp.responderCertSubjectName | This property's value is the subject name of the OCSP responder's certificate. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, then both the |
ocsp.responderCertIssuerName | This property's value is the issuer name of the OCSP responder's certificate. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the |
ocsp.responderCertSerialNumber | This property's value is the serial number of the OCSP responder's certificate. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string of hexadecimal digits (colon or space separators may be present) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the |
com.ibm.security.ocsp.clockSkew | Use this property to set the allowable clock skew for the validity interval of the OCSP response, in seconds. If the OCSP response indicates that the response is valid between time t1 and time t2, the current time must be between t1-clockSkew and t2+clockSkew. If the value is smaller than 0 or not set, the clock skew is set to 900 seconds by default. |
com.ibm.security.ocsp.timeout | Use this property to set the timeout value of the connection to the OCSP server, in seconds. A timeout of zero is interpreted as an infinite timeout. If the value is smaller than 0 or not set, the timeout is set to 15 seconds by default. |
These properties may be set either statically in the Java™ runtime environment's $JAVA_HOME/jre/lib/security/java.security file, or dynamically using the java.security.Security.setProperty() method.
By default, OCSP checking is not enabled. It is enabled by setting the ocsp.enable property to "true". Use of the remaining properties is optional.
Note that enabling OCSP checking only has an effect if revocation checking has also been enabled. Revocation checking is enabled via the PKIXParameters.setRevocationEnabled() method.
PKIXParameters RevocationEnabled (default=true) | ocsp.enable (default=false) | Behavior |
---|---|---|
true | true | Revocation checking using OCSP, failover to using CRLs |
true | false | Revocation checking using CRLs only |
false | true | No revocation checking |
false | false | No revocation checking |
Security property for disabling cryptographic algorithms
The jdk.certpath.disabledAlgorithms security property contains a list of cryptographic algorithms that are not allowed during certification path processing. The syntax of this property is described more fully within the jre/lib/security/java.security file, but it is briefly described here.
The property lists the algorithm names that must not be used, separated by commas. An entry can also place a restriction on key sizes. For example, the following entry in java.security specifies that the MD2 and DSA algorithms must not be used for certification path processing, and that RSA keys smaller than 2048 bits are disabled:
jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
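The following checker is added here as an example; it is not the JDK's or IBM SDK's own constraint evaluator. It parses the two entry forms shown above (a bare algorithm name, and "ALG keySize < N"), decomposes signature algorithm names such as SHA256withRSA into their digest and key-algorithm parts the way the example entry expects (MD2 disables MD2withRSA, DSA disables SHA256withDSA), and applies the key-size limit to the public key. The java.security file supports further constraint forms that this example deliberately refuses rather than silently ignoring. The inputs in main() are constructed, not real certificates.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example: evaluate algorithms against a jdk.certpath.disabledAlgorithms string. */
public class DisabledAlgorithmCheck {

    private final Set<String> disabledNames = new HashSet<>();
    private final Map<String, Integer> minKeySize = new HashMap<>();

    public DisabledAlgorithmCheck(String property) {
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;
            String[] parts = e.split("\\s+");
            if (parts.length == 4 && parts[1].equalsIgnoreCase("keySize") && parts[2].equals("<")) {
                // "RSA keySize < 2048": keys of this algorithm below N bits are disabled
                minKeySize.put(parts[0].toUpperCase(Locale.ROOT), Integer.parseInt(parts[3]));
            } else if (parts.length == 1) {
                // bare name: the algorithm is disabled wherever it appears
                disabledNames.add(e.toUpperCase(Locale.ROOT));
            } else {
                // other java.security constraint forms are out of scope here; do not ignore them
                throw new IllegalArgumentException("unsupported constraint: " + e);
            }
        }
    }

    /** Split "SHA256withRSA" into "SHA256" and "RSA" so each part can be checked. */
    static List<String> components(String sigAlg) {
        List<String> out = new ArrayList<>();
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND")) {
            if (!part.isEmpty()) out.add(part);
        }
        return out;
    }

    /** True if the signature algorithm, or any of its components, is disabled. */
    public boolean signatureDisabled(String sigAlg) {
        if (disabledNames.contains(sigAlg.toUpperCase(Locale.ROOT))) return true;
        for (String c : components(sigAlg)) {
            if (disabledNames.contains(c)) return true;
        }
        return false;
    }

    /** True if the key algorithm is disabled outright or the key is below the minimum size. */
    public boolean keyDisabled(String keyAlg, int keySizeBits) {
        String alg = keyAlg.toUpperCase(Locale.ROOT);
        if (disabledNames.contains(alg)) return true;
        Integer min = minKeySize.get(alg);
        return min != null && keySizeBits < min;
    }

    /** Key size in bits for the key types a certificate path normally carries. */
    static int keySize(PublicKey key) {
        if (key instanceof RSAKey) return ((RSAKey) key).getModulus().bitLength();
        if (key instanceof DSAKey) return ((DSAKey) key).getParams().getP().bitLength();
        if (key instanceof ECKey) return ((ECKey) key).getParams().getCurve().getField().getFieldSize();
        return -1; // unknown key type: no size constraint can be applied
    }

    /** Apply both checks to a real certificate. */
    public boolean certificateDisabled(X509Certificate cert) {
        PublicKey key = cert.getPublicKey();
        return signatureDisabled(cert.getSigAlgName())
                || keyDisabled(key.getAlgorithm(), keySize(key));
    }

    public static void main(String[] args) {
        // Constructed inputs exercising the entry from the page, not real certificates.
        DisabledAlgorithmCheck check = new DisabledAlgorithmCheck("MD2, DSA, RSA keySize < 2048");
        String[] sigs = { "MD2withRSA", "SHA256withDSA", "SHA256withRSA" };
        for (String s : sigs) {
            System.out.println(s + " disabled: " + check.signatureDisabled(s));
        }
        System.out.println("RSA 1024 disabled: " + check.keyDisabled("RSA", 1024));
        System.out.println("RSA 2048 disabled: " + check.keyDisabled("RSA", 2048));
        System.out.println("EC 256 disabled: " + check.keyDisabled("EC", 256));
    }
}
```

The "keySize < N" comparison is strict, so a 2048-bit RSA key passes the example entry while a 1024-bit key does not, and a key algorithm with no entry at all (EC above) is not constrained.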
System properties
Property Name | Description |
---|---|
com.ibm.security.crls.timeout | Use this property to set the timeout value of the connection to a remote CRL, in seconds. A remote CRL is a CRL that is accessed through a certificate's CRL distribution point, or from a URICertStore object. A timeout of zero is interpreted as an infinite timeout. If the value is smaller than 0 or not set, the timeout is set to 15 seconds by default. |
com.ibm.security.enableAIAEXT | This property's value is either “true” or “false”. If “true”, then any Authority Information Access extensions found within the certificates of the certificate path being built will be examined to learn whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores used to locate other certificates needed to build the certificate path. If “false” or not set, then these additional LDAPCertStore objects are not created. |
com.ibm.security.enableCRLDP | This property's value is either “true” or “false”. If “true”, locating a CRL through the URL in the certificate's CRL distribution points extension is enabled when doing certificate revocation checking; if “false” or not set, then CRL checking by way of the CRL distribution points extension is disabled. |
com.ibm.security.enableDELTACRL | This property's value is either “true” or “false”. If “true”, and if revocation checking is enabled by the user, then both delta CRLs and complete CRLs will be used to determine the revocation status of a certificate. If “false” or not set, then only complete CRLs will be used to determine the revocation status of a certificate. |
com.ibm.security.onlyCheckRevocationOfEECert | The value of this optional Java system property can be set to either “true” or “false”. If set to “true”, CertPath performs revocation checking only upon the end-entity certificate of the certificate chain. If unspecified or set to “false”, then CertPath performs revocation checking upon all the certificates of the certificate chain, with the exception of the trusted root certificate (TrustAnchor). |
ibm.security.certpath.ldap.cache.lifetime | This property can be used to set the lifetime of entries in the memory cache of LDAP CertStore to a value in seconds. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds. |